ASA5516-X w/FirePOWER - Default Gateway

michael.smith (Level 1)

I'm setting up some ASA5516s, and I'm a little confused about the default gateway setting on the FirePOWER module.

I've read that in 'inline' mode you set the default gateway to the ASA5516 inside interface, and in 'passive' or 'sniff' mode you set it to the router's interface (on the inside network).

I originally had the default gateway set to the ASA5516 inside interface, but could not reach it from a remote network. It was causing an asymmetric route. I then changed the default gateway to the inside router's interface and everything is working fine.

The issue is I do not want to set up the FirePOWER module in passive mode. I want it inspecting all the traffic and implementing any rules it deems fit.

Am I doing this correctly?

5 Replies

SFR is a transparent device.

The default route is used for management/updates only.

As Guido has already mentioned, that default route is purely for management access and other management functions. As for inline inspection, the redirection is done via ACLs that are called in a policy-map configured on the ASA. Communication between the ASA and SFR happens on the backplane.

--
Please remember to select a correct answer and rate helpful posts

Let's say I run out of license - or some bad configuration is applied through FMC server. If users start complaining - is it enough to disable SFR from global_policy ? Will it immediately release all previously inspected traffic?

Thanks!

Yes, I have had to do this several times as we ran into performance issues with 5585 running SFR modules. 

I have also done this during upgrades so I can do the upgrade during normal work day and not late night service window.

--
Please remember to select a correct answer and rate helpful posts

You can change the policy to monitor-only.
This way, SFR receives a copy of traffic but can't affect or block traffic.

! Traffic selector; sfr_mpc was not shown in the original post and is
! assumed here to match all IP traffic
access-list sfr_mpc extended permit ip any any

class-map sfr
 match access-list sfr_mpc

policy-map global_policy
 class sfr
  ! remove the existing inline action, then re-add it as monitor-only
  no sfr fail-open
  sfr fail-open monitor-only
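As an added example (not from any post in this thread, and not Cisco's own documentation), here is the complete ASA-side configuration that the second and last replies describe: an ACL selecting the traffic, a class-map matching it, and the sfr action under global_policy, shown first in inline fail-open mode, then switched to monitor-only, then removed entirely for the "license ran out / bad FMC policy" case asked about above. The topology, interface addresses and ACL name are assumptions; the module's management gateway shown is the inside router, which is where the original poster ended up pointing it.

```cisco
! Assumed topology (not from the thread): ASA inside 10.1.1.1/24,
! inside router 10.1.1.254, SFR management interface 10.1.1.2.
!
! The SFR management IP and gateway are set from the module's own CLI,
! reached with "session sfr console" on the ASA. That gateway carries
! only management, FMC and update traffic; redirected data-plane flows
! never use it, they cross the ASA backplane.
!
!   ASA# session sfr console
!   > configure network ipv4 manual 10.1.1.2 255.255.255.0 10.1.1.254
!
! --- Step 1: inline inspection via Modular Policy Framework ---
access-list sfr_mpc extended permit ip any any
!
class-map sfr
 match access-list sfr_mpc
!
policy-map global_policy
 class sfr
  sfr fail-open
!
service-policy global_policy global
!
! fail-open: if the module is down or being upgraded, matching traffic
! is forwarded uninspected. fail-close drops it instead; stricter, but
! then a module outage becomes a network outage.
!
! --- Step 2: keep sending a copy to SFR, but let it block nothing ---
policy-map global_policy
 class sfr
  no sfr fail-open
  sfr fail-open monitor-only
!
! --- Step 3: stop redirecting altogether (e.g. license lapse) ---
! Existing flows are no longer sent to the module once the action is
! removed; new flows are never redirected.
policy-map global_policy
 class sfr
  no sfr fail-open monitor-only
!
! --- Verification ---
! show service-policy sfr       per-class counters and current action
! show module sfr details       module status, management IP/gateway
```

Two caveats for anyone copying this: `permit ip any any` also redirects traffic you may prefer to keep off the module (management sessions to the ASA itself, VPN control traffic), so a production selector is usually narrower; and Cisco documents that a single ASA cannot mix monitor-only and inline sfr classes at the same time, so moving one class to monitor-only means moving all of them.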