
SEC0166 - ASA FirePower Object and Access Control (Part 2)

The video takes you through the heart of Cisco ASA FirePower and FireSight system configuration, which is the Access Control Policy. We will go through the basic components of Access Control rules, including Security Zone, Network Object, Port Object, and Geolocation, as well as leveraging the user identity obtained in the previous video to build rules based on our requirement scenarios.

Part 2 of this video goes through validation of our Access Control Policy configuration.
 
Topic:
  • Access Control Policy, Rules, and Category
  • Objects
    • Security Zone
    • Network, Network Group
    • Port, Port Group
    • Geolocation
  • Connection Logging

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

8 comments

Hi,

Thanks for all the videos. I just own a FireSight 750 and it has 2 Ethernet ports. I use just one, connected to my network.
Please, do you know what the role of the second network card is?

We don't believe the second Ethernet port can be used. Definitely check with the hardware install guide to confirm.

Hi,

Around 5:17 you modified rule 2 to include a destination in order to access the internet. Why would this rule not have been triggered before, with the default destination of any?

Thanks,
Josh

The destination LM EXTERNAL SERVER represents the subnet outside the FW, not the internet.

Hi team

Q1.
Around the 09:12 time-stamp, how does Firepower allow ICMP/UDP and domain lookup/DNS? I thought it should be blocked from Any.

Q2.
Well, I see that Firepower offers IPS/IDS/URL type features. However, how would one differentiate between the ASA FW and Firepower? From what I understand, we seem to achieve access control with Firepower, so what's the advantage of ASA access control via CLI/ASDM? All has to be managed by Firepower, I guess, including NAT, PAT, etc.?

Very good tutorials.
Thanks.
MK

1. Internet-bound traffic except HTTP is not being matched by any of the rules we created, hence it matched the default, which has an action of network discovery = allowed.

2. Performing filtering at the ASA helps offload the FP at the expense of local management. You can pretty much do the same thing on the FP, as you mentioned, with centralized config. It just comes down to your design decision.

Hello Metha Chiewanichakorn. I am very thankful for your awesome videos. I am pretty new to the Firepower concept. I do not get one thing about Access Control. On condition that we filter certain traffic on the ASA firewall (local), why do we need to create the same rules on Firepower? Does it make sense to create all rules (ACL and NAT) on the ASA, then permit any any on Firepower? In all cases, if the traffic is allowed by the ASA, it will be inspected on Firepower.

The short answer is, you don't need to configure ACLs at both places. The general rule is you configure L3-L4 ACLs on the ASA and let the FP do L7 filtering. This way, the FP is not bogged down with unnecessary traffic. If you would rather not maintain config at both places, just permit-all on the ASA and do everything on the FP. Also, when this becomes FTD, your access policy would be ready for migration.