FirePower Access Policy vs ASA access list

William Stegman
Level 4

I'm looking to see if there are any caveats to consider when deploying a FirePower Access Policy that might conflict with an access list rule in the ASA. For example, if there is an access list rule that permits https traffic to siteA, and an Access Policy that prohibits https to siteA because siteA matches some criterion in an Access Policy (maybe geolocation, for example), which rule is used? Also, given the flexibility of Access Policy, is it ideal then to migrate away from access list rules, or is the idea to maintain two autonomous sets of rules?

Thank you,

Bill

Accepted Solution

Rishabh Seth
Level 7

Hi William,

The order of execution is as follows: first, the ASA ACL in the inward direction will be executed; then the allowed traffic will be evaluated against the redirection policy and will be sent to the SFR module for further inspection.

Once the packet is in the SFR module, the Access-policy will be evaluated and the traffic will either be permitted or dropped based on multiple checks.

The permitted traffic will then leave the ASA. In case you have an ACL on the ASA applied on the egress interface in the outward direction, that will also be evaluated.

At any stage of evaluation, traffic can be dropped.

 

Now, as far as using an ACL on the ASA and an Access-policy on the SFR is concerned, I would say it totally depends on your network deployment. You can use the ACL as a first level of filtering and then apply more granular policies using SFR access-policies.

Hope it helps!!!

Thanks,

R.Seth

Don't forget to mark the answer as correct if it helps in resolving your query!!!
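The evaluation order described in the accepted answer (ingress ACL, then the redirection policy, then the SFR access policy, then any egress ACL, with a drop possible at every stage) is easy to reason about as a chain of first-match stages. The following Python model is an added example, not code from the thread or from Cisco; the rule names, the `redirect_acl` stage standing in for the ASA service-policy that matches traffic for the SFR module, the SFR default action of block, the geolocation value `XX` and the sample flows are all constructed assumptions. It runs Bill's own scenario (ASA ACL permits https to siteA, FirePOWER policy blocks siteA on geolocation) and shows that the flow is dropped, and at which stage.

```python
"""Model of the evaluation order an ASA with a FirePOWER (SFR) module applies
to a flow: ASA ingress ACL -> SFR redirection -> SFR access policy ->
ASA egress ACL. Any stage may drop the flow; a flow is forwarded only if
every stage it passes through permits it. All names, rules and flows below
are constructed for illustration (not a real configuration)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str           # destination host name, e.g. "siteA"
    dst_port: int
    dst_country: str   # what the SFR geolocation lookup would return

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    match: Callable[[Flow], bool]
    name: str = ""

def first_match(rules: List[Rule], flow: Flow, default: str) -> Tuple[str, str]:
    """Cisco-style first-match evaluation with an implicit default at the end."""
    for r in rules:
        if r.match(flow):
            return r.action, r.name
    return default, "implicit-default"

def evaluate(flow: Flow, ingress_acl: List[Rule], redirect_acl: List[Rule],
             sfr_policy: List[Rule], egress_acl: Optional[List[Rule]] = None):
    """Return (verdict, trace); trace lists each stage reached and its decision."""
    trace = []
    # Stage 1: ASA ACL on the ingress interface (implicit deny at the end).
    action, name = first_match(ingress_acl, flow, "deny")
    trace.append(("asa-ingress-acl", action, name))
    if action == "deny":
        return "drop", trace
    # Stage 2: redirection policy. Only traffic matching the redirect ACL is
    # handed to the SFR module; everything else skips stage 3 entirely.
    action, name = first_match(redirect_acl, flow, "deny")
    redirected = action == "permit"
    trace.append(("sfr-redirect", "redirect" if redirected else "bypass", name))
    if redirected:
        # Stage 3: FirePOWER access control policy. Assumed default action: block.
        action, name = first_match(sfr_policy, flow, "deny")
        trace.append(("sfr-access-policy", action, name))
        if action == "deny":
            return "drop", trace
    # Stage 4: optional ACL on the egress interface, outbound direction.
    if egress_acl is not None:
        action, name = first_match(egress_acl, flow, "deny")
        trace.append(("asa-egress-acl", action, name))
        if action == "deny":
            return "drop", trace
    return "forward", trace

# Constructed rule sets mirroring the question: the ASA permits https to siteA,
# every flow is redirected to SFR, and SFR blocks anything geolocated to "XX".
INGRESS_ACL = [Rule("permit", lambda f: f.dst == "siteA" and f.dst_port == 443,
                    "permit-https-siteA")]
REDIRECT_ACL = [Rule("permit", lambda f: True, "redirect-all")]
SFR_POLICY = [Rule("deny", lambda f: f.dst_country == "XX", "block-geo-XX"),
              Rule("permit", lambda f: True, "allow-rest")]

def https_to_siteA_in_blocked_country():
    """Bill's scenario: ASA permits, SFR geolocation rule blocks -> dropped at SFR."""
    return evaluate(Flow("10.0.0.5", "siteA", 443, "XX"), INGRESS_ACL, REDIRECT_ACL, SFR_POLICY)

def https_to_siteA_in_allowed_country():
    """Same ASA rule, different geolocation -> both layers permit, forwarded."""
    return evaluate(Flow("10.0.0.5", "siteA", 443, "US"), INGRESS_ACL, REDIRECT_ACL, SFR_POLICY)

def ssh_to_siteA():
    """No ASA permit for port 22 -> implicit deny; SFR is never consulted."""
    return evaluate(Flow("10.0.0.5", "siteA", 22, "US"), INGRESS_ACL, REDIRECT_ACL, SFR_POLICY)

if __name__ == "__main__":
    for fn in (https_to_siteA_in_blocked_country, https_to_siteA_in_allowed_country, ssh_to_siteA):
        verdict, trace = fn()
        print(f"{fn.__name__}: {verdict}")
        for stage, decision, rule in trace:
            print(f"    {stage:20s} {decision:9s} ({rule})")
```

The trace for the first scenario ends at `sfr-access-policy`, which is the answer to the question: the ASA ACL and the FirePOWER policy are not in conflict, they are applied in sequence, and the more restrictive of the two decides. The third scenario shows the other half of the point: a flow the ASA denies never reaches the SFR module, so an SFR rule can never re-permit it.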

