Security Global Forum for ASA and FTD Topics - AMA

ciscomoderator (Community Manager)



This event is a chance to discuss Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products: management, installation, configuration, implementation, use, and integration with other devices within your network. Learn the best practices for making the most of the advanced firewall settings, as well as the best practices for troubleshooting common issues. This forum event also works well as an introduction for those who are not yet familiar with these security tools and have recently started using them.

To participate in this event, please use the Reply button below to ask your questions.

Ask questions from Tuesday, January 12 to Friday, January 22, 2021

Featured experts
Berenice Guerra Martinez is a Technical Consulting Engineer at the Cisco Global Technical Assistance Center (TAC) for Security - Next Generation Firewall (NGFW). She specializes in Threat Detection, ASA and Firepower configuration and best practices, and Firepower integrations. Berenice has a bachelor's degree in electronic engineering with a cybersecurity specialization and is a Telecommunications Technician. She holds three different Cisco certifications: CCNA R&S, CyberOps Associate, and DevNet Associate.

Namit Agarwal is a Technical Marketing Engineer in the Security Business Group. He is based out of Toronto, Canada. He partners closely with our platform product management team and leads critical technical enablement engagements. He joined Cisco in 2009 and has held multiple positions, most recently working as a Technical Leader with the Security CX team in Bangalore, India. In that role, he worked on escalations, led serviceability initiatives for product improvement, and drove engagements with the NGFW sales teams. He is a CCIE n°33795 Security and has experience with multiple Cisco Security solutions such as Cisco Firewalls, IPS, VPN, and Cloud Security.

Ilkin Gasimov is a Technical Consulting Engineer in the Cisco Global TAC for Security - NGFW. He joined the TAC team in 2017 and since then has mainly been focused on supporting Cisco NGFW platforms and on the collaboration with the Cisco Business Unit to contribute to the NGFW product quality improvement. He has also delivered troubleshooting sessions to partners and customers. Before joining Cisco, he had hands-on experience with Cisco ASA firewalls in enterprise and mobile networking environments. He has held the CCIE n°54979 Security certification since 2016.

Ricardo Diez Gutierrez Gonzalez is a Technical Consulting Engineer at the Cisco HTTS TAC for Security - NGFW - ASA - VPN. He joined Cisco six years ago. He belonged to the incubator program for six months, achieving his CCNA, and then became a full-time engineer. Later he obtained his Specialist NGFW and CCNP Security certifications. He is currently studying for the CCIE exam.

For more information, visit the Security Discussions category.
Find further events on the Security Events list.


Hello Namit,

I really appreciate your reply. Got it. I have enabled the option you mentioned and then I was able to add my local user to an Access Control Policy.



Please correct me if I am wrong. In order for the Access Control Policy for local users to take effect, I disabled the "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" option in the Remote Access VPN configuration, and it worked.

But when I disabled this option, it removed "sysopt permit-vpn" from the global config, so it also impacted the site-to-site VPNs that I have on the same device. Is this expected behavior?

I would really appreciate your help again.

Hi. You are right, that is a global setting which applies to all types of VPN connections (site-to-site and remote access VPN). It is the same behaviour as on the ASA, where enabling/disabling that command had an impact on both remote access and site-to-site VPN connections. I understand that this can be confusing, as it is presented as a setting in the Remote Access VPN wizard. I have made a note of this and will work internally to get some improved messaging around it.

 

Thanks,

Namit 

Community Moderator (Community Manager)

In FTD the 'show capture cap_inside packet-number 4 trace' for packet #4 contains the following output:

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1254, using existing flow

Phase: 4
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (fast-forward) fast forward this flow

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
Action: allow


What does the 'fast-forward' verdict mean, and how is this packet handled in FTD?

 

Note: This question is a translation of a post originally created in Russian by alsokolov. It has been translated by Cisco Community to share the inquiry and its solution in different languages.

 

The 'fast-forward' verdict means that the packet(s) are NOT sent to the Snort engine and are inspected by the LINA engine only.

Reference:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html#anc19

If a connection is allowed by the security policy, which operations and/or features affect the determination of the egress interface for a connection in routed interface mode? If possible, sort them in the order of preference.

Jackson

 

The ASA/FTD identifies the egress interface of a connection in routed interface mode based on the following operations and/or features, in this order of preference:
1. Existing connection lookup
2. NAT lookup (destination NAT or UN-NAT)
3. Policy-based routing (PBR)
4. Global routing table lookup
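The lookup order in the answer above can be modelled as a small simulation. The following is an added example written for this thread, not Cisco code: the `Firewall`, `Packet`, `NatRule`, `PbrRule` and `Route` classes and the topology in `build_demo_firewall()` (interfaces inside, dmz, outside, isp2 and the 198.51.100.10 -> 10.1.1.10 static NAT) are all constructed for illustration. Only the order of the four lookups comes from the answer. It shows why a destination-NAT rule can send traffic to `dmz` even though the routing table would pick `outside`, and why a flow that is already in the connection table keeps its egress interface after a PBR rule is removed.

```python
"""Model of the egress-interface lookup order for an ASA/FTD in routed mode.

Added illustration, not Cisco code: the tables, rule classes and the
Firewall class are constructed for this example.  Only the ORDER of the
lookups comes from the answer above: existing connection, destination
NAT / UN-NAT, policy-based routing, then the global routing table.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str          # interface the packet arrived on
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0

    def key(self):
        # 5-tuple used for the connection-table lookup
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass(frozen=True)
class NatRule:
    mapped_dst: str       # address the packet is sent to (before UN-NAT)
    real_dst: str         # address after UN-NAT
    real_if: str          # interface the real host lives behind


@dataclass(frozen=True)
class PbrRule:
    ingress: str          # PBR is applied on the ingress interface
    match_src: str        # CIDR of sources the policy matches
    egress: str


@dataclass(frozen=True)
class Route:
    prefix: str           # CIDR
    egress: str


class Firewall:
    def __init__(self, nat_rules, pbr_rules, routes):
        self.conn_table = {}          # 5-tuple -> egress interface
        self.nat_rules = list(nat_rules)
        self.pbr_rules = list(pbr_rules)
        self.routes = list(routes)

    def route_lookup(self, dst):
        """Longest-prefix match in the global routing table (None if no route)."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = r.egress, net.prefixlen
        return best

    def select_egress(self, pkt):
        """Return (egress_interface, stage_that_decided); the stage order is the point."""
        # 1. An existing connection keeps the egress interface it was created with.
        if pkt.key() in self.conn_table:
            return self.conn_table[pkt.key()], "existing-connection"
        # 2. Destination NAT / UN-NAT: the rule's real interface wins over routing.
        for rule in self.nat_rules:
            if pkt.dst == rule.mapped_dst:
                return rule.real_if, "nat"
        # 3. Policy-based routing, evaluated on the ingress interface.
        src = ipaddress.ip_address(pkt.src)
        for rule in self.pbr_rules:
            if rule.ingress == pkt.ingress and src in ipaddress.ip_network(rule.match_src):
                return rule.egress, "pbr"
        # 4. Global routing table, last resort.
        egress = self.route_lookup(pkt.dst)
        return (egress, "routing-table") if egress else (None, "no-route")

    def open_connection(self, pkt):
        """Run the lookups for a new flow and install it in the connection table."""
        egress, stage = self.select_egress(pkt)
        if egress is not None:
            self.conn_table[pkt.key()] = egress
        return egress, stage


def build_demo_firewall():
    """Constructed topology: inside, dmz, outside and a second ISP link (isp2)."""
    return Firewall(
        nat_rules=[NatRule("198.51.100.10", "10.1.1.10", "dmz")],
        pbr_rules=[PbrRule("inside", "192.0.2.0/24", "isp2")],
        routes=[Route("0.0.0.0/0", "outside"), Route("10.0.0.0/8", "dmz"),
                Route("192.0.2.0/24", "inside")],
    )


if __name__ == "__main__":
    fw = build_demo_firewall()
    for pkt in (Packet("203.0.113.9", "198.51.100.10", "outside", dport=443),
                Packet("192.0.2.5", "203.0.113.1", "inside", dport=443),
                Packet("10.1.1.5", "203.0.113.1", "dmz", dport=443)):
        print(pkt.src, "->", pkt.dst, fw.open_connection(pkt))
```

The second return value names the stage that made the decision, which is the same information packet-tracer gives you in its UN-NAT, PBR-LOOKUP and ROUTE-LOOKUP phases; when an egress interface surprises you, checking the stages in this order is the quickest way to find the rule responsible.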

Cisco Moderador (Community Manager)

Hi, 

I have a question: in FTD the 'show capture cap_inside packet-number 1 trace' for packet #1 contains the following partial output:

Phase: 1
Type: NGIPS-MODE
Subtype: ngips-mode
Result: ALLOW
Config:
Additional Information:
The flow ingressed an interface configured for NGIPS mode and NGIPS services will be applied


Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip object 192.0.2.0 object 198.51.100.0 rule-id 268438531 event-log flow-end
...

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow

What verdict will the Snort engine give for this packet?

 

Note: This question is a translation of a post originally created in Spanish by Fernando Mondragón. It has been translated by Cisco Community to share the inquiry and its solution in different languages.

 

None, since the access control rule has the 'trust' keyword that indicates a prefiltered policy configuration. This packet will NOT be sent to the Snort engine.
Reference:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html#anc23
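Both of the trace questions above come down to reading the phase list and spotting the one line that decides whether Snort ever sees the packet: a `trust` keyword in the ACCESS-LIST phase, or a `(fast-forward)` verdict in the SNORT phase. The parser below is an added example for this thread, not Cisco tooling. The two sample traces are abridged copies of the outputs quoted in the questions (the first drops phases 1-2, the second drops phase 1 and keeps the `...` that is in the original); `parse_trace` and `snort_disposition` are constructed names. `snort_disposition` returns `trust` or `fast-forward` when the packet is handled by LINA only, `snort` when a SNORT phase carries any other verdict, and `unknown` when neither phase is present.

```python
"""Parse 'show capture ... trace' / packet-tracer output and decide whether
the packet reaches the Snort engine.

Added example, not Cisco tooling.  The sample traces are abridged from the
questions above; the decision rules encode the two answers: a 'trust'
access-control rule and a 'fast-forward' Snort verdict both mean LINA only.
"""
import re
from dataclasses import dataclass, field

# Abridged from the first question above (phases 1-2 omitted).
TRACE_FAST_FORWARD = """\
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1254, using existing flow

Phase: 4
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (fast-forward) fast forward this flow

Result:
input-interface: inside(vrfid:0)
input-status: up
Action: allow
"""

# Abridged from the second question above (phase 1 omitted; '...' is in the original).
TRACE_TRUST = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip object 192.0.2.0 object 198.51.100.0 rule-id 268438531 event-log flow-end
...

Result:
input-interface: inside
Action: allow
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_trace(text):
    """Split trace output into Phase objects plus the final 'Result:' key/values."""
    phases, final, cur, section, in_final = [], {}, None, None, False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur, section = Phase(int(m.group(1))), None
            phases.append(cur)
        elif line == "Result:":          # bare header starts the final summary block
            in_final, cur = True, None
        elif in_final:
            key, _, value = line.partition(":")   # 'inside(vrfid:0)' keeps its inner colon
            final[key.strip()] = value.strip()
        elif cur is None:
            continue
        elif line.startswith("Type:"):
            cur.type = line[5:].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line[8:].strip()
        elif line.startswith("Result:"):
            cur.result = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return phases, final


def snort_disposition(phases):
    """'trust' / 'fast-forward': LINA only; 'snort': inspected; 'unknown': undecidable."""
    for p in phases:
        if p.type == "ACCESS-LIST" and any(re.search(r"\btrust\b", c) for c in p.config):
            return "trust"
    for p in phases:
        if p.type == "SNORT":
            return "fast-forward" if "fast-forward" in " ".join(p.info) else "snort"
    return "unknown"


if __name__ == "__main__":
    for name, text in (("fast-forward", TRACE_FAST_FORWARD), ("trust", TRACE_TRUST)):
        phases, final = parse_trace(text)
        print(name, [p.type for p in phases], final.get("Action"), snort_disposition(phases))
```

The trust check runs before the SNORT check on purpose: with a trust rule there is normally no SNORT phase at all, so a parser that only looked for a Snort verdict would report "unknown" for exactly the packets the second answer is about.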

rrodriguezr (Level 1)

Hi Cisco Team

 

I have a situation that needs your assistance.

When creating a user for RAVPN in ASA and locking it to a certain connection profile, you enter commands like this:

username BATMAN password R0b!N
username BATMAN attributes
 group-lock value BATCAVE

However, on FDM we have not been able to find a place where we can manipulate the user attributes in the same fashion, or a way to limit the aliases that appear on a per-user basis.

Do you have any ideas or solutions to have this accomplished?

 

Thanks

Hi, 


As you discovered, currently it is not supported with FDM. There are certain settings that are available through the FlexConfig CLI. Again, these requirements are sort of based on local authentication. Are you using local authentication for your VPN deployment?

 

PS: Excellent choice of username and password  

 

Thanks,

Namit

Nono82 (Level 1)

Hi,

In FTD the connection table has the following established connection entry:

firepower# show conn
TCP inside  192.0.2.1:50088 outside 198.51.100.1:443, idle 0:00:00, bytes 5274, flags UIOoN1

If packet captures for this specific connection are configured in the Lina and Snort engines and the connection is not idle, which of these captures will have non-zero bytes?

Thank you

Noemi

Ilkin (Cisco Employee)

 

Hi Noemi,

The answer is none, because the connection was offloaded to the hardware, which means the packets will not be reaching the Lina/Snort engines.
The offload status is indicated by the "o" flag in the output above.

Ilkin
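The "o" flag is easy to miss in a long flag string such as UIOoN1, so here is an added example (written for this thread, not Cisco tooling) that parses `show conn` lines, splits the flag string into tokens and predicts which engine capture would show bytes. The first connection line in `SAMPLE_SHOW_CONN` is the one from the question; the summary line and the second connection are constructed. The flag legend is an abbreviated subset of the `show conn detail` legend as understood by the author of this example; the thread itself only confirms that "o" marks an offloaded flow, and the rule that Snort only sees a non-offloaded flow when it carries an N flag is this example's assumption, so check the legend on your own release.

```python
"""Decode 'show conn' entries and predict which captures would see traffic.

Added example, not Cisco tooling.  The first connection line is the one
from the question above; the other lines are constructed.  FLAG_LEGEND is
an abbreviated subset (assumption: verify against 'show conn detail' on
your release); the thread only confirms that 'o' means offloaded.
"""
import re

SAMPLE_SHOW_CONN = """\
2 in use, 5 most used
TCP inside  192.0.2.1:50088 outside 198.51.100.1:443, idle 0:00:00, bytes 5274, flags UIOoN1
TCP inside  192.0.2.2:50090 outside 198.51.100.1:443, idle 0:00:01, bytes 120, flags UION1
"""

CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<in_if>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<out_if>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+),\s*idle\s+(?P<idle>[\d:]+),"
    r"\s*bytes\s+(?P<bytes>\d+),\s*flags\s+(?P<flags>\S+)"
)

FLAG_LEGEND = {
    "U": "up",
    "I": "initiator data",
    "O": "responder data",
    "o": "offloaded",
    "b": "TCP state-bypass or nailed",
    "i": "incomplete",
    "A": "awaiting responder ACK to SYN",
    "a": "awaiting initiator ACK to SYN",
    "F": "initiator FIN",
    "f": "responder FIN",
    "N": "inspected by Snort",
    "N1": "inspected by Snort, preserve-connection enabled",
    "N2": "inspected by Snort, preserve-connection in effect",
}


def split_flags(flags):
    """'UIOoN1' -> ['U', 'I', 'O', 'o', 'N1']: a digit qualifies the preceding letter."""
    tokens = []
    for ch in flags:
        if ch.isdigit() and tokens:
            tokens[-1] += ch
        else:
            tokens.append(ch)
    return tokens


def parse_conn_line(line):
    """One 'show conn' entry -> dict, or None for summary/other lines."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    for k in ("sport", "dport", "bytes"):
        conn[k] = int(conn[k])
    conn["flags"] = split_flags(conn["flags"])
    return conn


def parse_show_conn(text):
    return [c for c in (parse_conn_line(l) for l in text.splitlines()) if c]


def describe_flags(conn):
    return [FLAG_LEGEND.get(t, f"unknown flag {t}") for t in conn["flags"]]


def is_offloaded(conn):
    return "o" in conn["flags"]


def expected_capture_bytes(conn):
    """Which engine captures would show non-zero bytes for this flow.

    Offloaded flows bypass both engines (the answer above).  For the rest,
    the assumption here is: LINA always sees the packets, Snort only when
    the flow carries an N flag (inspected by Snort).
    """
    if is_offloaded(conn):
        return {"lina": False, "snort": False}
    snort = any(t.startswith("N") for t in conn["flags"])
    return {"lina": True, "snort": snort}


if __name__ == "__main__":
    for conn in parse_show_conn(SAMPLE_SHOW_CONN):
        print(conn["src"], conn["flags"], describe_flags(conn), expected_capture_bytes(conn))
```

When a capture on either engine stays at zero bytes for a flow that `show conn` reports as busy, running the entry through `is_offloaded` (or just looking for the lowercase "o") is the first thing to check before suspecting the capture filter.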
