Block traffic from outside in Firepower Device Manager (ASA 5506-X with FirePOWER Services)

Hello, I have recently deployed a Cisco ASA 5506-X With FirePOWER Services. I am using the unified Image Firepower Threat Defence (FTD), and I am managing the Firewall with the web-based on-box management solution "Firepower Device Manager" from a machine on the local network. The setup is very basic, and it looks like this:

[Image: network.png]

Everything seems to be working fine, I am using NAT and some port forwarding rules for services on the inside, but I noticed that it is possible to access the outside address (public address obtained from my ISP) from everywhere. For example, it is possible to ping it, or access it through port 80 from anywhere on the internet.


My question is: How do I block access from the outside towards my outside interface? I have tried with Policies-> Access Control with the default action of block, but it still does not block the traffic.


I have not yet found the more traditional access-lists. There must be a way to accomplish this, and Google gave me no luck.

 

Thanks for any thoughts.

6 Replies

pieterh (VIP)

According to this document there is a separate FTD policy to configure on which interface and from which subnets FTD can be accessed.

 

There are 6 steps to configure HTTPS access.

Step 1. Navigate to Devices > Platform Settings

Step 2. Either edit the platform settings policy which exists as you click the pencil icon beside the policy, or create a new FTD policy as you click New Policy. Select the type as Firepower Threat Defense.

Step 3. As you navigate to the HTTP section, a page appears as shown in the image.

Enable HTTP server: Enable this option to enable the HTTP server on the FTD.

Port: Select the port on which the FTD accepts management connections.

 

Hope this helps.

Thank you for the answer, but I am not using the FMC, I am using the on-box management solution. So I don't have that possibility.

Also, I don't want to disable the HTTP server, which at the moment is not accessible from the outside (internet), only from the inside. I can only see that the ASA is accepting connections/ping/etc. from the outside (if I am using nmap, for example).

I checked my FTD virtual device and it does not reply to ping (icmp echo request) or port 80.

 

Do you possibly have any NAT rules or access-lists that would make any servers reachable from the outside using the interface address? If so you might be seeing a result of that.

Thanks for the reply.

 

It seems like if I change the default action to "Deny" under Policies -> Access Control, then it kind of blocks port 80, but not totally. Port checker tools say the port is closed, but to me it seems more like it accepts the connection, but since no service is running, it becomes a timeout.

 

But the log says the following for the port 80 traffic:

AccessControlRuleName: Default Action

AccessControlRuleAction: Block


Also, my port forwarding rules do not seem to be working.

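As an added example (not code from the thread or from Cisco), a small Python triage of FTD connection events written in the "Key: value" form quoted above, to see which rule handled each connection and whether any Allow hit the outside address on a port that is not one of the intended port forwards. The sample events are constructed; the field names beyond AccessControlRuleName and AccessControlRuleAction, the outside address 203.0.113.10 and the expected port list are assumptions.

```python
"""Triage Firepower Threat Defense connection events in 'Key: value' form."""
import re
from collections import Counter

# Constructed sample events (not real captures), modelled on the two fields
# shown in the thread plus the usual FTD connection-event fields (assumed).
SAMPLE_EVENTS = """\
AccessControlRuleName: Default Action, AccessControlRuleAction: Block, SrcIP: 198.51.100.7, DstIP: 203.0.113.10, DstPort: 80, Protocol: tcp, IngressInterface: outside
AccessControlRuleName: WebServer-Forward, AccessControlRuleAction: Allow, SrcIP: 198.51.100.7, DstIP: 203.0.113.10, DstPort: 443, Protocol: tcp, IngressInterface: outside
AccessControlRuleName: Inside-Out, AccessControlRuleAction: Allow, SrcIP: 192.168.1.20, DstIP: 198.51.100.50, DstPort: 80, Protocol: tcp, IngressInterface: inside
AccessControlRuleName: Old-Test-Rule, AccessControlRuleAction: Allow, SrcIP: 198.51.100.9, DstIP: 203.0.113.10, DstPort: 3389, Protocol: tcp, IngressInterface: outside
"""

# One "Key: value" pair; values run up to the next comma.
FIELD_RE = re.compile(r"(\w+):\s*([^,]+)")


def parse_event(line):
    """Turn one 'Key: value, Key: value' record into a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def parse_events(text):
    """Parse every non-empty line of a log excerpt."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def rule_summary(events):
    """Count (rule name, action) pairs, e.g. how often 'Default Action' blocked."""
    return Counter((e["AccessControlRuleName"], e["AccessControlRuleAction"])
                   for e in events)


def unexpected_inbound_allows(events, outside_addr, expected_ports):
    """Allowed connections that entered on 'outside', were destined to the
    outside address, and used a port not in the intended port-forward list.
    Each hit is reported as (rule name, destination port, source IP)."""
    hits = []
    for e in events:
        if (e.get("IngressInterface") == "outside"
                and e.get("AccessControlRuleAction") == "Allow"
                and e.get("DstIP") == outside_addr
                and int(e.get("DstPort", 0)) not in expected_ports):
            hits.append((e["AccessControlRuleName"], int(e["DstPort"]), e["SrcIP"]))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print(rule_summary(evts))
    print(unexpected_inbound_allows(evts, "203.0.113.10", {443}))
```

Run it against an export of your own connection events with your real outside address and the ports you meant to forward; any hit is a rule worth reviewing.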

However, it still replies to ping from the internet. What version are you on?

 

Here is my information:

Model Cisco ASA5506-X

Threat Defense Software 6.2.0-363

I am running FTD 6.2.2. That's the most recent and recommended release level.

Would you mind sharing your configs (SSL Decryption, Security Intelligence, NAT, Access Policies), just to give me an insight into whether I have configured it correctly?
