Can not browse after applied sfr service policy in outside and inside

Level 1

With ASA only, I can browse,


but after applying SFR, I cannot browse.


If it is a stateful firewall, do I need to allow from outside port 443 to the inside private network or the NAT address?



Abheesh Kumar
VIP Alumni


Please create the redirection policy like below and try.


! Match all traffic for redirection to the SFR module
access-list sfr_redirect extended permit ip any any
class-map sfr
 match access-list sfr_redirect
policy-map global_policy
 class sfr
  ! fail-open: pass traffic if the module is down (fail-close would drop it)
  sfr fail-open
service-policy global_policy global




This is permit all; will it have a security risk?


Because SFR is applying to outside too.

No, it's permitting all traffic to go via SFR for inspection. You can create block rules in SFR as well. All your other deny rules will work as per the ASA access list.
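As an added example (not from this thread), the ASA configuration below illustrates the answer above: the interface ACL decides what the ASA permits, while the sfr_redirect ACL only selects which of those permitted flows are handed to the module, so "permit ip any any" in the redirect ACL opens nothing by itself. The ACL name outside_in and the addresses (RFC 5737 documentation ranges) are assumed.

```text
! Added example, not the poster's config. Addresses and the outside_in name are assumed.
!
! 1. The interface ACL still gates traffic. Nothing it denies ever reaches SFR.
!    On ASA 8.3 and later the outside ACL matches the real (untranslated) inside
!    address, not the NAT address.
access-list outside_in extended permit tcp any host 192.168.10.10 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! 2. The redirect ACL only chooses which already-permitted flows are inspected.
!    "permit ip any any" here is a match statement, not a permit through the ASA.
access-list sfr_redirect extended permit ip any any
class-map sfr
 match access-list sfr_redirect
policy-map global_policy
 class sfr
  ! fail-open passes traffic if the module is down; fail-close drops it instead,
  ! which is the safer choice when inspection is mandatory.
  sfr fail-open
service-policy global_policy global
!
! 3. Verification from the ASA console (run from privileged EXEC, not config mode):
!    packet-tracer input outside tcp 198.51.100.5 12345 192.168.10.10 443
!      shows whether the ASA ACL/NAT or the SFR module dropped a given flow
!    show service-policy sfr
!      shows redirect counters for the sfr class
!    show module sfr
!      shows the module's status
```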




Cannot apply the access list in real practice.

Attached screen capture.


What should I do next?

Marvin Rhoads
Hall of Fame

You have some very restrictive Deny statements in your Access Control Policy. It's very likely they are blocking the traffic.

But the first two rules allowed the traffic first;
the default rule and deny will not apply.

I succeeded in using Firepower to browse the web
after removing the ASA access list in the console config,
then only applying Firepower's own access list.


Country allow: United States, United Kingdom, France, Germany, Canada, Japan, Singapore, Taiwan.


It seems to fulfil the requirement of the content distribution network.

But I cannot access the Amazon web and the Amazon console app on iPhone.

Did you configure any application-specific block rule in the ACP?

The first allow rule is DNS.

The second allow rule is HTTP and HTTPS.

The default IPS policy I use is Security over Connectivity.


The applications allowed in the second rule are Amazon and Google,

then the rest are blocked.

I did not block applications deliberately.

I think they are allowed in the second rule.

Can you share a packet-tracer output for the Amazon IP?

Amazon uses a content distribution network.

I shut down the firewall;

maybe I will try it tomorrow.

It is not easy to tune and fit the optimal setting.


Are there any statistics commands for Firepower in the ASA console?


When I try to classify traffic into countries,

I feel clumsy creating many copies of the same rule for just one country.


Where can I set the maximum connections in Firepower?

I want to narrow the connections to the two applications I currently use, Chrome and MSTSC Remote Desktop, only.


Where can I filter Java in Firepower, and will it influence HSBC transactions on iPhone and notebook?


Actually I still have not tested stock trading or transferring money with Firepower. I am afraid of failure in part of the transactions because the only applications I chose are Amazon and Google. What applications should I choose for banking applications?

Today I tested again.

I changed to Balanced Security and Connectivity,

then I removed all Amazon and Google applications in the access policy.


I succeeded in using the Amazon console app on iPhone,

but cannot see the configuration page after logging in to the Amazon cloud web on the notebook.


Succeeded in remote controlling the Windows instance in Amazon cloud, but had several connection cuts before succeeding.


