How do I duplicate the traffic from the ASA 5506-X to the FirePOWER module?

kelvin.lui11

Hi all,

I created a service policy rule and enabled ASA FirePOWER inspection, but I can't see any traffic in the FirePOWER module. How do I duplicate the traffic from the ASA 5506-X to the FirePOWER module? Also, how do I monitor the traffic in FirePOWER? My config is below. Thank you.


kelvin.lui11

hostname ciscoasa
! NOTE(review): the next line is an encrypted enable-password hash pasted into a public forum thread.
! Redact credentials (and ideally externally reachable addresses) before sharing a running-config.
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.1.90 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
! NOTE(review): "inside2" is at security-level 0, the same level as "outside", and has no IP address.
! With "same-security-traffic permit inter-interface" enabled further down, this interface is treated
! as untrusted rather than as a second inside segment - confirm that is intended.
nameif inside2
security-level 0
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
! NOTE(review): management-only with no IP address; on the 5506-X this port is presumably the one the
! FirePOWER module uses for its own management. The module's management IP is not visible in this config.
management-only
nameif Manage
security-level 0
no ip address
!
ftp mode passive
clock timezone HKST 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! NOTE(review): obj_any and abcd describe the same subnet. Of the objects and object-groups below, only
! obj_any (in the NAT statement) and the DM_INLINE_SERVICE_* groups (in the ACLs) are referenced anywhere
! visible in this config; the rest appear to be leftovers and could be removed to keep the policy readable.
object network obj_any
subnet 10.10.1.0 255.255.255.0
object network abcd
subnet 10.10.1.0 255.255.255.0
object network qwert
subnet 192.168.1.0 255.255.255.0
object network source
range 10.10.1.2 10.10.1.100
object network aaaa
range 192.168.1.91 192.168.1.254
object network jjjjj
host 192.168.1.90
object network TestNet1
subnet 3.3.3.0 255.255.255.0
object network bbbb
range 192.168.1.1 192.168.1.89
object-group network d
network-object object aaaa
object-group network abcde
network-object object abcd
object-group network qwer
network-object object qwert
object-group network sourceaddress
network-object object source
object-group network s
network-object 10.10.1.0 255.255.255.0
! NOTE(review): every DM_INLINE_SERVICE_* group starts with "service-object ip", which already matches
! all IP traffic; the more specific icmp/tcp/udp entries that follow it in each group are redundant.
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object icmp6
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp destination eq www
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp-udp destination eq echo
service-object tcp-udp destination eq www
service-object tcp destination eq echo
service-object tcp destination eq www
service-object icmp echo
service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp
service-object icmp echo
service-object tcp-udp destination eq www
service-object tcp destination eq echo
service-object tcp destination eq https
service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object icmp echo
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp
service-object icmp echo
service-object tcp-udp destination eq www
object-group network DM_INLINE_NETWORK_1
network-object object aaaa
network-object object jjjjj
! NOTE(review): because the referenced service groups contain "service-object ip", the three ACLs applied
! below (global_access, inside_access_in, outside_access_in) are effectively "permit ip any any".
! In particular outside_access_in is applied inbound on the outside interface, so nothing in the ACL
! restricts what may enter from the outside network - review whether that is the intended posture.
access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any any
access-list allow_ping_outside extended permit object-group DM_INLINE_SERVICE_4 any interface outside
access-list allow_ping extended permit object-group DM_INLINE_SERVICE_5 any any
! NOTE(review): sfr-direct, allow_ping_outside and allow_ping are not referenced by any access-group,
! class-map or other statement visible in this config. sfr_redirect is used by class-map "sfr" below.
access-list sfr-direct extended permit ip any any
access-list sfr_redirect extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu Manage 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
! NOTE(review): "icmp permit any outside" already permits every ICMP type from any source to the
! outside interface itself, so the six more specific outside lines after it are redundant; likewise
! "icmp permit any inside" covers the 10.10.1.0/24 inside line. Consider whether to-the-box ICMP from
! any source on the outside interface should be limited to the types and sources actually needed.
icmp permit any outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit 192.168.1.0 255.255.255.0 outside
icmp permit 10.10.1.0 255.255.255.0 outside
icmp permit any inside
icmp permit 10.10.1.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside,outside) after-auto source dynamic obj_any interface dns
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
!
! NOTE(review): route-map "abc" matches on the global_access ACL and is not applied to anything visible
! in this config; it looks like a leftover experiment.
route-map abc permit 1
match ip address global_access
match ip next-hop global_access

