Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1678
Views
5
Helpful
4
Replies

Question about SFR device bypass

Go to solution
LuigiDiFronzo9542
Level 1
Level 1

‎12-29-2020 11:16 AM

Hello,

 

I have an ASA 5545 with Firepower services, In the ASA we have the Service Policy Rule as show:

From Lan Network to Management Network and viceversa then bypass,

From any to any then send to the SFR device.

 

In this case all the trafic that doesn't match the rule is sent to the module for apply internet acces control rules among others.

My question is:

When will be applied the Access control Rules created in the ASA? before or after the traffic goes to the SFR? or won't be applied?  

For example: Suppose that the ASA allows the access Https from the Outside Network to Server A, but not to server B.

What If I have a rule in the SFR where Https traffic is allowed from the Outside to the server A and B?

Will traffic to the server B allowed?

 

Thank you.

 

Luigi. 

1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to LuigiDiFronzo9542

‎01-01-2021 01:46 PM

So in the example above, do you mean that traffic from outside to server B should not be allowed?

That is correct.

Imagine that the ASA allows only traffic from server AA in DMZ to the outside, any other access is denied; and the SFR allows traffic from the pool of DMZ servers (including server AA and server BB) to the outside. In this especific case,
will the traffic from server BB to the outside be banned?

BB will not be allowed if the ASA ingress interface access-list does not allow the traffic.  Again, the access-list on the ingress interface will be checked first, then SFR, followed by the ASA egress interface access-list

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marius Gunnerud
VIP
VIP

‎12-29-2020 12:47 PM

The ASA access-list will be checked first, then SFR, and then ASA again on the way out.  Same principle applies to the FTD.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
LuigiDiFronzo9542
Level 1
Level 1
In response to Marius Gunnerud

‎12-30-2020 10:43 AM

Thank you Marius,

 

So in the example above, do you mean that traffic from outside to server B should not be allowed?


Another example: Imagine that the ASA allows only traffic from server AA in DMZ to the outside, any other access is denied; and the SFR allows traffic from the pool of DMZ servers (including server AA and server BB) to the outside. In this especific case,
will the traffic from server BB to the outside be banned?

 

Thank you

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to LuigiDiFronzo9542

‎01-01-2021 01:46 PM

So in the example above, do you mean that traffic from outside to server B should not be allowed?

That is correct.

Imagine that the ASA allows only traffic from server AA in DMZ to the outside, any other access is denied; and the SFR allows traffic from the pool of DMZ servers (including server AA and server BB) to the outside. In this especific case,
will the traffic from server BB to the outside be banned?

BB will not be allowed if the ASA ingress interface access-list does not allow the traffic.  Again, the access-list on the ingress interface will be checked first, then SFR, followed by the ASA egress interface access-list

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
LuigiDiFronzo9542
Level 1
Level 1
In response to Marius Gunnerud

‎01-04-2021 02:08 PM

Thank you Marius

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card