
Does an ASA allow rule take precedence over a FirePower Deny rule

Travis-Fleming
Level 1

Hello,

I was able to read the below thread and it was very helpful, but it still didn't answer one question for me.

 

The setup is pretty standard I think. We have an ASA running FirePower Services. We have a DMZ with public facing services. So on the ASA side of things we NAT out DMZ to the internet, so we have access rules on the ASA that are saying things like "permit tcp any 192.168.1.20 eq 5050" as an example. So on the ASA we are allowing TCP port 5050 to that DMZ server.

 

Now our sfr FirePower forwarder ACL defines the traffic as any to any globally, so all traffic is being forwarded from our ASA to the FirePower service for inspection. I want to change that to just outside interface traffic. Then on the FirePower I want to only allow standard ports out to friendly geolocation networks for our general user browsing.

 

My question is this, if on the ASA I already have a rule allowing TCP port 5050 to 192.168.1.20 and I change my FirePower to only look at outside interface traffic, do I need to also make a rule on the FirePower to allow TCP port 5050 if my default action is to block? We have a plethora of hosted services on many different ports with specific ACLs allowing only what they need. I want to improve security by only allowing end users to browse the internet on known good ports to me. But I don't want to have to allow all the same ports on the FirePower I do on the ASA. To be clear, on the FirePower I wouldn't be making a rule to specifically deny TCP port 5050, it would be an implied rule with changing the default action to block, instead of allow and inspect which it is now. I hope this makes sense?

 

Previous thread I read which had good info, but not this specifically. Their question "if I have a rule to allow a port on the ASA, but later on the FirePower it's set to deny, which rule will win, the ASA or FirePower?"

https://community.cisco.com/t5/network-security/asa-access-rules-and-asa-firepower-access-control-rules/m-p/3773632#M1039639 


Travis-Fleming
Level 1

I may have found a better way to do this, but I'm still open for ideas. Currently on our ASA on the inside interface we allow any to any less secure network. I would add the ACL there to only allow the ports I want, deny everything else, then keep the FirePower as allow all without a deny.

 

Is that what others are doing?

With a Firepower service module on an ASA we generally keep the ASA ACLs as a "first pass" for security policy. Traffic comes in the interface where an ACL is applied and the ASA code allows or denies it accordingly. If it is allowed, it is later passed to the sfr module for IPS inspection (and possibly URL Filtering and File Policy (AMP)).

I seldom put any standard 5-tuple ACL in the Firepower service module and might even only have a default rule for Balanced Security and Connectivity with IPS policy. The Geoblocking and Security Intelligence categories are the other two most common rules in such a deployment.

Of course that all changes with FTD. (You didn't ask but just noting it for the benefit of other readers.) There I generally put an explicit default rule to Block all Traffic (after having allowed what's necessary).

That's what I was hoping to hear, thanks Marvin.
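The processing order discussed in this thread, as an added example that is not part of the original posts and is not Cisco code: a simplified Python model of the three checks (ASA interface ACL, sfr redirect ACL, module access control policy with its default action), assuming the module runs inline rather than monitor-only. The `Rule` type, the function names, the 192.168.1.0/24 DMZ subnet and the 443 allow rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit"/"deny" on the ASA, "allow"/"block" on the module
    proto: str                  # "tcp", "udp", or "ip" for any protocol
    dst: str                    # destination network in CIDR form
    port: Optional[int] = None  # None matches any port

def first_match(rules, proto, dst, port):
    """Return the action of the first rule matching the packet, or None."""
    for r in rules:
        if (r.proto in ("ip", proto)
                and ip_address(dst) in ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return None

def verdict(asa_acl, sfr_redirect, fp_rules, fp_default, proto, dst, port):
    # Stage 1: ASA interface ACL is the first pass; no match means implicit deny.
    if first_match(asa_acl, proto, dst, port) != "permit":
        return "dropped by ASA ACL"
    # Stage 2: only traffic matching the sfr redirect ACL is handed to the module.
    if first_match(sfr_redirect, proto, dst, port) != "permit":
        return "forwarded (not sent to module)"
    # Stage 3: module policy; the default action applies when no rule matches.
    action = first_match(fp_rules, proto, dst, port) or fp_default
    return "forwarded (inspected)" if action == "allow" else "dropped by FirePower"

# Constructed sample policy based on the values in the question.
ASA_ACL = [Rule("permit", "tcp", "192.168.1.20/32", 5050)]
REDIRECT_ALL = [Rule("permit", "ip", "0.0.0.0/0")]           # current any-to-any redirect
REDIRECT_NO_DMZ = [Rule("deny", "ip", "192.168.1.0/24"),     # assumed DMZ subnet excluded
                   Rule("permit", "ip", "0.0.0.0/0")]
FP_RULES = [Rule("allow", "tcp", "0.0.0.0/0", 443)]          # assumed browsing rule

if __name__ == "__main__":
    for name, redirect in (("redirect all", REDIRECT_ALL), ("redirect excludes DMZ", REDIRECT_NO_DMZ)):
        for default in ("allow", "block"):
            result = verdict(ASA_ACL, redirect, FP_RULES, default, "tcp", "192.168.1.20", 5050)
            print(f"{name:22} default={default:5} -> {result}")
```

In this model an ASA permit never overrides the module: traffic that is redirected must also be allowed by the module's policy, so a block default only spares the DMZ service when that flow is kept out of the redirect ACL.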
