Turning off SFR on a single interface

Greg Biettler
Level 1

Is there a way to turn off SFR on a single interface of an ASA?

Accepted Solution

Sheraz.Salim
VIP Alumni

Is there a specific reason you want to turn off the SFR inspection on the interface? I am not aware that you can do it on the interface; however, there is another way you can do it with an access-list.

access-list SFR extended deny ip 192.168.10.0 255.255.255.0 any
! (let's say this is the subnet behind the interface you want to exempt from inspection)
access-list SFR extended permit ip any any
!
class-map SFR-CLASS
 match access-list SFR
!
policy-map global_policy
 class inspection_default
 class SFR-CLASS
  sfr fail-open

please do not forget to rate.

3 Replies

The specific reason we want to turn off SFR inspection on our Public interface is that we're having issues with a VPN tunnel running through that interface.
We currently have issues with a vendor that wants to set up an L2L VPN tunnel through our Public outgoing interface. The tunnel comes up and it passes Windows traffic (they can get to their Windows shares), but it doesn't pass port 80 and 443 traffic.
The thought process is to turn off the SFR module on our Public interface to see if deep packet inspection is causing this issue.

Oh, I see, that makes sense. You have to check the logs on the Firepower to see if it is blocking the traffic. What intrusion policy are you using in your network? Ideally you must use Balanced Security and Connectivity. You can use the access-list as I mentioned earlier, or the other way is in the Firepower console (are you using FMC or ASDM to manage your box?): in both cases go into the access control policy and the addresses you think are creating the problem, create a new ACL in FMC/ASDM for Firepower and set them as Trust. Prior to making them Trust, make sure they are defined in the discovery policy.

Having said that, you have two options: either do it as an access-list in the ASA config (as mentioned previously) or do it in the Firepower settings (FMC or ASDM Firepower GUI).

please do not forget to rate.
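The accepted answer's access-list approach applied to the asker's VPN case, as an added example that is not from the original thread: the vendor's protected subnet 10.20.30.0/24, the local subnet 192.168.10.0/24 and the ACL name SFR-REDIRECT are placeholders. Because the ASA decrypts tunnel traffic before the service policy runs, the exemption matches the vendor's inner (cleartext) addresses rather than the peer's public IP.

```cisco
! Constructed example: 10.20.30.0/24 is the vendor's protected subnet behind
! the L2L tunnel, 192.168.10.0/24 is the local subnet (both placeholders).
!
! 1. Exempt only the tunnel traffic in both directions; a "deny" here means
!    "do not redirect to the SFR module", everything else still gets inspected.
access-list SFR-REDIRECT extended deny ip 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list SFR-REDIRECT extended deny ip 10.20.30.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list SFR-REDIRECT extended permit ip any any
!
! 2. Match the ACL in a class and redirect only what it permits. If global_policy
!    already has a class sending traffic to the module (typically a "match any"
!    class), remove that redirect first so this class takes its place.
class-map SFR-CLASS
 match access-list SFR-REDIRECT
!
policy-map global_policy
 class SFR-CLASS
  sfr fail-open
!
! 3. Verify while the vendor tests port 80/443: the hit counts on the two deny
!    lines should increase, and the policy counters should still show other
!    traffic being redirected to the module.
show access-list SFR-REDIRECT
show service-policy sfr
```

If the web traffic flows once the tunnel is exempted, the Firepower event logs for the earlier attempts (the other option in the thread) will show which rule or intrusion policy dropped it, which is the safer long-term fix than leaving the exemption in place.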