Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 ASA FirePOWER Module
Configure the ASA FirePOWER Module
Configure Inline or Inline Tap Monitor-Only Modes
Redirect traffic to the ASA FirePOWER module by creating a service policy that identifies the specific traffic that you want to send. In inline or inline tap monitor-only mode, ASA policies, such as access rules, are applied to the traffic before it is redirected to the module.
Before You Begin
• If you have an active service policy redirecting traffic to an IPS or CX module (that you replaced with ASA FirePOWER), you must remove that policy before you configure the ASA FirePOWER service policy.
• Be sure to configure consistent policies on the ASA and the ASA FirePOWER. Both policies should reflect the inline or inline tap mode of the traffic.
• In multiple context mode, perform this procedure within each security context.
Procedure
Step 1 Create an L3/L4 class map to identify the traffic that you want to send to the module.
class-map name
match parameter
Example:
hostname(config)# access-list my-sfr-acl permit ip any 10.1.1.0 255.255.255.0
hostname(config)# access-list my-sfr-acl2 permit ip any 10.2.1.0 255.255.255.0
hostname(config)# class-map my-sfr-class
hostname(config-cmap)# match access-list my-sfr-acl
If you want to send multiple traffic classes to the module, you can create multiple class maps for use in the security policy. For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 11-13.
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map {global_policy | name}
Example:
hostname(config)# policy-map inside_policy
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name. To create a new interface-based policy, specify a new name.
Step 3 Identify the class map you created at the start of this procedure.
class name
Example:
hostname(config-pmap)# class my-sfr-class
Step 4 Send the traffic to the ASA FirePOWER module.
sfr {fail-close | fail-open} [monitor-only]
Where:
• The fail-close keyword sets the ASA to block all traffic if the ASA FirePOWER module is unavailable.
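As an added check that is not part of the guide, the following Python script audits a running-config excerpt for two of the points above: every class referenced in a policy map must exist as a class map, and no class may still carry the legacy ips or cxsc redirect action (the IPS and CX module actions) alongside sfr. The sample config is constructed for the example and the ips/cxsc keyword names are an assumption drawn from older ASA releases.

```python
import re

# Constructed running-config excerpt (not from the guide). The sfr action was
# added, but a leftover "ips" action from the replaced IPS module still
# redirects the same class, which the guide says must be removed first; the
# second class references a class-map that was never created.
SAMPLE_CONFIG = """\
access-list my-sfr-acl permit ip any 10.1.1.0 255.255.255.0
class-map my-sfr-class
 match access-list my-sfr-acl
policy-map inside_policy
 class my-sfr-class
  ips inline fail-open
  sfr fail-close
 class missing-class
  sfr fail-open monitor-only
service-policy inside_policy interface inside
"""

# Policy-map actions used to redirect traffic to the older IPS and CX modules
# (assumed keyword names; not taken from this page).
LEGACY_ACTIONS = ("ips", "cxsc")


def audit_sfr_policy(config):
    """Return the problems found in policy-map classes that use the sfr action."""
    class_maps = set()
    policies = {}          # policy-map name -> {class name: [action keywords]}
    policy = cls = None
    for line in config.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        words = line.split()
        if not words:
            continue
        if indent == 0:    # a top-level command ends any policy-map block
            policy = cls = None
            if words[0] == "class-map" and len(words) == 2:   # plain L3/L4 class map
                class_maps.add(words[1])
            elif words[0] == "policy-map":
                policy = words[-1]
                policies.setdefault(policy, {})
        elif policy and indent == 1 and words[0] == "class":
            cls = words[1]
            policies[policy].setdefault(cls, [])
        elif policy and cls and indent >= 2:
            policies[policy][cls].append(words[0])
    problems = []
    for pname, classes in policies.items():
        for cname, actions in classes.items():
            if cname != "class-default" and cname not in class_maps:
                problems.append(f"{pname}/{cname}: class-map not defined")
            if "sfr" in actions and any(a in actions for a in LEGACY_ACTIONS):
                problems.append(f"{pname}/{cname}: sfr combined with ips/cxsc action")
    return problems
```

Run it against the output of show running-config (pasted into a file) before applying the sfr service policy; an empty list means the prerequisites checked here are satisfied.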