Cisco ASA5525-x Firepower

jpdeboer1
Level 1

Hi,

We have a customer that bought an ASA5525-X with FirePOWER. This is the first time I need to set up an ASA with FirePOWER, and I ran into a small issue.

The ASA is up and running, the FirePOWER Management Server is up and running, and the connection between the two is working. Traffic is being forwarded by the ASA to the FirePOWER module and traffic leaves the ASA to the internet. However, return traffic is being denied, which should not be the case with a stateful firewall.

But when I make an access rule on the outside interface, permit any any, then internet access is working.

Now I think the FirePOWER module is doing something with the packet, or sends some sort of reset. Did any of you guys encounter this issue and know the solution to it?

Let me know if you have questions.

Thanks in advance!

Br,

JP

2 Replies

Marvin Rhoads
Hall of Fame

When a FirePOWER module tells the ASA to reset a given flow, there is an ASA syslog message to that effect. You will normally also see a Block action in the FMC Connection Events.

If that were happening, the ACL would not fix it.

When you say blocked, what syslog message is being generated on the ASA when a given connection is blocked? I assume you are talking about actual TCP connections (with 3-way handshake etc.) and not just ICMP packets (ping). I say that because by default an ASA does not inspect ICMP flows. That needs to be explicitly added in the default class map so that the echo reply packets are allowed back through the appliance.
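
The checks and the ICMP inspection change described in the reply above, written out as an added ASA CLI example; this is not configuration from the thread or from Cisco documentation for this case. The interface name "inside", the client address 10.1.1.10, the destination 198.51.100.10 and the class-map name "SFR" are assumptions; the show commands, packet-tracer and the inspect/sfr policy lines are standard ASA 9.x syntax.

```text
! Added example (not from the thread). Names and addresses below are assumptions.

! 1. Confirm the FirePOWER (SFR) module is up and that the redirect policy is applied.
show module sfr
show service-policy sfr

! 2. While a client (assumed 10.1.1.10) opens a TCP connection, watch the state table.
!    If a connection entry is built and then torn down while the ASP drop counters
!    increase, the module or the ASA fast path is dropping the flow, not the
!    interface ACL (an ACL deny would show up as an access-group deny syslog instead).
show conn address 10.1.1.10
show asp drop

! 3. Replay the same flow through the firewall logic without sending live traffic;
!    the output shows each phase, including the SFR redirect, and the final verdict.
packet-tracer input inside tcp 10.1.1.10 40000 198.51.100.10 443 detailed

! 4. ICMP is not tracked statefully by default. Adding it to the default inspection
!    class lets echo replies match the outbound echo request, so no permit-any rule
!    is needed on the outside interface for ping to work.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! 5. The SFR redirect class stays under the same global policy. fail-open keeps
!    traffic flowing if the module is down; use fail-close if the module must
!    inspect every flow.
policy-map global_policy
 class SFR
  sfr fail-open
```

Run steps 1 to 3 before changing anything: if packet-tracer already shows the flow allowed and the connection entry is built, the outbound side is fine and the next thing to look at is the ASA syslog for the return packet and the FMC connection events for that flow.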

Hi Marvin,

Thanks for your reply. Not sure what caused this issue, but when I updated all the SW versions to the latest it got resolved.

Yeah, it was for ICMP and TCP traffic. All return traffic got denied, and the ASA showed the normal deny message.

Thanks again!
