283 Views | 1 Helpful | 2 Replies

Bidirectional ASA ACL to FTD ACP

tahscolony
Level 1

One of the things discovered with the Migration tool is it assumes the Inbound for an interface is default and only recognizes outbound. I have 3 DMZ interfaces that I control traffic from servers inside the DMZ to have access to other interfaces and a big fat DENY at the end. I then have ACE going to those servers with a big fat DENY. I am having trouble wrapping my head around how it is now done with FMC, mainly the order in which it is done.

For Outside to DMZ1, do I start with those first, then DMZ2, and DMZ3?

Inside interface should have access fully outside, but restricted to the 3 DMZ.

One DMZ is for the WSA Proxy, but should have no access to the other two DMZ, but needs internet access and access to the inside network.

There are things in each DMZ that need to talk to things in the other DMZ on certain ports, and things inside each DMZ that need to be restricted to what they can see.

Half of these rules got carried over. I just am not sure which order they should be in top to bottom and if I need to add access lists inside the rules from objects.

1 Accepted Solution

Accepted Solutions

Sheraz.Salim
VIP Alumni

When migrating ASA ACLs to Firepower Management Center (FMC) access control policies (ACPs), the key differences in structure and rule processing require careful re-organization/consideration. Here is how I would structure the policy for three DMZs, internal networks, and external interfaces.

Assign each DMZ interface to a unique security zone (e.g., DMZ1, DMZ2, DMZ3) to enforce logical separation. Also avoid grouping multiple DMZ interfaces under a single zone, as this can lead to unintended routing and policy overlaps and create problems.

Now coming to rule order and structure.

Remember FTD processes rules top-down, with the first match applied. Structure your ACP as follows.

Category: Default (Block All): keep the default block-all rule at the bottom as a catch-all.

Category: Mandatory (Explicit Allows)

Outside --> DMZ Rules

Place rules for inbound traffic (e.g., public access to DMZ servers) at the top.

(May not be very accurate, but just as an example.)

Example:
Name: Allow_Web_To_DMZ1
Action: Allow
Source Zone: Outside
Destination Zone: DMZ1
Destination Networks: DMZ1_Subnet
Ports: 80, 443
Logging: Enable at connection start/end


Inside --> DMZ Rules

Restrict internal access to DMZs using specific source/destination networks and ports.

Example:
Name: Permit_Inside_to_DMZ2_SQL
Action: Allow
Source Zone: Inside
Destination Zone: DMZ2
Ports: 1433 (SQL)

and so on....

In summary, this will be something like this:

1. Allow Outside → DMZ1 (HTTP/HTTPS)
2. Allow Inside → DMZ2 (SQL)
3. Allow DMZ1 → DMZ2 (MySQL)
4. Block DMZ3 → DMZ1/DMZ2
5. Allow DMZ3 → Outside (HTTP/HTTPS)
6. Block all other inter-DMZ traffic
7. Default Deny (implicit)


please do not forget to rate.
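As an added example (not part of the thread, and not FMC's own policy analysis), here is a small Python first-match simulation of the seven-rule ordering in the accepted answer. Rule names, zone names and ports are assumed; it shows what happens when the broad "block all other inter-DMZ traffic" rule is placed above the specific allows, and flags rules that an earlier rule fully shadows.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str              # "allow" or "block"
    src_zones: set           # source security zones
    dst_zones: set           # destination security zones
    dst_ports: set = None    # None means any destination port

DMZS = {"DMZ1", "DMZ2", "DMZ3"}
DEFAULT_ACTION = "block"     # the catch-all block rule at the bottom of the ACP

# The accepted answer's ordering (rules 1-6); zone names and ports are assumed.
ACP = [
    Rule("Allow_Outside_to_DMZ1_Web", "allow", {"Outside"}, {"DMZ1"}, {80, 443}),
    Rule("Allow_Inside_to_DMZ2_SQL",  "allow", {"Inside"},  {"DMZ2"}, {1433}),
    Rule("Allow_DMZ1_to_DMZ2_MySQL",  "allow", {"DMZ1"},    {"DMZ2"}, {3306}),
    Rule("Block_DMZ3_to_DMZ1_DMZ2",   "block", {"DMZ3"},    {"DMZ1", "DMZ2"}),
    Rule("Allow_DMZ3_to_Outside_Web", "allow", {"DMZ3"},    {"Outside"}, {80, 443}),
    Rule("Block_Inter_DMZ",           "block", set(DMZS),   set(DMZS)),
]

def evaluate(policy, src_zone, dst_zone, dst_port):
    """Top-down, first match wins: return (action, rule name) or the default."""
    for r in policy:
        if (src_zone in r.src_zones and dst_zone in r.dst_zones
                and (r.dst_ports is None or dst_port in r.dst_ports)):
            return r.action, r.name
    return DEFAULT_ACTION, "Default"

def shadowed(policy):
    """Rules fully covered by an earlier rule; they can never match."""
    hidden = []
    for i, r in enumerate(policy):
        for earlier in policy[:i]:
            ports_covered = earlier.dst_ports is None or (
                r.dst_ports is not None and r.dst_ports <= earlier.dst_ports)
            if (r.src_zones <= earlier.src_zones
                    and r.dst_zones <= earlier.dst_zones and ports_covered):
                hidden.append(r.name)
                break
    return hidden

# Same rules with the broad inter-DMZ block moved to the top (the mistake to avoid).
MISORDERED = [ACP[5]] + ACP[:5]

if __name__ == "__main__":
    print(evaluate(ACP, "DMZ1", "DMZ2", 3306))         # allowed by the MySQL rule
    print(evaluate(MISORDERED, "DMZ1", "DMZ2", 3306))  # now blocked: order matters
    print(shadowed(MISORDERED))                        # rules the broad block hides
```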


2 Replies


tahscolony
Level 1

Good, then I am on the right track. I weeded out at LEAST 100 ACL that are no longer needed which is making it a bit easier.
