Below is the normal traffic flow in a Cisco ASA Firewall with FirePOWER module.
You can check the ASA Access Rules under Configuration > Firewall > Access Rules (click the box or maximize icon). There's an implicit permit rule for traffic from the inside and wifi going out to the Internet (outside). You'll need to permit traffic from inside to outside and redirect it to the FirePOWER module in order to apply Next-Generation firewall services such as IPS, URL filtering and Advanced Malware Protection (AMP).
Below is the inspection flow for the FirePOWER Access Control Rules.
Click on ASA FirePOWER to check the Access Control Policy for the FirePOWER module. Notice there are no rules created yet and the Default Action is set to Access Control: Trust All Traffic.
To redirect traffic to the FirePOWER module, go to Configuration > Firewall > Service Policy Rules. There's a global_policy and inspection_default configured by default. Click on inspection_default and click the Delete (trash) icon.
Click Add (down arrow) > Add Service Policy Rule
Leave the default settings in Step 1 and click Next.
Choose Use class-default as the traffic class > click Next.
Go to the ASA FirePOWER Inspection tab > tick Enable ASA FirePOWER for this traffic flow > leave the default Permit traffic > click Finish.
This will allow traffic to flow normally even if the FirePOWER module fails (fail-open). The alternative, Close traffic (fail-close), blocks the traffic while the module is down: no traffic ever bypasses inspection, but connectivity is lost until the module recovers.
Click Apply and ASDM will display an error. Just click Close.
Below is the resulting ASA configuration for the traffic redirection to the FirePOWER module. I also generated some web traffic from a machine residing on the inside interface.
ASA5506W-X# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
policy-map global-policy
 class class-default
  sfr fail-open
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection

ASA5506W-X# show service-policy

Global policy:
  Service-policy: global-policy
    Class-map: class-default
      Default Queueing  SFR: card status Up, mode fail-open
        packet input 5636, packet output 5636, drop 0, reset-drop 0
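Because the redirect is fail-open, the line to watch in "show service-policy" is the SFR card status: if it is ever Down, traffic keeps flowing but nothing is inspected. The following Python check is an added example (not from the original post or from Cisco); it parses output in the shape shown above and classifies what it means for inspection coverage. The "Down" sample and the state names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the "show service-policy" output shown above.
SAMPLE_UP = """Global policy:
  Service-policy: global-policy
    Class-map: class-default
      Default Queueing  SFR: card status Up, mode fail-open
        packet input 5636, packet output 5636, drop 0, reset-drop 0
"""
# Constructed sample for a failed module (card status Down) in fail-open mode.
SAMPLE_DOWN = SAMPLE_UP.replace("card status Up", "card status Down")

SFR_RE = re.compile(r"SFR: card status (\w+), mode (fail-open|fail-close)")
PKT_RE = re.compile(r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")


def parse_sfr_status(output):
    """Return card status, mode and packet counters, or None if the policy has no sfr action."""
    m = SFR_RE.search(output)
    if not m:
        return None
    status = {"card_status": m.group(1), "mode": m.group(2)}
    p = PKT_RE.search(output, m.end())   # counters follow the SFR line
    if p:
        status.update(input=int(p.group(1)), output=int(p.group(2)),
                      drop=int(p.group(3)), reset_drop=int(p.group(4)))
    return status


def assess(status):
    """Classify the redirect state (hypothetical state names, chosen for this example)."""
    if status is None:
        return "NO_REDIRECT"          # no sfr action: nothing reaches the module
    if status["card_status"] != "Up":
        # fail-open passes traffic uninspected; fail-close drops it while the module is down
        return "UNINSPECTED_BYPASS" if status["mode"] == "fail-open" else "TRAFFIC_BLOCKED"
    if status.get("input", 0) == 0:
        return "NO_TRAFFIC"           # redirect is up but no packets have matched yet
    return "INSPECTING"


if __name__ == "__main__":
    for name, sample in (("up", SAMPLE_UP), ("down", SAMPLE_DOWN)):
        print(name, assess(parse_sfr_status(sample)))
```

Feed it the live output of "show service-policy" (for example from a scheduled SSH poll) and alert on anything other than INSPECTING.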
You'll need to prepare several objects (aliases) to be used in the FirePOWER Access Control Policy Rules. First, create the logical Security Zones under Configuration > ASA FirePOWER Configuration > Object Management > Security Zones > Add Security Zone.
Choose ASA (which is the only option available) under Type in order to load the Available Interfaces. In my case I got interfaces on the outside, several inside and wifi.
Type a Name (INSIDE-WIRED) > select the interface(s) > Add > Store ASA FirePOWER changes.
I encountered an issue wherein there were no hits on the FirePOWER access rules. You'll need to add all the inside interfaces except the interface going to the FirePOWER module (inside-1). This is the direct cable between the ASA 5506W-X G1/2 and MGT1/1 interfaces.
Click the arrow on the Security Zone Object (INSIDE-WIRED) to expand and show its associated interfaces.
Configure the same for the wifi and outside interfaces.
Click the arrow to expand each Security Zone Object and show its associated interfaces.
Next, create individual network objects under Configuration > ASA FirePOWER Configuration > Object Management > Network > Individual Objects.
By default the Network Object for the RFC 1918 Private Networks is configured.
Click Add Network > Type a Name for the Network Object > type the Network (CIDR notation) > click Add > Store ASA FirePOWER Changes.
In this case I added the inside wired (192.168.1.0/24) and wifi (192.168.10.0/24) networks.
You then create a Network Group Object to tie together the individual network objects created earlier under Configuration > ASA FirePOWER Configuration > Object Management > Object Groups > Add Network Group.
Type a Name for the Network Group Object > select the individual Network Objects on the left > click Add to move under Selected Networks on the right > Store ASA FirePOWER changes.