Cisco ASA5506-x Firepower - no traffic

davidfield
Level 3

Hello All,

I have a new Cisco ASA 5506-x and have installed the Firepower demo license but I can't see any traffic passing through the module.  I've followed the config document at http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-139461 and pointed the traffic at the Firepower module but no luck.  I can't see what I'm missing.

I can see the Firepower tabs so I have Firepower access but no stats.  It's pretty much the default config to pass all at the moment as testing.

My config is below


: Saved

:
: Serial Number: JAD1903KN
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname Firewall
domain-name channelserve.local
enable password 7T8SlkZdOXJEYhj encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.16.4.1 255.255.255.0
dhcprelay information trusted
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
banner motd *******************************************************************
banner motd THIS SYSTEM ACCESSES PROPRIETARY INFORMATION. ACCESS IS RESTRICTED
banner motd TO AUTHORIZED USERS ONLY FOR LEGITIMATE BUSINESS PURPOSES.
banner motd UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND
banner motd CRIMINAL LAWS. ALL ACTIONS ARE BEING RECORDED.
banner motd PLEASE LOG OFF.
banner motd *******************************************************************
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8 outside
domain-name channelserve.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list inside_access_in extended permit ip interface inside object obj_any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list sfr_redirect extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm debugging
logging host inside 172.16.4.10
logging debug-trace
logging permit-hostdown
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.5.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.4.0 255.255.255.0 inside
http 172.16.5.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 172.16.4.0 255.255.255.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.4.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcprelay server 172.16.5.1 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password LDGEqfAm3r4QDR0 encrypted privilege 15
!
class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class sfr
sfr fail-open
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8c65fa5fe4eeed20e0ba3cc5018a307
: end
Firewall#

4 Replies

Philip D'Ath
VIP Alumni

In "policy-map global_policy" your first class is "inspection_default", which has so many matches I doubt there will be much left for the second class, the SFR one.

Try this variation.  Remove the sfr class from the global policy, and then add:

policy-map pm-sfr
class sfr
sfr fail-open
service-policy pm-sfr interface outside
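As an added example (not part of this thread, nor Cisco's own tooling), here is a small Python checker that walks an ASA running-config and confirms the Firepower redirect chain is wired end to end: access-list, class-map matching it, a class in a policy-map carrying the `sfr` action, and that policy-map applied with `service-policy` (globally, as in the original post, or per interface, as in the variation suggested above). The sample config is constructed from the snippets on this page with the indentation stripped, as it appears in the post.

```python
# Constructed sample, trimmed from the running-config posted above (indentation lost, as on the page).
SAMPLE_CONFIG = """\
access-list sfr_redirect extended permit ip any any
class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
class sfr
sfr fail-open
!
service-policy global_policy global
"""

def sfr_redirect_chain(config):
    """Return each link of the SFR redirect chain found in an ASA config; None marks a missing link."""
    acls, cmap_acl, pm_classes, svc = set(), {}, {}, {}
    cm = pm = cls = None                      # class-map / policy-map / class block currently open
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] in ("!", ":"):       # '!' ends a block; ':' lines are header comments
            cm = pm = cls = None
            continue
        if w[0] == "access-list":
            acls.add(w[1])
        elif w[0] == "class-map":
            cm, pm = w[-1], None
        elif w[0] == "match" and cm and w[1] == "access-list":
            cmap_acl[cm] = w[2]               # class-map -> ACL it matches on
        elif w[0] == "policy-map":            # 'policy-map type inspect ...' is not an MPF policy
            pm = None if w[1] == "type" else w[1]
            cm = cls = None
        elif w[0] == "class" and pm:
            cls = w[1]
        elif w[0] == "sfr" and pm and cls:    # 'sfr fail-open' / 'sfr fail-close' redirect action
            pm_classes.setdefault(pm, {})[cls] = raw.strip()
        elif w[0] == "service-policy":
            svc[w[1]] = " ".join(w[2:])       # 'global' or 'interface <nameif>'
    chain = dict(acl=None, class_map=None, policy_map=None, sfr_action=None, service_policy=None)
    for pm, classes in pm_classes.items():
        for cls, action in classes.items():
            chain.update(policy_map=pm, sfr_action=action, service_policy=svc.get(pm))
            if cls == "class-default":        # catch-all class: needs no class-map or ACL
                chain.update(class_map=cls, acl="(implicit any)")
            elif cmap_acl.get(cls) in acls:   # ACL name must exist, not just be referenced
                chain.update(class_map=cls, acl=cmap_acl[cls])
    return chain
```

Run it over a `show running-config` dump and any key still `None` is the link to fix; a redirect ACL that is referenced but never defined, or a policy-map never applied, shows up immediately.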

I forgot to state below that I actually edited the global policy class default and pointed it at Firepower and hence the traffic stats.  Maybe a bit brute force but seemed to get a result for the moment and traffic options to play with.

Thanks Philip,

I'm still a bit new to the Firepower element so not sure what I expect to see.  I believe I may actually be getting traffic passing through to the Firepower module as the Firepower memory has shot up to 80%, so I anticipate this is everything hitting the module.

I also logged into the SFR module and ran a show traffic-stats and I get the following, which are increasing.

> show traffic-statistics
-----------------[ Traffic Status ]-----------------
Name : kvm_ivshmem
Transmitted Bytes (TX) : 9577108
Recieved Bytes (RX) : 953301575
Dropped Packets : 0

I anticipate I need to start working through the different Firepower services to understand each component and how to implement.  I have found the attached PDF on CiscoLive which has some good explanation of various services and their functionality. BRKSEC-2028.pdf

Do you have any pointers on where to start?

Regards

David

It sounds like it is working to me now.
