ASA5506-X/ ASDM/ Firepower: How to match traffic to send it to Firepower?

ac5nwdude
Level 1

Hello folks,

I have a hard time getting my head around Firepower deployment on ASA5506-X, managed with ASDM. I'm trying to follow the manuals but just don't get it.

Could anybody tell me the configuration needed (CLI) to match traffic that should be sent to Firepower for inspection?

What I want to achieve is:

- match all traffic for Firepower inspection except traffic from RFC1918 sources to RFC1918 destinations.

Or in other words: How do I use policy-map, class-map and ACL in combination to match traffic involving public networks and configure everything so that this traffic is redirected to the Firepower module for inspection? And do I have to care for the reverse path myself, or is the matching somehow "stateful"?

Sorry, I'm sure these are stupid questions, but I really don't get how to do this.

Platform is ASA5506-X 9.8,
ASDM 7.8(2)
Firepower 6.2.2

Thank you in advance for any input!

3 Replies

matty-boy
Level 1

Hello,

Create an ACL to match the traffic that you want to inspect (let's say the ACL is called sfr_redirect), then reference the ACL in a class map and policy map like this:

ciscoasa(config)# class-map sfr
ciscoasa(config-cmap)# match access-list sfr_redirect
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open [or fail-close. Add monitor-only for IDS mode]

I would suggest your access-list should be permit ip any any to catch any internal-to-internal suspicious traffic rather than just traffic to/from the Internet.

Then in the Firepower you need to create an Access Policy to match all traffic and ensure you have inspection enabled.

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc12

Hope this helps,

Matt.

Abheesh Kumar
VIP Alumni

Hi,
As you would like to inspect only the traffic from the internet, use the syntax below to inspect traffic only from the internet.
!
object-group network RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
!
object-group network RFC-1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
!
access-list sfr_redirect extended deny ip object-group RFC1918 object-group RFC-1918
access-list sfr_redirect extended permit ip any any
!
class-map sfr
match access-list sfr_redirect
!
policy-map global_policy
class sfr
sfr fail-open
!
service-policy global_policy global

HTH
Abheesh
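To see what the sfr_redirect ACL in the answer above actually selects, here is an added example (not code from any post in this thread) that evaluates that ACL the way the ASA does: object-groups expanded, entries tried top to bottom with first match, and an implicit deny at the end, so only flows the ACL permits are redirected by the "match access-list" class-map. The sample flows are constructed; the first two are the inside host and NAT-mapped address from the syslog lines quoted later in the thread, and 203.0.113.7 is a documentation address standing in for any public host.

```python
"""Evaluate an ASA 'match access-list' redirect ACL against sample flows."""
import ipaddress

# Constructed copy of the object-group and ACL lines from the answer above
# (the duplicate RFC-1918 group is collapsed into one; it has the same members).
ASA_CONFIG = """\
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list sfr_redirect extended deny ip object-group RFC1918 object-group RFC1918
access-list sfr_redirect extended permit ip any any
"""


def _take_address(tokens, i, groups):
    """Consume one ASA address specifier at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object-group":
        return groups[tokens[i + 1]], i + 2
    # ASA ACLs use ordinary subnet masks, not wildcard masks: "10.0.0.0 255.0.0.0"
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2


def parse_config(text):
    """Return ({group: [networks]}, {acl_name: [(action, proto, src_nets, dst_nets)]})."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[:2] == ["object-group", "network"]:
            current = t[2]
            groups[current] = []
        elif t[0] == "network-object" and current is not None:
            groups[current].append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list":
            current = None
            # access-list <name> extended <permit|deny> <proto> <src> <dst>
            name, action, proto = t[1], t[3], t[4]
            src, i = _take_address(t, 5, groups)
            dst, _ = _take_address(t, i, groups)
            acls.setdefault(name, []).append((action, proto, src, dst))
    return groups, acls


def acl_decision(aces, src_ip, dst_ip, proto="tcp"):
    """First-match evaluation, top to bottom, ending in the implicit deny every ASA ACL has."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, src_nets, dst_nets in aces:
        if ace_proto not in ("ip", proto):
            continue
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action
    return "deny"


def redirected_to_sfr(aces, src_ip, dst_ip, proto="tcp"):
    """A class-map 'match access-list' matches only what the ACL permits."""
    return acl_decision(aces, src_ip, dst_ip, proto) == "permit"


def classify_sample_flows():
    """Constructed sample flows; the first two are the connection from the syslog in the thread."""
    _, acls = parse_config(ASA_CONFIG)
    aces = acls["sfr_redirect"]
    flows = [
        ("10.16.6.10", "169.55.69.156"),   # inside host to a public web server
        ("169.55.69.156", "10.16.9.1"),    # return direction, NAT-mapped inside address
        ("10.16.6.10", "192.168.1.20"),    # RFC1918 to RFC1918: hits the deny line
        ("172.31.255.1", "203.0.113.7"),   # RFC1918 to a public (documentation) address
    ]
    return {f"{s}->{d}": redirected_to_sfr(aces, s, d) for s, d in flows}


if __name__ == "__main__":
    for flow, redirected in classify_sample_flows().items():
        print(f"{flow:32} {'-> sfr' if redirected else 'not redirected'}")
```

The evaluator is per packet, which is enough to check the ACL logic; on the ASA itself the service policy is applied to the connection, so once the first packet of a flow matches the class, the return direction of that same connection is redirected as well without a separate reverse ACL entry. The two %ASA-6-434004 messages quoted later in the thread, one for each direction of connection 503, are consistent with that.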

ac5nwdude
Level 1

Hello guys,

thank you very much for your input! Turned out we already did it like this.

  • We still see no events in ASDM -> Monitoring -> Firepower
  • A "tcpdump -i eth0" in expert mode on the Firepower module shows nearly exclusively UDP traffic
  • Although this looks kinda good to me:

%ASA-6-302013: Built outbound TCP connection 503 for OUTSIDE_WAN:169.55.69.156/443 (169.55.69.156/443) to INSIDE_LAN:10.16.6.10/63482 (10.16.9.1/63482)
%ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from INSIDE_LAN:10.16.6.10/63482 to OUTSIDE_WAN:169.55.69.156/443 locally
%ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from OUTSIDE_WAN:169.55.69.156/443 to INSIDE_LAN:10.16.9.1/63482 locally

When I interpret this right, Firepower saw a TCP flow, approved it as valid/secure and told the ASA to handle the rest of this flow herself, without redirecting it to FP - or am I wrong?

This is how we do it:

!
access-list global_mpc extended permit ip any any
!
class-map global-class
match access-list global_mpc
!
policy-map global-policy
class global-class
sfr fail-close
!
service-policy global-policy global
!

Output from show module:

...
Mod SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr  ASA FirePOWER                  Up               6.2.2-81
...

Output from show summary on the FP module:

Configure> show summary 
-------------------[ firepower ]--------------------
Model                     : ASA5506 (72) Version 6.2.2 (Build 81)
UUID                      : XXXXXXXXXXXXXX
Rules update version      : 2016-11-29-001-vrt
VDB version               : 271
----------------------------------------------------

------------------[ policy info ]-------------------
Access Control Policy     : Default Allow All Traffic

------------------[ OUTSIDE_WAN ]-------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
-------------------[ INSIDE_LAN ]-------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
----------------------[ OOB ]-----------------------
Physical Interface        : GigabitEthernet1/3
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : XXXXXXXXXXXXXX
IPv4 Address              : XXXXXXXXXXXXXX
----------------------[ tun1 ]----------------------
IPv6 Address              : XXXXXXXXXXXXXX
---------------------[ tunl0 ]----------------------
----------------------------------------------------

---------------[ snort version info ]---------------
Snort Version             : 2.9.11 GRE (Build 125) 
libpcap Version           : 1.1.1
PCRE Version              : 7.4 2007-09-21
ZLIB Version              : 1.2.5
----------------------------------------------------

This post in the Cisco Community ( https://community.cisco.com/t5/firepower/no-real-time-logging-on-asdm-with-firepower-5-4-1-4-15/m-p/2786322/highlight/true#M136 ) sounds a bit like we're affected by a bug that was actually fixed in FP 6.0 - but as it seems not under all conditions. We'll open a TAC on this, too.


Again, thank you very much so far!
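When the question is "is traffic reaching the module at all?", the syslog lines quoted in this post already answer it if they are correlated: %ASA-6-302013 records the connection the ASA built, with real and NAT-mapped addresses for each side, and %ASA-6-434004 records the module telling the ASA to stop redirecting that flow. The following is an added example (not code from this thread or from Cisco) that pairs the two message types per connection, matching a 434004 line against either the real or the mapped address of each endpoint, since the two quoted 434004 lines use 10.16.6.10 in one direction and the mapped 10.16.9.1 in the other. The sample log is constructed from the three lines above plus one extra connection (504, to the documentation address 203.0.113.7) that never gets a hand-back message.

```python
"""Correlate ASA 302013 (connection built) and 434004 (SFR hand-back) syslog messages."""
import re
from dataclasses import dataclass, field

# Constructed sample: the three lines quoted in the post plus a second connection
# for which the module never sent a bypass request.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built outbound TCP connection 503 for OUTSIDE_WAN:169.55.69.156/443 (169.55.69.156/443) to INSIDE_LAN:10.16.6.10/63482 (10.16.9.1/63482)
%ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from INSIDE_LAN:10.16.6.10/63482 to OUTSIDE_WAN:169.55.69.156/443 locally
%ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from OUTSIDE_WAN:169.55.69.156/443 to INSIDE_LAN:10.16.9.1/63482 locally
%ASA-6-302013: Built outbound TCP connection 504 for OUTSIDE_WAN:203.0.113.7/443 (203.0.113.7/443) to INSIDE_LAN:10.16.6.11/50000 (10.16.9.1/50000)
"""

BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) (?P<proto>\w+) connection (?P<id>\d+) "
    r"for (?P<if1>[\w-]+):(?P<r1>[\d.]+)/(?P<rp1>\d+) \((?P<m1>[\d.]+)/(?P<mp1>\d+)\) "
    r"to (?P<if2>[\w-]+):(?P<r2>[\d.]+)/(?P<rp2>\d+) \((?P<m2>[\d.]+)/(?P<mp2>\d+)\)"
)
BYPASS_RE = re.compile(
    r"%ASA-6-434004: SFR requested ASA to bypass further packet redirection and process "
    r"(?P<proto>\w+) flow from (?P<if1>[\w-]+):(?P<ip1>[\d.]+)/(?P<p1>\d+) "
    r"to (?P<if2>[\w-]+):(?P<ip2>[\d.]+)/(?P<p2>\d+) locally"
)


@dataclass
class Connection:
    conn_id: int
    proto: str
    side_a: frozenset   # {(interface, ip, port)} for the real and the NAT-mapped address
    side_b: frozenset
    bypassed: list = field(default_factory=list)  # directions the module handed back

    def owns(self, src, dst):
        """True if (src, dst) are the two ends of this connection, in either direction."""
        return (src in self.side_a and dst in self.side_b) or \
               (src in self.side_b and dst in self.side_a)


def _endpoints(m, n):
    """Real and mapped (interface, ip, port) tuples for side n of a 302013 match."""
    iface = m.group(f"if{n}")
    return frozenset({
        (iface, m.group(f"r{n}"), int(m.group(f"rp{n}"))),
        (iface, m.group(f"m{n}"), int(m.group(f"mp{n}"))),
    })


def correlate(syslog_text):
    """Return {connection id: Connection} with every 434004 attached to its connection."""
    conns = {}
    for line in syslog_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            cid = int(m.group("id"))
            conns[cid] = Connection(cid, m.group("proto"), _endpoints(m, 1), _endpoints(m, 2))
            continue
        b = BYPASS_RE.search(line)
        if b:
            src = (b.group("if1"), b.group("ip1"), int(b.group("p1")))
            dst = (b.group("if2"), b.group("ip2"), int(b.group("p2")))
            for c in conns.values():
                if c.proto == b.group("proto") and c.owns(src, dst):
                    c.bypassed.append(f"{b.group('if1')}->{b.group('if2')}")
                    break
    return conns


def summarize(syslog_text):
    """Which built connections did the module hand back, and which never were."""
    conns = correlate(syslog_text)
    return {
        "built": len(conns),
        "handed_back_by_sfr": sorted(c.conn_id for c in conns.values() if c.bypassed),
        "no_bypass_seen": sorted(c.conn_id for c in conns.values() if not c.bypassed),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_SYSLOG))
```

A 434004 for a connection proves the module received the redirected flow, so a log full of 302013 lines with no 434004 counterparts is a better indicator of a redirect problem than an empty ASDM event view, which can also be empty simply because the access control policy (here "Default Allow All Traffic") logs nothing.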
