Cannot browse after applying sfr service policy on outside and inside
11-24-2018 08:58 PM - edited 03-12-2019 07:07 AM
With the ASA only, I can browse,
but after applying sfr, I cannot browse.
If it is a stateful firewall, do I need to allow
from outside port 443 to the inside private network or NAT address?
- Labels: NGIPS
11-24-2018 10:37 PM
Hi,
Please create the redirection policy like below and try.
!
access-list sfr_redirect extended permit ip any any
!
class-map sfr
 match access-list sfr_redirect
!
policy-map global_policy
 class sfr
  sfr fail-open
!
service-policy global_policy global
HTH
Abheesh
11-25-2018 04:12 AM
This is permit all; will it have a security risk?
Because sfr is applied on outside too.
11-25-2018 06:33 AM
No, it's permitting all traffic to go via SFR for inspection. You can create block rules in SFR as well. All your other deny rules will work as per the ASA access list.
HTH
Abheesh
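Added example, not part of the original thread or any Cisco tooling: a small Python audit that walks the chain in the configuration posted above (service-policy, policy-map, class, class-map, access-list) and reports what is redirected to the SFR module and in which failure mode. The function name `audit_sfr_redirect` and the embedded sample are constructed for illustration; `fail-close` and `monitor-only` are ASA options that do not appear in the thread.

```python
import re

# Constructed sample: the redirection config as posted in the thread.
SAMPLE_CONFIG = """\
access-list sfr_redirect extended permit ip any any
!
class-map sfr
match access-list sfr_redirect
!
policy-map global_policy
class sfr
sfr fail-open
!
service-policy global_policy global
"""

def audit_sfr_redirect(config):
    """Walk service-policy -> policy-map -> class -> class-map -> ACL and
    return one finding per class that redirects traffic to the SFR module."""
    acls, class_acl, policy_sfr, applied = {}, {}, {}, {}
    cmap = pmap = cls = None
    # Context is tracked by keyword, not indentation, since pasted configs lose it.
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "access-list" and len(w) > 3:
            acls.setdefault(w[1], []).append(" ".join(w[2:]))
        elif w[0] == "class-map":
            cmap, pmap, cls = w[-1], None, None
        elif w[0] == "policy-map":
            pmap, cmap, cls = w[-1], None, None
        elif w[0] == "match" and cmap and len(w) > 2 and w[1] == "access-list":
            class_acl[cmap] = w[2]
        elif w[0] == "class" and pmap and len(w) > 1:
            cls = w[1]
        elif w[0] == "sfr" and pmap and cls:
            policy_sfr.setdefault(pmap, {})[cls] = w[1:]
        elif w[0] == "service-policy" and len(w) >= 3:
            applied[w[1]] = " ".join(w[2:])  # "global" or "interface <name>"
    any_any = re.compile(r"extended permit ip any[46]? any[46]?")
    findings = []
    for pm, scope in applied.items():
        for c, opts in policy_sfr.get(pm, {}).items():
            aces = acls.get(class_acl.get(c), [])
            mode = next((o for o in opts if o in ("fail-open", "fail-close")), "unknown")
            findings.append({"policy": pm, "scope": scope, "class": c,
                             "fail_mode": mode, "monitor_only": "monitor-only" in opts,
                             "redirects_all_ip": any(any_any.fullmatch(a) for a in aces)})
    return findings
```

For the posted configuration the single finding has `redirects_all_ip` true and `fail_mode` `fail-open`: all IP traffic permitted by the ASA is handed to the module, and traffic keeps flowing uninspected if the module is unavailable.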
11-26-2018 04:59 AM
Cannot apply the access list in real practice.
Screen capture attached.
What should I do next?
11-26-2018 01:11 AM
You have some very restrictive Deny statements in your Access Control Policy. It's very likely they are blocking the traffic.
11-26-2018 05:01 AM
The default rule and deny will not apply
12-27-2018 01:13 AM - edited 12-27-2018 01:19 AM
I succeeded in using Firepower to browse the web
after removing the ASA access list in the console config
and then applying only Firepower's own access list.
Countries allowed: United States, United Kingdom, France, Germany, Canada, Japan, Singapore, Taiwan
It seems to fulfil the requirement of the content distribution network,
but I cannot access the Amazon web and the Amazon console app on iPhone.
12-27-2018 01:20 AM
12-27-2018 02:44 AM - edited 12-27-2018 02:44 AM
The first allow rule is DNS.
The second allow rule is http and https.
For the default IPS policy I use security over connectivity.
The applications allowed in the second rule are amazon and google;
then the rest is blocked.
I did not block applications deliberately.
I think they are allowed in the second rule.
12-27-2018 02:48 AM
12-27-2018 04:07 AM
Amazon uses a content distribution network.
I shut down the firewall.
Maybe I will try it tomorrow.
It is not easy to tune and fit the optimal setting.
Are there any statistics commands for Firepower in the ASA console?
When I try to classify traffic into countries,
I feel clumsy creating many of the same rule for just one country.
Where can I set maximum connections in Firepower?
I want to narrow the connections to the two applications I currently use, Chrome and Mstsc Remote Desktop only.
Where can I filter Java in Firepower, and will it influence HSBC transactions on iPhone and notebook?
Actually I still have not tested stock trading or transferring money with Firepower. I am afraid of failure in part of the transactions because for applications I only chose amazon and google. Which application should I choose for banking applications?
01-04-2019 03:03 AM
Today I tested again.
I changed to balanced security and connectivity,
then I removed all amazon and google applications in the access policy.
I succeeded in using the amazon console app on iPhone
but cannot see the configuration page after logging in to the amazon cloud web on the notebook.
I succeeded in remote control of the window of amazon cloud but had several connection cuts before succeeding.
