Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1696
Views
0
Helpful
3
Replies

Turning off SFR on a single interface

Go to solution
Greg Biettler
Level 1
Level 1

‎01-21-2020 09:50 AM

 

Is there a way to turn off SFR on a single interface of an ASA?

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sheraz.Salim
VIP
VIP

‎01-21-2020 10:10 AM - edited ‎01-21-2020 10:12 AM

is there a specific reason for that you want to turn off the sfr inspection on the interface? I am not aware if you can do on the interface however there is another way you can do with access-list.

 

 

class-map SFR-CLASS
match access-list SFR
!

policy-map global_policy
class inspection_default

class SFR-CLASS
sfr fail-open!
access-list SFR extended deny 192.168.10.0 255.255.255.0 (let say,this is the interface you want to exempt from inspection)
access-list SFR extended permit ip any any

please do not forget to rate.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Sheraz.Salim
VIP
VIP

‎01-21-2020 10:10 AM - edited ‎01-21-2020 10:12 AM

is there a specific reason for that you want to turn off the sfr inspection on the interface? I am not aware if you can do on the interface however there is another way you can do with access-list.

 

 

class-map SFR-CLASS
match access-list SFR
!

policy-map global_policy
class inspection_default

class SFR-CLASS
sfr fail-open!
access-list SFR extended deny 192.168.10.0 255.255.255.0 (let say,this is the interface you want to exempt from inspection)
access-list SFR extended permit ip any any

please do not forget to rate.
0 Helpful

Go to solution
Greg Biettler
Level 1
Level 1
In response to Sheraz.Salim

‎01-21-2020 10:23 AM

The specific reason that we want to turn off sfr inspection on our Public interface is we're having issues with a VPN tunnel running through that interface.
We currently have issues with a vendor that want's to set up VPN L2L tunnel through our Public outgoing interface. The tunnel comes up & it passes windows traffic (they can get to their window shares) but it doesn't pass port 80 & 443 traffic.
The thought process is too turn the SFR module on our Public interface to see if deep packet inspection is causing this issue.

0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP
In response to Greg Biettler

‎01-21-2020 10:46 AM - edited ‎01-21-2020 10:48 AM

oh i see make sense. have to check the logs on the firepower if its blocking the traffic. what are the intrusion policyyou using in your network. ideally you must use as Balanced Security and Connectivity. you can use the access-list as i have mentioned earlier. or the other way is in firepower console ( are you using FMC or ASDM to manage your box) in both case go into access control policy and the address you think are creating problem. create a new acl in fmc/asdm of firepower and put them as Trust. prior to make them trust make sure they are define in discovery policy.

having said that you have two option either do as access-list on the ASA code (as mentioned previous) or do it in Firepower setting (FMC or ASDM Firepower GUI).

 

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card