12-29-2020 11:16 AM
Hello,
I have an ASA 5545 with Firepower services. In the ASA we have the Service Policy Rule as shown:
From the LAN network to the Management network and vice versa, then bypass;
From any to any, then send to the SFR device.
In this case all the traffic that doesn't match the first rule is sent to the module to apply internet access control rules, among others.
My question is:
When will the access control rules created in the ASA be applied? Before or after the traffic goes to the SFR? Or won't they be applied at all?
For example: suppose that the ASA allows HTTPS access from the outside network to server A, but not to server B.
What if I have a rule in the SFR where HTTPS traffic is allowed from the outside to servers A and B?
Will traffic to server B be allowed?
Thank you.
Luigi.
12-29-2020 12:47 PM
The ASA access-list will be checked first, then SFR, and then ASA again on the way out. Same principle applies to the FTD.
12-30-2020 10:43 AM
Thank you Marius,
So in the example above, do you mean that traffic from outside to server B should not be allowed?
Another example: imagine that the ASA allows only traffic from server AA in the DMZ to the outside, and any other access is denied; and the SFR allows traffic from the pool of DMZ servers (including server AA and server BB) to the outside. In this specific case,
will the traffic from server BB to the outside be banned?
Thank you
01-01-2021 01:46 PM
So in the example above, do you mean that traffic from outside to server B should not be allowed?
That is correct.
Imagine that the ASA allows only traffic from server AA in the DMZ to the outside, and any other access is denied; and the SFR allows traffic from the pool of DMZ servers (including server AA and server BB) to the outside. In this specific case,
will the traffic from server BB to the outside be banned?
BB will not be allowed if the ASA ingress interface access-list does not allow the traffic. Again, the access-list on the ingress interface will be checked first, then SFR, followed by the ASA egress interface access-list.
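To make the ordering Marius describes concrete for Luigi's first example (outside to server A allowed, server B not), here is an added ASA configuration sketch. It is not from the thread or from Cisco documentation; the interface names, ACL names, class/policy names and all addresses (server A 10.1.1.10, server B 10.1.1.11, LAN 192.168.10.0/24, management 192.168.100.0/24, outside client 203.0.113.5) are assumptions for illustration. The ingress ACL is applied with access-group on the outside interface; the service policy that redirects to the module matches a separate ACL in which deny lines simply mean "do not redirect", which is how the LAN-to-management bypass is expressed.

```cisco
! Added example (not from the thread): ASA 5545-X with SFR module, all addresses assumed.
!
! Ingress ACL on the outside interface: only server A (10.1.1.10) may receive HTTPS.
! This ACL is evaluated when the packet enters the ASA, before the service policy
! hands the flow to the SFR module, so a flow denied here never reaches SFR.
! (ASA 8.3 and later: interface ACLs match the real, untranslated addresses.)
access-list outside_in extended permit tcp any host 10.1.1.10 eq https
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Redirect ACL used by the class-map. A 'deny' entry here is not a drop; it means
! "this traffic does not match the class", so LAN <-> management traffic bypasses the
! module while everything else (permit ip any any) is sent to SFR.
access-list sfr_redirect extended deny ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list sfr_redirect extended deny ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list sfr_redirect extended permit ip any any
!
class-map sfr_class
 match access-list sfr_redirect
!
policy-map global_policy
 class sfr_class
  sfr fail-open
!
service-policy global_policy global
!
! Check: trace a hypothetical HTTPS SYN from an assumed outside client to each server.
! The trace to 10.1.1.11 (server B) is dropped in the ACCESS-LIST phase and never
! reaches the SFR phase, whatever the SFR access control policy says about server B.
! The trace to 10.1.1.10 (server A) passes ACCESS-LIST and is then redirected to SFR.
packet-tracer input outside tcp 203.0.113.5 40000 10.1.1.10 443 detailed
packet-tracer input outside tcp 203.0.113.5 40000 10.1.1.11 443 detailed
```

Two practitioner caveats on this layout. First, `sfr fail-open` means that if the module is down or not responding, traffic that the ASA ACL permits is forwarded without inspection; use `sfr fail-close` if the SFR policy is the only control on that path. Second, because the ASA ACL is checked first, an SFR rule that permits server B is simply dead policy until the ASA ACL is widened, so keep the two rule sets in step rather than relying on the module to open holes the ASA has closed.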
01-04-2021 02:08 PM
Thank you Marius