Traffic redirected by ASA to firepower module?

SIMMN

Someone asked me this question below today...

Do the following commands on an ASA with Firepower make traffic bypass Firepower inspection?

  • "same-security-traffic intra-interface" for any traffic coming in and going out of the same ASA inside interface.
  • "sysopt connection permit-vpn" for Anyconnect user traffic terminated on the outside interface.

His setup is fairly simple: it has "permit ip any any" in the class-map/policy-map for Firepower redirection. There are two interfaces on the ASA: an inside interface with security level 100 and an outside interface with security level 0. No specific ACL is configured on the inside interface (just the implicit allow of traffic to lower security level interfaces), and some ACLs are configured on the outside interface.

I know an ASA with the "same-security-traffic intra-interface" command would still check traffic against the ACLs, but his inside interface does not have any explicitly defined ACLs. So will the "implicit allow" count as an ACL/firewall rule so that traffic would be redirected to Firepower before exiting out the same inside interface?

Regarding the "sysopt connection permit-vpn" feature, the ASA would allow decrypted user VPN traffic to bypass the ACL on the outside interface. But will the traffic still be redirected to Firepower?

I wanted to test these but I do not have an ASA with Firepower in the lab... Hope someone could clarify.

6 Replies

The traffic will still be sent to the FirePOWER module for inspection. In the case of VPN traffic, the traffic will hit the ASA outside interface, be decrypted, and then be sent to the FirePOWER module for inspection. If the traffic does not hit any security policy that drops it, it will be sent back to the ASA and then sent out the inside interface. The same would happen for traffic coming from and exiting the inside interface. The command same-security-traffic intra-interface just allows the traffic to get in and out of the same interface, but it does not imply any security bypass at all. As for the command sysopt connection permit-vpn, it allows VPN traffic to bypass the L3/L4 ACLs applied to the ASA interface, but here too it does not imply any inspection bypass.

The ASA will redirect the traffic to the FPR module all the time as long as the ACL is matched. They are two separate engines, and the commands you mentioned impact ASA policy evaluation only.

You can confirm this using the packet-tracer command, and you will see that part of the evaluation process is to go to FPR (for a VPN packet-tracer, you need to have the VPN already established).

**** please remember to rate useful posts

Thanks, I agree that as long as the traffic matches a permit ACL on the inbound interface, the ASA would try to send the traffic to Firepower. But will the default implicit permit on the inside interface count as the permit ACL? If so, then the answer to this is clear...

I could try packet tracer for the user VPN traffic. But my understanding is that "sysopt connection permit-vpn" would bypass the ACL on the inbound interface, which is outside. According to the flow chart below, only traffic that matches the inbound interface permit ACL would be redirected to Firepower... Am I wrong? If decrypted VPN traffic bypasses the outside interface ACL (permit or deny), would it still be redirected to Firepower as well?

According to the flow chart below, only traffic that matches the inbound interface permit ACL would be redirected to Firepower... Am I wrong?

Of course traffic would need to pass the interface-level ACL, but after it passes the interface ACL it would still need to match the ACL configured in the policy-map for redirection to Firepower. All commands that have so far been mentioned are related to interface-level access. The sysopt and same-security-level commands are also at interface level, so they cannot exempt traffic from being passed to Firepower.

Packet tracer will show if traffic is being redirected to Firepower in the additional comments section of each step. However, if you want to check traffic that has entered Firepower, you will need to log in to the SFR module and run system support firewall-engine-debug and/or system support trace.

--
Please remember to select a correct answer and rate helpful posts

All the commands you have posted are related to interface-level access. Redirection to the Firepower module is configured under the policy-map. As long as the policy-map is configured to redirect traffic and the ACL that is configured for that policy-map is being matched, then all traffic matching that ACL will be redirected to the Firepower module.

config example:

access-list fpr-redirect extended permit ip any any
class-map Firepower
  match access-list fpr-redirect
policy-map global_policy
  class Firepower
    sfr fail-open

--
Please remember to select a correct answer and rate helpful posts
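An added verification walkthrough on the ASA CLI, not from this thread or any of its replies, that ties the config example above to the packet-tracer checks the earlier replies mention. The interface names are the thread's inside/outside; the IP addresses are constructed, and lines beginning with "!" are annotations rather than commands.

```cisco
! Added example (not from the thread). Constructed addresses:
!   10.1.1.0/24  = inside LAN behind the ASA
!   10.99.0.0/24 = AnyConnect VPN address pool
! Run from privileged EXEC on the ASA.

! 1. Confirm the redirect policy is present and actually applied.
!    global_policy is normally attached with "service-policy global_policy global";
!    a policy-map that is not applied redirects nothing.
show running-config access-list fpr-redirect
show running-config class-map Firepower
show running-config policy-map global_policy
show running-config service-policy
show module sfr details

! 2. Hairpin case: a flow that enters and leaves the inside interface
!    (requires "same-security-traffic permit intra-interface").
!    In the detailed output, check that the interface-ACL phase shows the
!    implicit permit and that a later phase hands the packet to the SFR module.
packet-tracer input inside tcp 10.1.1.10 40000 10.1.1.20 443 detailed

! 3. Remote-access VPN case: a decrypted AnyConnect flow arriving on outside.
!    The tunnel for 10.99.0.5 must already be established for the trace to
!    follow the VPN path. With "sysopt connection permit-vpn" the outside ACL
!    phase is skipped, but the SFR phase should still be present.
packet-tracer input outside tcp 10.99.0.5 40000 10.1.1.20 443 detailed

! 4. Live counters: packets redirected to the module, per interface and class.
!    Repeat while generating test traffic and confirm the counters increase.
show service-policy sfr
```

If the SFR phase is missing in step 2 or 3, compare the class-map ACL against the traced flow before suspecting the sysopt or same-security-traffic settings, since those only affect the interface-ACL phase.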

Only traffic that matches the input interface permit ACL would be examined against the class-map/policy-map for Firepower inspection redirection.
