03-25-2019 10:54 PM
Hi, All,
I have an ASA 5525 with SFR and Firepower. The license expired and I cannot renew it at this time. My question: can I skip the policy rules in Firepower and allow users to access some websites blocked by the access rule, and can I give the management to the ASA appliance and control the users' access to websites by the CLI access list?
Your cooperation is appreciated.
03-26-2019 08:15 PM
The Firepower service module evaluates traffic based on its configured ACP and the fact that the ASA redirected traffic to it via the service policy + policy map + class map configuration.
If you just remove the service policy from the ASA configuration, it will bypass the module altogether (along with any rules configured on it).
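As an added illustration (not from the thread), this is what that redirection typically looks like on the ASA, and a narrower way to take the module out of the traffic path than deleting the whole service policy; the class-map and policy-map names are the usual defaults and are assumptions about this box:

```cisco
! Typical redirection of traffic to the SFR module (names assumed)
class-map sfr-class
 match any
!
policy-map global_policy
 class sfr-class
  sfr fail-open
!
service-policy global_policy global
!
! To stop sending traffic to the module without removing the rest of
! global_policy (for example the default protocol inspections that
! usually live in the same policy map), remove only the sfr action:
policy-map global_policy
 class sfr-class
  no sfr fail-open
!
! Verify the module is no longer referenced in the applied policy
show service-policy
```

Once the sfr action is gone, only the ASA's own access-groups decide what users can reach, so the CLI ACL approach in the other reply applies.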
03-26-2019 12:26 AM
Hi,
You can do this with an ASA access list: disable the rule in the ACP and create an ACL like the one below on the ASA,
for example to block some FQDNs:
!
! FQDN objects are resolved by the ASA itself, so DNS lookup must be
! enabled (interface name and name-server address are examples)
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 8.8.8.8
!
object network google.com
 fqdn google.com
object network cisco.com
 fqdn cisco.com
!
object-group network DOMAIN-BLOCK
 network-object object google.com
 network-object object cisco.com
!
! deny the blocked domains, then explicitly permit everything else;
! without the permit line the implicit deny at the end blocks all traffic
access-list INSIDE extended deny ip any object-group DOMAIN-BLOCK
access-list INSIDE extended permit ip any any
!
access-group INSIDE in interface Inside
Hope this helps,
Abheesh
03-26-2019 02:03 AM
Thanks for the reply, but I mean that the Firepower rule denies some websites and I can't change the rule because the license expired. I need to bypass the module so the traffic is managed by the ASA CLI.
Thanks
03-26-2019 10:55 AM