Configure Passive Traffic Forwarding - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Configure the ASA FirePOWER Module

The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the module is unavailable. Specify monitor-only to send a read-only copy of traffic to the module, i.e. inline tap mode. If you do not include the keyword, the traffic is sent in inline mode. Be sure to configure consistent policies on the ASA and the ASA FirePOWER. See ASA FirePOWER Inline Tap Monitor-Only Mode, page 7-3, for more information.

Example:
hostname(config-pmap-c)# sfr fail-close

Step 5  If you created multiple class maps for ASA FirePOWER traffic, you can specify another class for the policy and apply the sfr redirect action. See Feature Matching Within a Service Policy, page 11-5, for detailed information about how the order of classes matters within a policy map. Traffic cannot match more than one class map for the same action type.

Step 6  If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.

service-policy policymap_name {global | interface interface_name}

Example:
hostname(config)# service-policy inside_policy interface inside

The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

Configure Passive Traffic Forwarding

If you want to operate the module in passive monitor-only mode, where the module gets a copy of the traffic and neither it nor the ASA can affect the network, configure a traffic forwarding interface and connect the interface to a SPAN port on a switch. For more details, see ASA FirePOWER Passive Monitor-Only Traffic Forwarding Mode, page 7-4.

The following guidelines explain the requirements for this deployment mode:

• The ASA must be in single-context and transparent mode.
• You can configure up to 4 interfaces as traffic-forwarding interfaces. Other ASA interfaces can be used as normal.
• Traffic-forwarding interfaces must be physical interfaces, not VLANs or BVIs. The physical interface also cannot have any VLANs associated with it.
• Traffic-forwarding interfaces cannot be used for ASA traffic; you cannot name them or configure them for ASA features, including failover or management-only.
• You cannot configure both a traffic-forwarding interface and a service policy for ASA FirePOWER traffic.

Procedure

Step 1  Enter interface configuration mode for the physical interface you want to use for traffic forwarding.

interface physical_interface

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 7: ASA FirePOWER Module, page 7-12
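As an added example that is not part of the manual, the following Python script audits a running-config excerpt against the guidelines above (transparent mode, at most 4 traffic-forwarding interfaces, physical interfaces only with no VLAN subinterfaces, no nameif or management-only on them, and no ASA FirePOWER service policy alongside them). It assumes the `traffic-forward sfr monitor-only` interface command that the remaining steps of this procedure configure, and the sample configuration is constructed.

```python
import re
# Constructed ASA running-config excerpt (not from the manual); it deliberately breaks several guidelines.
SAMPLE_CONFIG = """\
firewall transparent
interface GigabitEthernet0/1
 traffic-forward sfr monitor-only
interface GigabitEthernet0/3
 traffic-forward sfr monitor-only
 nameif span-in
interface GigabitEthernet0/3.100
 vlan 100
interface BVI1
 traffic-forward sfr monitor-only
policy-map global_policy
 class sfr_class
  sfr fail-close monitor-only
service-policy global_policy global
"""

def parse_interfaces(config: str) -> dict:
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # any unindented line ends the interface block
    return ifaces

def check_traffic_forwarding(config: str) -> list:
    """Return one finding per violated guideline; an empty list means compliant."""
    findings, ifaces = [], parse_interfaces(config)
    if "firewall transparent" not in config.splitlines():
        findings.append("ASA is not in transparent mode")
    fwd = [n for n, cmds in ifaces.items() if "traffic-forward sfr monitor-only" in cmds]
    if len(fwd) > 4:
        findings.append(f"{len(fwd)} traffic-forwarding interfaces configured; the limit is 4")
    for name in fwd:
        if "." in name or name.upper().startswith("BVI"):
            findings.append(f"{name}: must be a physical interface, not a VLAN subinterface or BVI")
        if any(c.startswith("nameif ") or c == "management-only" for c in ifaces[name]):
            findings.append(f"{name}: cannot be named or configured for ASA features")
        if any(other.startswith(name + ".") for other in ifaces):
            findings.append(f"{name}: VLAN subinterfaces are not allowed on a traffic-forwarding interface")
    # an indented 'sfr ...' line is a policy-map class action, i.e. an ASA FirePOWER service policy
    if fwd and re.search(r"^\s+sfr\b", config, re.M):
        findings.append("a traffic-forwarding interface and an ASA FirePOWER service policy cannot coexist")
    return findings
```

Run it against the output of `show running-config` to see which guideline a deployment violates before the module is connected to the SPAN port.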