Cisco ASA 5516-X configuration converts to Firepower 1120

NeilL391
Level 1

Hey guys,

I'm new to this area and would like to ask a question about configuration conversion between ASA and Firepower 1120.

I used the migration tool to convert the configuration from an ASA 5516-X into FTD with FMC (Firepower 1120). There is an ACL in the ASA whose migration result in FTD confused me.

ACL in ASA:

access-list firepower extended permit ip any any
access-list firepower extended deny ip host X.X.X.X host X.X.X.X

class-map firpower_class_map
 match access-list firepower

policy-map global_policy
 class firpower_class_map
  sfr fail-open

Only with this ACL could the server synchronize before. I didn't find a related policy in FMC after migration. Does anyone know how to configure this in FMC? Thank you so much!

Neil


5 Replies

(FPR) FTD doesn't have SFR; that's why the ACL and SFR config are missing.

MHM

Hi,

Thanks a lot! I still want to know the impact if this policy is missing in FTD; do I need to configure it, and how? Looking forward to your reply.

Best Regards,

Neil

Don't worry about that rule. The traffic processing in the ASA with FirePOWER services is handled in a different way than in FTD. With the ASA with FirePOWER services, we need to allow the ASA to forward the traffic for further inspection (application inspection) by the FirePOWER services. To do so, we have to allow the traffic that should be further inspected; this is why you have that "firepower" access list and "firpower_class_map" class map bound to the global policy map on the ASA. On FTD this is not needed anymore, hence there is no need to migrate that config snippet. Please take a look at this link, which explains how the ASA with FirePOWER services deals with traffic inspection:

Cisco ASA FirePOWER Packet Processing Order of Operations > Introduction to and Design of Cisco ASA with FirePOWER Services | Cisco Press
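To make the point above checkable before a migration, here is an added example (my own script, not from this thread, Cisco, or the migration tool) that walks the ASA MPF chain policy-map > class > match access-list > ACL and reports which ACLs exist only to redirect traffic to the SFR module, so they can be dropped from the FTD policy with confidence. It also applies a first-match check of its own to those ACLs, which for the posted snippet shows that the "deny" ACE sits behind "permit ip any any" and never matches; the X.X.X.X placeholders are kept from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the MPF snippet from the post above, X.X.X.X placeholders kept.
ASA_CONFIG = """
access-list firepower extended permit ip any any
access-list firepower extended deny ip host X.X.X.X host X.X.X.X
class-map firpower_class_map
 match access-list firepower
policy-map global_policy
 class firpower_class_map
  sfr fail-open
"""

def parse_asa(config):
    """Minimal parse: ACL entries, class-map -> ACL, and policy-map class -> actions."""
    acls, class_acl, actions = defaultdict(list), {}, defaultdict(list)
    cur_class = cur_policy_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line)
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif line.startswith("class-map "):          # enter class-map context
            cur_class, cur_policy_class = line.split()[1], None
        elif line.startswith("match access-list ") and cur_class:
            class_acl[cur_class] = line.split()[2]
        elif line.startswith("policy-map "):         # enter policy-map context
            cur_class = None
        elif line.startswith("class ") and cur_class is None:
            cur_policy_class = line.split()[1]
        elif cur_policy_class:                       # action line under a policy-map class
            actions[cur_policy_class].append(line)
    return acls, class_acl, actions

def sfr_redirect_acls(config):
    """ACLs whose only job is to hand traffic to the SFR module; FTD has no such redirect."""
    _, class_acl, actions = parse_asa(config)
    return sorted(class_acl[c] for c, acts in actions.items()
                  if c in class_acl and any(a.startswith("sfr ") for a in acts))

def shadowed_entries(acl_entries):
    """Indexes of ACEs that an earlier 'ip any any' ACE already matches (ASA ACLs are first-match)."""
    return [i for i, _ in enumerate(acl_entries)
            if any(p == "ip" and r.startswith("any any") for _, p, r in acl_entries[:i])]

if __name__ == "__main__":
    acls, _, _ = parse_asa(ASA_CONFIG)
    for name in sfr_redirect_acls(ASA_CONFIG):
        print(f"ACL '{name}' only feeds 'sfr' redirection; nothing to migrate to FTD for it")
        for i in shadowed_entries(acls[name]):
            print(f"  ACE {i} ('{' '.join(acls[name][i])}') never matches: an earlier 'ip any any' ACE wins")
```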

Hi Aref,

Thank you so much for your reply! I will study the link more.

Best Regards,

Neil

You're very welcome, Neil.
