Firepower FMC Accessible from VLAN it shouldn't be

James Seddon
Level 1

To simplify this as much as possible, I have the following problem.


I have an FMC which can be accessed from a VLAN at a remote site (1 hop away). This VLAN has a Firepower Access Control Policy applied allowing a very specific set of applications, protocols and ports to a set of servers, and then a Geographic rule set to allow internet traffic to trusted sources.


Everything seems to be in order, network scans show that devices in this VLAN can only access the resources I expect on the protocols I expect. However, devices on this VLAN are also able to reach my FMC web interface.


I have been through the rules multiple times and confirmed there is nothing present that would allow this network to reach the IP of the FMC. It's worth noting a few details:


  • We are using Firepower on Cisco ASA 5525X
  • All access controls for this VLAN are specified within Firepower; the ASA has an "Allow Any Any" on the interface (for now, still in testing)
  • The FMC is located at a remote site connected via L2 (dark fibre). This site reaches the local site via static route to the local ASA (the remote site also runs Firepower on an ASA 5525X) and vice versa. So nothing special there.


Has anyone come across this before with Firepower?


I can add a rule to block the FMC traffic, but this seems like a band-aid fix for something which shouldn't be happening. I can post some network diagrams if needed but can't post any configs as this is a production network.

Accepted Solution

Marvin Rhoads
Hall of Fame

Does your redirect ACL on the ASA include the affected traffic for inspection?

Have you checked the prefilter policy in the FMC to make sure you haven't bypassed Firepower inspection for this flow?


3 Replies

GRANT3779
Spotlight
Have you checked the connection events in FMC when accessing the GUI from this VLAN? You can then filter these IPs and it will show you which rule it is hitting.
Do you have a default action for your ACP?

Found the issue: I had excluded all FMC traffic from the ACL defining what traffic to send to Firepower, due to it flagging its own traffic. Just removed the rule and everything is working as expected.


Thanks both and enjoy the weekend :)
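For anyone landing here with the same symptom, the following is an added illustration of the mechanism behind the accepted answer and the final reply; it is not configuration from the original thread, and the ACL, class-map and policy-map names and the FMC address are assumed placeholders. On an ASA with the Firepower (SFR) module, only traffic matched by the redirect ACL referenced in the service policy is handed to the module for Access Control Policy evaluation. A `deny` entry in that ACL does not block the flow; it keeps the flow away from the module, so the ASA's own interface ACL (here "allow any any") is the only thing that decides it.

```cisco
! --- BEFORE: assumed config reproducing the symptom in the thread ---
! 192.0.2.10 stands in for the FMC management address (placeholder).
! These deny entries keep FMC traffic out of the SFR module, so the
! ASA interface ACL alone evaluates it and the VLAN reaches the FMC GUI.
access-list SFR_REDIRECT extended deny ip any host 192.0.2.10
access-list SFR_REDIRECT extended deny ip host 192.0.2.10 any
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
service-policy global_policy global

! --- AFTER: the fix described in the final reply ---
! Remove the exclusion so flows to and from the FMC are redirected too;
! the Access Control Policy in FMC then decides whether the VLAN may reach it.
no access-list SFR_REDIRECT extended deny ip any host 192.0.2.10
no access-list SFR_REDIRECT extended deny ip host 192.0.2.10 any
! SFR_REDIRECT now contains only:
!   access-list SFR_REDIRECT extended permit ip any any
```

To confirm which path a flow takes, `show access-list SFR_REDIRECT` shows a hit count per entry; a rising count on a `deny` line while you browse to the FMC from the VLAN means that flow never reaches the module, which is exactly the case GRANT3779's connection-event check would have shown as no matching event at all. Marvin's second question covers the same bypass when it is configured on the FMC side: a prefilter policy rule that fastpaths traffic to the FMC address has the same effect, so check that too. If the original reason for the exclusion (the module flagging its own management traffic) comes back, a narrower exclusion limited to the specific management flow is preferable to excluding all traffic to the FMC host.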