!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
! NOTE(review): 192.168.1.0/24 is the subnet configured on the outside interface, yet it is permitted
! for ASDM/HTTPS on "inside" here - probably a mismatch. The inside subnet (10.10.1.0/24) entry is fine.
http 192.168.1.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy

! NOTE(review): no "telnet <net> <interface>" line is present, so telnet access is not actually
! permitted despite the timeout setting below.
telnet timeout 5
! NOTE(review): "no ssh stricthostkeycheck" disables host-key verification for SSH/SCP sessions the ASA
! itself initiates, which weakens protection against a spoofed peer - presumably set for convenience.
no ssh stricthostkeycheck
! NOTE(review): SSH management is allowed from the whole outside subnet. If management from the outside
! interface is really needed, narrow this to the specific admin hosts.
ssh 192.168.1.0 255.255.255.0 outside
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
! NOTE(review): dh-group1-sha1 is a 1024-bit Diffie-Hellman group with SHA-1 and is considered weak;
! "ssh key-exchange group dh-group14-sha1" is the stronger option where the software release supports it,
! and restricting the server to SSHv2 ("ssh version 2") is advisable if it is not already the default here.
ssh key-exchange group dh-group1-sha1
! NOTE(review): a console timeout of 0 means console sessions never time out.
console timeout 0
management-access inside

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map global-class
match default-inspection-traffic
class-map inside-class
match default-inspection-traffic
! NOTE(review): class "sfr" (matching sfr_redirect) is only used by policy-map pm-sfr, which is never
! applied with a service-policy (see the end of this config).
class-map sfr
match access-list sfr_redirect
! NOTE(review): "inspection_default" normally matches default-inspection-traffic; here it matches any.
class-map inspection_default
match any
! NOTE(review): firepower_class_map and inspection_default_class_map have no match statement and are
! not referenced by any policy-map below.
class-map firepower_class_map
class-map outside-class
match default-inspection-traffic
class-map inspection_default_class_map
class-map global-class1
match any
!
!
! NOTE(review): preset_dns_map is defined but no "inspect dns preset_dns_map" statement references it;
! in fact global_policy (the only policy applied) contains no "inspect" statements at all, so the usual
! default application inspections are not enabled - assuming this is the complete running-config.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
! NOTE(review): global_policy is the only policy-map bound by a service-policy (bottom of config).
! Its class global-class1 matches all traffic and hands it to the SFR module with "fail-open monitor-only",
! i.e. the passive-copy mode, so this is the statement that is currently feeding the module. If the module
! still shows nothing, verify that the module itself is up and has a deployed access-control policy
! ("show module sfr details") rather than adding further redirect statements here.
policy-map global_policy
class inspection_default
user-statistics accounting
class global-class1
sfr fail-open monitor-only
user-statistics accounting
! NOTE(review): pm-sfr would redirect the "sfr" class inline (fail-open, not monitor-only) but is not
! applied anywhere. Applying both an inline and a monitor-only SFR action on the same device is, as far as
! I recall, not supported - pick one mode and remove the other definition to avoid confusion.
policy-map pm-sfr
class sfr
sfr fail-open
! NOTE(review): outside-policy, global-policy and inside-policy below are not applied by any
! service-policy either. Note the near-identical names "global-policy" (unused) and "global_policy" (applied).
policy-map outside-policy
class outside-class
inspect icmp
inspect icmp error
policy-map global-policy
class global-class
inspect icmp
policy-map inside-policy
class inside-class
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:91973a1020f281b128749f37b28d0e82
: end
