Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1489
Views
0
Helpful
1
Replies

Cisco FIrepower IPS Module cannot reach outside to get critical updates

UtilidataIT
Level 1
Level 1

‎02-25-2015 02:49 PM - edited ‎03-12-2019 05:37 AM

I configured a Cisco Firepower IPS Module / Sourcefire IPS to run in my Cisco ASA 5515x. The IP address of the module is statically configured to be on the same /24 subnet as my My management port Gi0/0, and as well as the VMWare ESXi host running the Firesight Manager Center (both on same subnet).

From the Firepower Module (accessed through cli session on Cisco ASA), I can ping the Gi0/0 Gateway, and all other hosts on my Management VLAN, but I cannot reach outside. Since the IPS Module is essentially built into the Cisco ASA, there is no "source" interface to configure a ACL to allow the module to ping out. 

I even tried: config t --> icmp permit host 172.XX.XX.3 outside (where .3 is my IPS Module running atop the Cisco ASA) just to see if I can get ping to reach outside. I tried to ping 4.2.2.2, no reply.

How do I allow an internally hosted IPS module within the Cisco ASA to be able to reach out to the internet?

Labels:
0 Helpful
1 Reply 1

atatistc
Cisco Employee
Cisco Employee

‎03-01-2015 07:21 PM

Only the Defense Center needs to connect to the Internet for updates.  The SFR module does not connect to the Internet.  The only possible reason is if you are using FireAMP and have dynamic file analysis enabled.  Other than that, there's no reason to allow the SFR module to connect to anything other than the Defense Center (FMC).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card