How do I see Firepower traffic in FireSIGHT?

kelvin.lui11
Level 1

Hi all,

After I set the traffic through the module and added the Firepower device to the Defense Center, Analysis > Context Explorer shows me no data. Can I see the traffic in the Defense Center?

Thank you


21 Replies

kelvin.lui11
Level 1

Hi,

Try changing the time window in the top right corner from 1 hour to the last week or so and see if that works.

Also check under the access control policy: do you see any logging enabled?

Do you see connections under Analysis > Connections?

Regards,

Aastha Bhardwaj

Rate if that helps!!!

No changes in context explorer.

I had enabled the logging.

Plus, why is my Firepower configuration button missing in ASDM after I added the device to the Defense Center?

Thanks

Hi,

You can only manage the device either by ASDM or by the Defense Center, not both, so that is expected. Do you see connection events under Analysis > Connections?

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi,

I can see there is 1 connection.

But I was wondering how to copy the traffic to the Firepower module?

hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.1.90 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
nameif inside2
security-level 0
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif Manage
security-level 0
no ip address
!
ftp mode passive
clock timezone HKST 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 10.10.1.0 255.255.255.0
object network abcd
subnet 10.10.1.0 255.255.255.0
object network qwert
subnet 192.168.1.0 255.255.255.0
object network source
range 10.10.1.2 10.10.1.100
object network aaaa
range 192.168.1.91 192.168.1.254
object network jjjjj
host 192.168.1.90
object network TestNet1
subnet 3.3.3.0 255.255.255.0
object network bbbb
range 192.168.1.1 192.168.1.89
object-group network d
network-object object aaaa
object-group network abcde
network-object object abcd
object-group network qwer
network-object object qwert
object-group network sourceaddress
network-object object source
object-group network s
network-object 10.10.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object icmp6
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp destination eq www
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp-udp destination eq echo
service-object tcp-udp destination eq www
service-object tcp destination eq echo
service-object tcp destination eq www
service-object icmp echo
service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp
service-object icmp echo
service-object tcp-udp destination eq www
service-object tcp destination eq echo
service-object tcp destination eq https
service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object icmp echo
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp
service-object icmp echo
service-object tcp-udp destination eq www
object-group network DM_INLINE_NETWORK_1
network-object object aaaa
network-object object jjjjj
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object tcp-udp destination eq www
service-object tcp destination eq https
access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any any
access-list allow_ping_outside extended permit object-group DM_INLINE_SERVICE_4 any interface outside
access-list allow_ping extended permit object-group DM_INLINE_SERVICE_5 any any
access-list ASASFR extended permit tcp any any eq www
access-list sfr-direct extended permit ip any any
access-list sfr_redirect extended permit ip any any
access-list firepower extended permit object-group DM_INLINE_SERVICE_6 any any
access-list SFR extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu Manage 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit 192.168.1.0 255.255.255.0 outside
icmp permit 10.10.1.0 255.255.255.0 outside
icmp permit any inside
icmp permit 10.10.1.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside,outside) after-auto source dynamic obj_any interface dns
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
!
route-map abc permit 1
match ip address global_access
match ip next-hop global_access

!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure

telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map SFR
match access-list SFR
class-map global-class
match default-inspection-traffic
class-map my-sfr-class
match access-list ASASFR
class-map inside-class
match default-inspection-traffic
class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
class-map firepower_class_map
match access-list firepower
class-map outside-class
match default-inspection-traffic
class-map inspection_default_class_map
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class SFR
sfr fail-open
class firepower_class_map
sfr fail-open
class inspection_default
inspect dns
inspect esmtp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect ip-options
inspect netbios
inspect tftp
policy-map pm-sfr
class sfr
sfr fail-open
policy-map outside-policy
class outside-class
inspect icmp
inspect icmp error
policy-map global-policy
class global-class
inspect icmp
policy-map inside-policy
class inside-class
inspect icmp
inspect icmp error
policy-map my-sfr-policy
class my-sfr-class
sfr fail-close
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:4cfe287fc9e033d86dbbe6d627f048cf
: end

Here is the config of my ASA 5506-X firewall,

but the traffic is not normal.

When I SSH to the Firepower module it shows me this:

The transmitted bytes are the same as the received bytes... is it normal?

Hi,

Could you check if the below command shows counters incrementing, which will indicate that the module is getting the traffic:

#show service-policy sfr

Also, while running show conn on the ASA, do you see the X flag showing that traffic is inspected by SFR?

Rate if it helps.

Thanks,

Ankita

Here are my show service-policy sfr and show conn outputs, as above.

Please help.

Thank you

Hi,

I can see that you have multiple class-maps for SFR bound to policy-maps, which is a wrong practice, and also in show service-policy sfr I don't see any traffic being redirected.

Remove all the class-maps under the policy-maps for SFR. Just create one class-map like below:

access-list SFR extended permit ip any any
class-map SFR
match access-list SFR
policy-map global_policy
class SFR
sfr fail-open

Refer: http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html

Regards,

Aastha Bhardwaj

Rate if that helps!!!
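The point above is easy to check mechanically. As an added illustration (a hypothetical helper written for this thread, not code from the thread or from Cisco), this Python script parses the policy-map, class and service-policy lines of an ASA config and reports policy-maps in which more than one class redirects to the SFR module, plus SFR classes that sit in a policy-map no service-policy applies; the embedded sample is a constructed excerpt of the config posted earlier in the thread.

```python
"""Lint ASA MPF config for SFR redirection mistakes: hypothetical helper written for
this thread, not Cisco code. Flags policy-maps with more than one class redirecting
to the SFR module, and SFR classes in a policy-map that no service-policy applies."""
from collections import defaultdict

# Constructed excerpt of the MPF section of the config posted in the thread.
SAMPLE_CONFIG = """\
policy-map global_policy
 class SFR
  sfr fail-open
 class firepower_class_map
  sfr fail-open
policy-map my-sfr-policy
 class my-sfr-class
  sfr fail-close
!
service-policy global_policy global
"""

def parse_mpf(config):
    """Return ({policy_map: {class: [actions]}}, {policy_maps a service-policy applies}).
    Only the first word of each line matters, so an indentation-stripped paste parses too."""
    policies, applied, policy, cls = defaultdict(dict), set(), None, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":    # blank line or "!" separator ends a block
            policy = cls = None
        elif words[0] == "policy-map":      # "policy-map type inspect ..." has no classes
            policy, cls = (None if words[1] == "type" else words[1]), None
        elif words[0] == "class" and policy:
            cls = words[1]
            policies[policy][cls] = []
        elif words[0] == "service-policy":  # "service-policy NAME global|interface X"
            applied.add(words[1])
        elif policy and cls:
            policies[policy][cls].append(" ".join(words))
    return policies, applied

def sfr_findings(config):
    """List redirection problems; an empty list means the SFR MPF looks sane."""
    policies, applied = parse_mpf(config)
    findings = []
    for policy, classes in policies.items():
        sfr_classes = [c for c, acts in classes.items()
                       if any(a.startswith("sfr ") for a in acts)]
        if sfr_classes and policy not in applied:
            findings.append(f"{policy}: classes {sfr_classes} redirect to sfr but no service-policy applies this policy-map")
        if len(sfr_classes) > 1:
            findings.append(f"{policy}: {len(sfr_classes)} classes redirect to sfr; keep exactly one")
    return findings
```

Run it over the full config above and the two findings match what the accepted answer says: global_policy redirects from two classes, and my-sfr-policy is never applied.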

Hi Aastha,

Do you mean I should remove these commands?

class-map global-class
match default-inspection-traffic
class-map my-sfr-class
match access-list ASASFR
class-map inside-class
match default-inspection-traffic
class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
class-map firepower_class_map
match access-list firepower
class-map outside-class
match default-inspection-traffic
class-map inspection_default_class_map

policy-map outside-policy
class outside-class
inspect icmp
inspect icmp error
policy-map global-policy
class global-class
inspect icmp
policy-map inside-policy
class inside-class
inspect icmp
inspect icmp error
policy-map my-sfr-policy
class my-sfr-class
sfr fail-close

Thank you

Hi,

The traffic redirection doesn't seem to be working, which is why you are not able to see traffic on the management centre.

Try configuring only one class-map, bind it to a service policy, and then check if the traffic shows up.

Rate if it helps.

Thanks

Ankita
