05-01-2019 08:26 AM - edited 02-21-2020 09:05 AM
To simplify this as much as possible I have the following problem.
I have an FMC which can be accessed from a VLAN at a remote site (1 hop away). This VLAN has a Firepower Access Control Policy applied allowing a very specific set of applications, protocols, and ports to a set of servers, and then a Geographic rule set to allow internet traffic to trusted sources.
Everything seems to be in order, network scans show that devices in this VLAN can only access the resources I expect on the protocols I expect. However, devices on this VLAN are also able to reach my FMC web interface.
I have been through the rules multiple times and confirmed there is nothing present that would allow this network to reach the IP of the FMC. It's worth noting a few details:
Has anyone come across this before with Firepower?
I can add a rule to block the FMC traffic but this seems like a band-aid fix for something which shouldn't be happening. I can post some network diagrams if needed but can't post any configs as it's a production network.
05-01-2019 07:44 PM
Does your redirect ACL on the ASA include the affected traffic for inspection?
Have you checked the prefilter policy in the FMC to make sure you haven't bypassed Firepower inspection for this flow?
05-01-2019 01:43 PM
05-02-2019 08:31 AM - edited 05-02-2019 08:36 AM
Found the issue, I had excluded all FMC traffic from the ACL defining what traffic to send to Firepower due to it flagging its own traffic. Just removed the rule and everything is working as expected.
Thanks both and enjoy the weekend :)
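The root cause in this thread is the ASA redirect ACL (the `match access-list` on the Firepower service policy): it is evaluated top down, first match wins, and only flows hitting a `permit` entry are handed to the Firepower module, so a `deny` entry for the FMC address silently moves every flow to the FMC out of the Access Control Policy's reach. The following Python model is an added example, not code from the original thread or from Cisco; the addresses (FMC at 10.0.0.10, remote VLAN 10.20.30.0/24, a server at 10.0.0.50) and the sample flows are constructed. It shows the "before" ACL from the thread beside the "after" ACL the poster ended up with, plus a hypothetical third variant that keeps only the FMC-sourced exclusion, which the poster did not choose.

```python
"""Model of an ASA redirect ACL deciding which flows reach the Firepower module.

Semantics modelled (standard ASA ACL behaviour): entries are checked top down,
first match wins; 'permit' sends the flow to the module (Access Control Policy
applies), 'deny' or no match keeps the flow on the ASA only, so no ACP rule
ever sees it.  All addresses and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" (redirect to Firepower) or "deny" (skip)
    src: str               # CIDR/host ("10.0.0.10/32") or "any"
    dst: str
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _match_addr(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (_match_addr(flow.src, ace.src)
            and _match_addr(flow.dst, ace.dst)
            and (ace.dport is None or ace.dport == flow.dport))


def redirected(acl: List[Ace], flow: Flow) -> bool:
    """True if the flow is handed to the Firepower module for inspection."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action == "permit"
    return False  # implicit deny at the end: not redirected


def uninspected_flows(acl: List[Ace], flows: List[Flow],
                      sensitive_hosts: set) -> List[Flow]:
    """Flows to sensitive hosts (e.g. the FMC) that bypass the ACP entirely."""
    return [f for f in flows
            if f.dst in sensitive_hosts and not redirected(acl, f)]


FMC = "10.0.0.10"

# "Before": the poster excluded all FMC traffic, both directions, from redirect.
ACL_BEFORE = [
    Ace("deny", "any", f"{FMC}/32"),
    Ace("deny", f"{FMC}/32", "any"),
    Ace("permit", "any", "any"),
]

# "After": the exclusion removed, everything is inspected (the thread's fix).
ACL_AFTER = [Ace("permit", "any", "any")]

# Hypothetical alternative: exclude only traffic the FMC itself originates.
ACL_SCOPED = [
    Ace("deny", f"{FMC}/32", "any"),
    Ace("permit", "any", "any"),
]

# Constructed sample flows.
CLIENT_TO_FMC_WEB = Flow("10.20.30.5", FMC, 443)     # remote VLAN -> FMC GUI
CLIENT_TO_SERVER = Flow("10.20.30.5", "10.0.0.50", 443)
FMC_OUTBOUND = Flow(FMC, "10.0.0.50", 8305)          # FMC-originated flow
FLOWS = [CLIENT_TO_FMC_WEB, CLIENT_TO_SERVER, FMC_OUTBOUND]


if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER),
                      ("scoped", ACL_SCOPED)):
        gaps = uninspected_flows(acl, FLOWS, {FMC})
        print(f"{name}: flows to FMC bypassing the ACP = {gaps}")
```

Running it shows the "before" ACL letting the remote VLAN client reach the FMC web interface without any ACP rule being consulted, which is exactly why no amount of rule review in the FMC found a permit. Both the "after" and the scoped variant close that gap; the scoped one additionally keeps FMC-originated flows off the module, should the original reason for the exclusion still matter.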