cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1804
Views
5
Helpful
3
Replies

Does an ASA allow rule take precedence over a FirePower Deny rule

Travis-Fleming
Level 1
Level 1

Hello,

I was able to read the below thread and it was very helpful, but it still didn't answer one question for me.

 

The setup is pretty standard I think. We have an ASA running FirePower Services. We have a DMZ with public facing services. So on the ASA side of things we NAT out DMZ to the internet, so we have access rules on the ASA that are saying things like "permit tcp any 192.168.1.20 eq 5050" as an example. So on the ASA we are allowing TCP port 5050 to that DMZ server.

 

Now our sfr FirePower forwarder ACL defines the traffic as any to any globally, so all traffic is being forwarded from our ASA to the FirePower service for inspection. I want to change that to just outside interface traffic. Then on the FirePower I want to only allow standard ports out to friendly geolocation networks for our general user browsing.

 

My question is this, if on the ASA I already have a rule allowing TCP port 5050 to 192.168.1.20 and I change my FirePower to only look at outside interface traffic, do I need to also make a rule on the FirePower to allow TCP port 5050 if my default action is to block? We have a plethora of hosted services on many different ports with specific ACL's allowing only what they need. I want to improve security by only allowing end users to browse the internet on known good ports to me. But I don't want to have to allow all the same ports on the firepower I do on the ASA. To be clear on the FirePower I woudln't be making a rule to specifically deny TCP pot 5050, it would be an implied rules with changing the default action to block, instead of allow and inspect which it is now. I hope this makes sense?

 

Previous thread I read which had good info, but not this specifically. Their question "if I have a rule to allow a port on the ASA, but later on the FirePower it's set to deny, which rule will win, the ASA or FirePower?"

https://community.cisco.com/t5/network-security/asa-access-rules-and-asa-firepower-access-control-rules/m-p/3773632#M1039639 

1 Accepted Solution

Accepted Solutions

With a Firepower service module on an ASA we generally keep the ASA ACLs as a "first pass" for security policy. Traffic comes in the interface where an ACL is applied and the ASA code allows or denies it accordingly. If it is allowed, it is later passed to the sfr module for IPS inspection (and possibly URL Filtering and File Policy (AMP)).

I seldom put any standard 5-tuple ACL in the Firepower service module and might even only have a default rule for Balanced Security and Connectivity with IPS policy. The Geoblocking and Security Intelligence categories are the other two most common rules in such a deployment.

Of course that all changes with FTD. (You didn't ask but just noting it for the benefit of other readers.) There I generally put an explicit default rule to Block all Traffic (after having allowed what's necessary).

View solution in original post

3 Replies 3

Travis-Fleming
Level 1
Level 1

I may have found a better way to do this, but I"m still open for ideas. Currently on our ASA on the inside interface we allow any to any less secure network. I would add the ACL there to only allow the ports I want, deny everything else, then keep the FirePower as allow all without a deny.

 

Is that what others are doing?

With a Firepower service module on an ASA we generally keep the ASA ACLs as a "first pass" for security policy. Traffic comes in the interface where an ACL is applied and the ASA code allows or denies it accordingly. If it is allowed, it is later passed to the sfr module for IPS inspection (and possibly URL Filtering and File Policy (AMP)).

I seldom put any standard 5-tuple ACL in the Firepower service module and might even only have a default rule for Balanced Security and Connectivity with IPS policy. The Geoblocking and Security Intelligence categories are the other two most common rules in such a deployment.

Of course that all changes with FTD. (You didn't ask but just noting it for the benefit of other readers.) There I generally put an explicit default rule to Block all Traffic (after having allowed what's necessary).

That's what I was hoping to hear, thanks Marvin.

Review Cisco Networking for a $25 gift card