Can not browse after applied sfr service policy in outside and inside

Maivoko
Level 1

With ASA only, I can browse,

but after applying sfr, I can not browse.

If it is a stateful firewall, do I need to allow

from outside port 443 to the inside private network or to the NAT address?


Abheesh Kumar
VIP Alumni

Hi,

Please create the redirection policy like below and try.

access-list sfr_redirect extended permit ip any any
!
class-map sfr
 match access-list sfr_redirect
!
policy-map global_policy
 class sfr
  sfr fail-open
!
service-policy global_policy global

 

HTH

Abheesh

This is permit all; will it have a security risk?

because sfr is applied on the outside too

No, it's permitting all traffic to go via SFR for inspection. You can create block rules in SFR as well. All your other deny rules will work as per the ASA access list.

 

HTH

Abheesh
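To make the point of this reply concrete, here is an added example (not code from the thread and not Cisco's implementation) that models, in simplified form, how an ASA with an SFR module handles the first packet of a flow: the interface access list decides permit or deny first, the service-policy class (the redirect ACL) then only selects which permitted traffic is handed to the module, the SFR access control policy is evaluated first-match, and "sfr fail-open" decides what happens when the module is down. The rule shapes, the sample addresses (RFC 5737 ranges) and the three-rule access control policy are constructed for the demonstration; the real platform has many more options than this model.

```python
"""
Simplified model of ASA + SFR flow handling (assumption-based, not Cisco code).

Order modelled:
  1. Interface ACL: first match wins, implicit deny at the end.  A denied flow
     never reaches the service policy.
  2. Redirect ACL (the class-map match): a "permit" entry selects the flow for
     SFR inspection; a "deny" entry means "not redirected", not "dropped".
  3. SFR access control policy: first match wins, otherwise the default action.
  4. Module down: "fail-open" passes the flow, "fail-close" drops it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit"/"deny" (ACL) or "allow"/"block" (ACP)
    src: str = "any"             # "any" or a CIDR
    dst: str = "any"
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # None matches every port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        for want, have in ((self.src, f.src), (self.dst, f.dst)):
            if want != "any" and ip_address(have) not in ip_network(want):
                return False
        return True


def first_match(rules: List[Rule], f: Flow, default: str) -> str:
    """First-match evaluation with a default action, as ACLs and the ACP use."""
    for r in rules:
        if r.matches(f):
            return r.action
    return default


def evaluate(f: Flow, interface_acl: List[Rule], redirect_acl: List[Rule],
             acp: List[Rule], acp_default: str = "block",
             sfr_up: bool = True, fail_open: bool = True) -> Tuple[str, str]:
    """Return (verdict, stage) for the first packet of a flow."""
    if first_match(interface_acl, f, "deny") == "deny":
        return "drop", "interface-acl"
    if first_match(redirect_acl, f, "deny") == "deny":
        return "pass", "not-redirected"
    if not sfr_up:
        return ("pass", "sfr-fail-open") if fail_open else ("drop", "sfr-fail-close")
    verdict = first_match(acp, f, acp_default)
    return ("pass" if verdict == "allow" else "drop"), "sfr-acp"


# "access-list sfr_redirect extended permit ip any any" from the reply above.
SFR_REDIRECT = [Rule("permit")]


def demo() -> dict:
    """Constructed scenario: an outside ACL with one deny, an ACP allowing DNS/HTTP/HTTPS."""
    outside_acl = [Rule("deny", src="198.51.100.0/24"), Rule("permit")]
    acp = [Rule("allow", proto="udp", dport=53),
           Rule("allow", proto="tcp", dport=80),
           Rule("allow", proto="tcp", dport=443)]
    flows = {
        "denied-src-https": Flow("198.51.100.7", "192.0.2.10", "tcp", 443),
        "https": Flow("203.0.113.5", "192.0.2.10", "tcp", 443),
        "ssh": Flow("203.0.113.5", "192.0.2.10", "tcp", 22),
    }
    return {name: evaluate(f, outside_acl, SFR_REDIRECT, acp) for name, f in flows.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

The "denied-src-https" flow is dropped by the interface ACL before the "permit ip any any" redirect entry is ever consulted, "https" is redirected and allowed by the ACP, and "ssh" is redirected and blocked by the ACP default. The model only covers the first packet of a flow; the ASA is stateful, so return traffic of an established, inside-initiated connection is not re-checked against the outside interface ACL.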

Cannot apply the access list in real practice.

Attached screen capture.

What should I do next?

Marvin Rhoads
Hall of Fame

You have some very restrictive Deny statements in your Access Control Policy. It's very likely they are blocking the traffic.

But the first two rules allowed traffic first.
The default rule and deny will not apply.

I succeeded in using Firepower to browse the web
after removing the ASA access list in the console config,
then only applying Firepower's own access list.

 

Country allow: United States, United Kingdom, France, Germany, Canada, Japan, Singapore, Taiwan

 

It seems to fulfil the requirement of the content distribution network.

But I cannot access the Amazon web and the Amazon console app on iPhone.

Did you configure any application-specific block rule in the ACP?

The first allow rule is DNS.

The second allow rule is HTTP and HTTPS.

For the default IPS policy I use Security over Connectivity.

The applications allowed in the second rule are Amazon and Google,

then the rest is blocked.

I did not block applications deliberately.

I think they are allowed in the second rule.

Can you share a packet-tracer output for the Amazon IP?

Amazon uses a content distribution network.

I shut down the firewall;

maybe I will try it tomorrow.

It is not easy to tune and fit the optimal setting.

Are there any statistics commands for Firepower in the ASA console?

When I try to classify traffic by country,

I feel it is clumsy to create many copies of the same rule for just one country.

Where can I set the maximum connections in Firepower?

I want to narrow the connections to the two applications I am currently using, Chrome and Mstsc Remote Desktop only.

Where can I filter Java in Firepower, and will it influence HSBC transactions on iPhone and notebook?

Actually I still have not tested stock trading or transferring money with Firepower. I am afraid of failure in part of the transactions, because for applications I only chose Amazon and Google. What applications should I choose for banking applications?

Today I tested again.

I changed to Balanced Security and Connectivity,

then I removed all Amazon and Google applications in the access policy.

I succeeded in using the Amazon console app on iPhone,

but cannot see the configuration page after logging in to the Amazon cloud web on the notebook.

Succeeded in remote controlling Windows on Amazon cloud, but had several connection cuts before succeeding.
