Bypass SFR module from ASA5585-X

ciscoproxy
Level 1

Hi All,

 

My client is currently experiencing an intermittent network connectivity issue, and I believe it is due to the IPS. They claimed they have bypassed the IPS module, but when I check the configuration it remains intact on the ASA5. From my understanding, bypassing the IPS module entirely can be done by uninstalling the module and removing the access list, class-map, policy-map and service-policy related to SFR. Please advise further.

 

 

3 Replies

marce1000
VIP

 

> ...and remove the access list, class-map, policy-map and service-policy related to SFR.

 - Following this document, https://www.pearsonitcertification.com/articles/article.aspx?p=2140100&seqNum=3 , and/or 'reversing' it, that should be correct. But you can also do the following on the client's ASA: connect to it (SSH) with https://cway.cisco.com/cli/ , and at the top left press or run 'System Diagnostics'.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Bypass can be done from the access-list which is called in/configured in the class-map of the policy-map, as mentioned in your post. Normally, you deny the IP address in the access-list that is working with SFR.

 

As shown in the config below, you could add an access-list entry denying the IP address too, so that traffic will not be inspected by the Layer 7 Firepower IPS module:

 

access-list sfr_redirect line 1 extended deny ip host 192.168.10.10 host 172.16.10.10
access-list sfr_redirect extended permit ip any any
!
class-map sfr
 match access-list sfr_redirect
!
policy-map global_policy
 class sfr

 

The second way, if the SFR is managed by FMC, is to create an ACP rule with the Trust action to allow the traffic.

 

The third is to shut down the SFR module:

 

sw-module module sfr shutdown noconfirm

 

However, after shutting down the SFR you have no Layer 7 inspection at all.

please do not forget to rate.

Note that the ASA 5585-X uses a hardware Firepower module, so the "sw-module" command isn't applicable.

Otherwise, @Sheraz.Salim's suggestions are the way I'd go.
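The replies above all walk the same chain: service-policy -> policy-map -> class -> class-map -> access-list, and the original complaint is that the configuration "remains intact". The following Python audit script is an added example written for this page; it is not part of the thread and not a Cisco tool. It parses a `show running-config` excerpt and reports whether any applied policy-map still carries an `sfr` action, which ACL that class uses, and whether a given flow is redirected or bypassed under first-match ACL semantics. The sample config is constructed from the snippet in the thread with `sfr fail-open` and the global service-policy added so the full chain is present; host addresses, the `inspection_default` class and all names are assumptions. Only IPv4 `host`, `any`/`any4` and `A.B.C.D MASK` endpoints are handled; object-based ACEs raise an error rather than being silently misread.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the snippet from the thread plus 'sfr fail-open' and the global service-policy.
SAMPLE_CONFIG = """\
access-list sfr_redirect extended deny ip host 192.168.10.10 host 172.16.10.10
access-list sfr_redirect extended permit ip any any
!
class-map sfr
 match access-list sfr_redirect
!
policy-map global_policy
 class inspection_default
  inspect dns
 class sfr
  sfr fail-open
!
service-policy global_policy global
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:line \d+ )?extended (permit|deny) \S+ (.+)$")

@dataclass
class AsaConfig:
    acls: dict = field(default_factory=dict)         # acl -> [(action, src_net, dst_net)]
    class_maps: dict = field(default_factory=dict)   # class-map -> acl name
    policy_maps: dict = field(default_factory=dict)  # policy-map -> {class: [actions]}
    applied: list = field(default_factory=list)      # (policy-map, "global" | "interface X")

def _endpoint(toks, i):
    """Parse one IPv4 ACE endpoint at toks[i]; return (network, next index)."""
    if toks[i] in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    if toks[i] in ("object", "object-group", "any6"):
        raise ValueError(f"unsupported ACE endpoint '{toks[i]}': resolve objects first")
    return ipaddress.IPv4Network((toks[i], toks[i + 1]), strict=False), i + 2  # A.B.C.D MASK

def _skip_ports(toks, i):
    """Step over an optional source-port qualifier (eq/gt/lt/neq X or range A B)."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    return i + 3 if i < len(toks) and toks[i] == "range" else i

def parse_config(text):
    cfg = AsaConfig()
    pmap = cls = cmap = None
    for line in text.splitlines():
        if not line.startswith(" "):            # any top-level line closes the open block
            pmap = cls = cmap = None
            if m := ACE_RE.match(line):
                name, action, rest = m.groups()
                toks = rest.split()
                src, i = _endpoint(toks, 0)
                dst, _ = _endpoint(toks, _skip_ports(toks, i))
                cfg.acls.setdefault(name, []).append((action, src, dst))
            elif m := re.match(r"^class-map (\S+)$", line):
                cmap = m.group(1)
                cfg.class_maps.setdefault(cmap, None)
            elif m := re.match(r"^policy-map (\S+)$", line):
                pmap = m.group(1)
                cfg.policy_maps.setdefault(pmap, {})
            elif m := re.match(r"^service-policy (\S+) (global|interface \S+)$", line):
                cfg.applied.append((m.group(1), m.group(2)))
        elif cmap and (m := re.match(r"^ match access-list (\S+)$", line)):
            cfg.class_maps[cmap] = m.group(1)
        elif pmap and (m := re.match(r"^ class (\S+)$", line)):
            cls = m.group(1)
            cfg.policy_maps[pmap].setdefault(cls, [])
        elif pmap and cls and line.startswith("  "):
            cfg.policy_maps[pmap][cls].append(line.strip())
    return cfg

def sfr_redirects(cfg):
    """(policy-map, scope, class, acl, sfr options) for each applied class still carrying an 'sfr' action."""
    found = []
    for pmap, scope in cfg.applied:
        for cls, actions in cfg.policy_maps.get(pmap, {}).items():
            for words in (a.split() for a in actions):
                if words[0] == "sfr":
                    found.append((pmap, scope, cls, cfg.class_maps.get(cls), " ".join(words[1:])))
    return found

def verdict(cfg, acl_name, src, dst):
    """First-match ACL evaluation (protocol ignored): permit = redirected, deny or no match = bypassed."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in cfg.acls.get(acl_name, []):
        if s in src_net and d in dst_net:
            return "redirected" if action == "permit" else "bypassed"
    return "bypassed"   # implicit deny: the class-map never matches this flow

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for pmap, scope, cls, acl, mode in sfr_redirects(cfg):
        print(f"{pmap} ({scope}) class {cls}: sfr {mode} via ACL {acl}")
        for a, b in (("192.168.10.10", "172.16.10.10"), ("192.168.10.10", "172.16.10.11")):
            print(f"   {a} -> {b}: {verdict(cfg, acl, a, b)}")
```

Paste the real `show running-config` output in place of SAMPLE_CONFIG. If the script reports no `sfr` action under an applied policy-map, redirection is already off regardless of whether the class-map and ACL are still present; if it reports one, the per-flow verdicts show exactly which hosts the deny entries exempt and which are still sent to the module, which is the check the original poster needed before blaming the IPS. On a 5585-X the module is a hardware SSP, so the shutdown counterpart of `sw-module module sfr shutdown` is `hw-module module 1 shutdown` (slot 1 assumed here).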
