1736 Views, 5 Helpful, 4 Replies

Question about SFR device bypass

Hello,

I have an ASA 5545 with Firepower services. In the ASA we have the Service Policy Rule as shown:

From LAN Network to Management Network and vice versa, then bypass;

From any to any, then send to the SFR device.

In this case all the traffic that doesn't match the rule is sent to the module to apply internet access control rules, among others.

My question is:

When will the access control rules created in the ASA be applied? Before or after the traffic goes to the SFR? Or won't they be applied?

For example: suppose that the ASA allows HTTPS access from the Outside network to server A, but not to server B.

What if I have a rule in the SFR where HTTPS traffic is allowed from the Outside to servers A and B?

Will traffic to server B be allowed?

Thank you.

Luigi.

1 Accepted Solution

So in the example above, do you mean that traffic from outside to server B should not be allowed?

That is correct.

Imagine that the ASA allows only traffic from server AA in DMZ to the outside, any other access is denied; and the SFR allows traffic from the pool of DMZ servers (including server AA and server BB) to the outside. In this specific case, will the traffic from server BB to the outside be banned?

BB will not be allowed if the ASA ingress interface access-list does not allow the traffic. Again, the access-list on the ingress interface will be checked first, then SFR, followed by the ASA egress interface access-list.

--
Please remember to select a correct answer and rate helpful posts
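The ordering Marius describes, as an added ASA configuration example (not from the original thread and not Cisco's own documentation): the ACL on the outside interface permits HTTPS only to server A, while the service policy redirects everything except LAN-to-Management traffic to the SFR module. Object names, interface names and addresses are constructed placeholders, and the SFR access control policy itself lives in FMC/ASDM and is not shown. Because the ingress ACL is evaluated before redirection, HTTPS to server B is dropped by the ASA even if the SFR policy would permit it.

```cisco
! Constructed example: names and addresses are placeholders, not from the thread.
object network ServerA
 host 192.0.2.10
object network ServerB
 host 192.0.2.20
!
! Stage 1: ingress ACL on the outside interface, evaluated before any SFR redirect.
! Only HTTPS to ServerA is permitted. HTTPS to ServerB hits the implicit deny here
! and never reaches the module, whatever the SFR access control policy says.
access-list outside_in extended permit tcp any object ServerA eq 443
access-group outside_in in interface outside
!
! Stage 2: selection of traffic for the SFR module.
! deny  = bypass the module (LAN <-> Management, placeholder subnets)
! permit = redirect to the SFR (everything else)
access-list sfr_redirect extended deny ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list sfr_redirect extended deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list sfr_redirect extended permit ip any any
!
class-map sfr_class
 match access-list sfr_redirect
!
policy-map global_policy
 class sfr_class
  sfr fail-open
!
service-policy global_policy global
```

Hit counts from `show access-list outside_in` confirm a ServerB flow is dropped at stage 1 before the `show service-policy sfr` counters would register it.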

4 Replies

The ASA access-list will be checked first, then SFR, and then ASA again on the way out. Same principle applies to the FTD.

--
Please remember to select a correct answer and rate helpful posts

Thank you Marius,

So in the example above, do you mean that traffic from outside to server B should not be allowed?

Another example: imagine that the ASA allows only traffic from server AA in DMZ to the outside, any other access is denied; and the SFR allows traffic from the pool of DMZ servers (including server AA and server BB) to the outside. In this specific case, will the traffic from server BB to the outside be banned?

Thank you


Thank you Marius
