11-08-2018 12:24 PM - edited 03-12-2019 07:04 AM
Hi, I have a query with regard to how traffic is processed on a 5508-X ASA (running code 9.8(1)) with a Firepower module installed (Firepower code 6.2.0-362).
The background on this is the recent SIP vulnerability. To mitigate against it until code upgrades can be scheduled, I intend to modify the default SIP inspection policy on the ASA to drop all SIP requests with a sent-by address of 0.0.0.0, as per one of Cisco's mitigation recommendations (note this is preferable for us as opposed to disabling SIP inspection completely, as the ASA SIP inspect policies are seeing hits currently and I wouldn't want to affect existing VoIP services traversing the ASAs which may be dependent on this feature).
With this filtering policy in place on the ASA's inspect SIP feature, and assuming a SIP packet hits the ASA with a sent-by address of 0.0.0.0, what would be the logical order of operation?
Would the packet first be subject to the ASA access-list rules > ASA SIP inspection policy and then be dropped without further processing by the Firepower device, or would the traffic still be passed to the Firepower device for further inspection by its SIP policy regardless of the ASA being set up to drop the requests?
Thanks for taking the time to read through and I appreciate any guidance/feedback.
11-08-2018 08:39 PM
A deny action by an ASA ACL on the input of a receiving interface will take precedence over anything in Firepower service module. Once the packet is dropped there it won't be processed by anything else on the appliance.
See Figure 2-15 here:
http://www.ciscopress.com/articles/article.asp?p=2730336&seqNum=7
11-09-2018 10:16 AM
Hi Marvin, thanks for the reply and the link it explains the order of operation well.
One scenario it does not seem to address is if traffic is dropped by the ASA's inspection policy (for example, a modified SIP inspection policy to drop suspect SIP requests with a sent-by address of 0.0.0.0). Would the packets then be discarded by the ASA in a similar fashion to if they were dropped by an ACL rule on the ASA, and not passed to the Firepower module for further processing by its inspection policy?
Thanks again for the feedback.
11-11-2018 11:21 PM
At any point in the processing path when a drop operation is the outcome the subsequent stages will never see the packet thus rendering them essentially blind to that particular packet.
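To make the answer above concrete, here is an added model (not Cisco code, and not anything the original poster or the responder wrote) of the short-circuit behaviour described in the thread: the stages are run in the order the question lays out (interface ACL, then the ASA's own SIP inspection policy, then hand-off to the Firepower module), and the first stage that drops ends processing, so later stages never see the packet. It also includes a small RFC 3261 Via-header parser that extracts the sent-by host, which is the field the poster's intended inspection rule matches on. The stage order, the ACL entry, the SIP messages and the function names are all constructed assumptions for the illustration.

```python
"""Constructed model of ASA processing order with a sent-by 0.0.0.0 SIP drop.

Assumptions (not from Cisco or the original thread): three stages run in the
order interface ACL -> ASA SIP inspection -> Firepower module; the ACL deny
entry and the sample SIP messages are made up for the illustration.
"""
from typing import Callable, Dict, List, Tuple

SENT_BY_BLOCKED = "0.0.0.0"          # the Via sent-by value the poster wants dropped
DENIED_SOURCES = {"198.51.100.7"}    # constructed ACL deny entry (RFC 5737 test range)


def via_sent_by_addresses(sip_message: str) -> List[str]:
    """Return the sent-by host from every Via (or compact 'v:') header.

    RFC 3261 Via syntax: 'Via: SIP/2.0/<transport> <host>[:<port>];<params>'.
    Only the header section is inspected; folded header lines are not handled.
    """
    headers, _, _body = sip_message.partition("\r\n\r\n")
    hosts: List[str] = []
    for line in headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("via", "v"):
            continue
        # Drop the ';branch=...' parameters, then split transport from sent-by.
        fields = value.split(";", 1)[0].strip().split(None, 1)
        if len(fields) != 2:
            continue  # malformed Via with no sent-by: nothing to report
        sent_by = fields[1].strip()
        if sent_by.startswith("["):          # IPv6 literal: [addr]:port
            end = sent_by.find("]")
            if end < 0:
                continue
            hosts.append(sent_by[1:end])
        else:                                # IPv4 or hostname, optional :port
            hosts.append(sent_by.split(":", 1)[0])
    return hosts


# --- the three processing stages; each returns True to pass, False to drop ---

def interface_acl(packet: Dict[str, str]) -> bool:
    """Input ACL on the receiving interface (constructed deny list)."""
    return packet["src_ip"] not in DENIED_SOURCES


def sip_inspection(packet: Dict[str, str]) -> bool:
    """ASA SIP inspection policy: drop requests whose Via sent-by is blocked."""
    return SENT_BY_BLOCKED not in via_sent_by_addresses(packet["payload"])


def firepower_module(packet: Dict[str, str]) -> bool:
    """Firepower service module; modelled as permit, the point is whether it runs."""
    return True


STAGES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("interface-acl", interface_acl),
    ("sip-inspect", sip_inspection),
    ("firepower-module", firepower_module),
]


def process(packet: Dict[str, str]) -> Tuple[str, List[str]]:
    """Run the stages in order; return the verdict and the stages that saw the packet."""
    seen: List[str] = []
    for name, stage in STAGES:
        seen.append(name)
        if not stage(packet):
            return "drop", seen      # a drop ends processing; later stages are blind
    return "pass", seen


def sip_invite(sent_by: str) -> str:
    """Build a constructed SIP INVITE with the given Via sent-by host."""
    return (
        "INVITE sip:bob@example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {sent_by}:5060;branch=z9hG4bK776asdhds\r\n"
        "Max-Forwards: 70\r\n"
        "To: <sip:bob@example.com>\r\n"
        "From: <sip:alice@example.com>;tag=1928301774\r\n"
        "Call-ID: a84b4c76e66710\r\n"
        "CSeq: 314159 INVITE\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


if __name__ == "__main__":
    for label, pkt in [
        ("normal INVITE", {"src_ip": "192.0.2.10", "payload": sip_invite("192.0.2.10")}),
        ("sent-by 0.0.0.0", {"src_ip": "192.0.2.10", "payload": sip_invite("0.0.0.0")}),
        ("ACL-denied source", {"src_ip": "198.51.100.7", "payload": sip_invite("198.51.100.7")}),
    ]:
        verdict, seen = process(pkt)
        print(f"{label:18} -> {verdict:4}  stages that saw it: {seen}")
```

Running the block prints one line per constructed packet; the sent-by 0.0.0.0 request is dropped at `sip-inspect` and the `firepower-module` stage never appears in its trace, which is the behaviour the answer above describes.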
11-12-2018 12:17 AM
Thanks for the confirmation Marvin.