I thought I would post my configuration for sending traffic to the CX from the ASA CLI. In talking with TAC, there are two schools of thought here: create a deny ACL blocking what you do not want filtered and then put a permit at the end, or create a permit ACL with what you want filtered and then a deny to prevent all other traffic from being sent to the CX. The latter makes more sense to me, so that is the route I go.
First I create an object group with the internal networks. In this example I'll be sending all private address spaces (per RFC1918) to CX.
object-group network RFC1918
 description RFC1918 Private IPv4 Address Space
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
Now for the ACL. I'll be sending any traffic that has an RFC1918 source address destined to anywhere on TCP port 80 or 443 to the CX.
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq www
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq https
Next we create the Class Map that we will be putting in the Policy Map. We tell the Class Map to look at the ACL we just created.
match access-list ACL-CX-FILTER
Finally we add the Class Map to the Policy Map.
cxsc fail-open auth-proxy
You can also do this in PRSM, but I found that it creates a somewhat goofy naming scheme, so I prefer to do it myself. Hope it helps.
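The full Modular Policy Framework (MPF) structure that the post walks through, assembled here as an added example; this is not the original poster's configuration. The class-map name CX-CLASS is assumed (the post does not show its class-map or policy-map names), and global_policy is the ASA's default policy map, which is normally already applied with the final service-policy line.

```cisco
! Added example, not from the original post. CX-CLASS is an assumed name;
! global_policy is the ASA default policy map.
object-group network RFC1918
 description RFC1918 Private IPv4 Address Space
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Only RFC1918-sourced HTTP and HTTPS is permitted into the class; the ACL's
! implicit deny at the end keeps every other flow away from the CX module.
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq www
access-list ACL-CX-FILTER extended permit tcp object-group RFC1918 any eq https
!
class-map CX-CLASS
 match access-list ACL-CX-FILTER
!
policy-map global_policy
 class CX-CLASS
  cxsc fail-open auth-proxy
!
service-policy global_policy global
```

Two points worth checking after applying this. First, `show service-policy` should list the class and its cxsc action with increasing packet counters once a host on an RFC1918 address browses; a zero counter usually means the ACL is not matching the traffic you expected. Second, `fail-open` is a deliberate availability-over-inspection choice: if the CX module is down or being reloaded, matching traffic is forwarded without inspection, whereas `fail-close` drops it. Pick whichever failure mode your policy actually requires rather than copying the keyword.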