https://community.cisco.com/t5/network-security/ftd-deployment-issue-unable-to-get-internet-traffic-through/m-p/4507386#M1085328 <P>Please provide more information on how your network is physically and logically setup (are you using portchannels, subinterfaces, what VLANs correspond to what interface, etc.)</P> <P>And please check the following:</P> <P>1. Make sure there are no outstanding deployments in the FMC</P> <P>2. Make sure you have a Dynamic NAT configured from both Inside and DMZ interfaces towards the Outside interface</P> <P>3. Make sure that logging is enabled for the ACP rules, and if / when it is enabled check Analysis &gt; Connection Events to see if traffic is being blocked</P> <P>4. If all the above looks fine, log into the FTD CLI and ping your ISP IP (default route IP), if that is successful, ping 8.8.8.8</P> <P>5. If all these tests are successful go to the FTD CLI (at the &gt; prompt) and issue the command <STRONG>system support trace</STRONG></P> <P>&nbsp; &nbsp; &nbsp; &nbsp; Make sure to enable <STRONG>system support firewall-engine-debug</STRONG> when asked.</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; Enter the source IP of a test PC you will use to generate traffic to the internet</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; Enter the destination IP you are testing towards</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; *** for all other fields just press enter ***</P> <P>The last step should show if traffic is being dropped by either Snort or a firewall rule, if the traffic is reaching the firewall.</P> Tue, 23 Nov 2021 20:46:00 GMT Marius Gunnerud 2021-11-23T20:46:00Z https://community.cisco.com/t5/network-security/ftd-deployment-issue-unable-to-get-internet-traffic-through/m-p/4506296#M1085277 <DIV>Hello,&nbsp;</DIV><DIV>I'm deploying an FTD v6.6.5 created as native device in a Firepower 4110 appliance as replacement for an ASA5585 with Firepower Services, I have already added the FTD to the FMCv (v6.6.5) and migrated the ASA configuration using the Cisco Migration tool. I verified that all the interfaces were mapped and all licenses are in compliance. I had the ASA5585 up and running in the same FMCv but after the cutover I was unable to get internet traffic through the FTD. I confirmed that the interfaces (Inside, Outside and DMZ) were up and cleared the ARP tables on the switch where the Inside and DMZ interfaces are connected.</DIV><DIV>I don't know if I'm missing&nbsp;something after the migration, the report shows that all settings were migrated successfully, Ionly needed to configure the remote VPN manually</DIV> Sun, 21 Nov 2021 19:39:49 GMT https://community.cisco.com/t5/network-security/ftd-deployment-issue-unable-to-get-internet-traffic-through/m-p/4506296#M1085277 jesus.valero 2021-11-21T19:39:49Z https://community.cisco.com/t5/network-security/ftd-deployment-issue-unable-to-get-internet-traffic-through/m-p/4506298#M1085278 Hello, we had the same issue when migrated from 5585's to 2130's.<BR />We began creating a rule in the 2130 to allow all traffic regardless of<BR />rules.<BR />We didn't enable this rule right away.<BR />We did a deploy of the original rule set and everything began working.<BR />We never had to use the test rule.<BR /><BR />I found this odd and still do.<BR />Whenever we do an upgrade of the OS we have to make sure that all<BR />deployments are done.<BR />After the upgrade we have to another deployment of rules for everything to<BR />take effect.<BR /> Sun, 21 Nov 2021 20:25:02 GMT https://community.cisco.com/t5/network-security/ftd-deployment-issue-unable-to-get-internet-traffic-through/m-p/4506298#M1085278 Eric R. Jones 2021-11-21T20:25:02Z https://community.cisco.com/t5/network-security/ftd-deployment-issue-unable-to-get-internet-traffic-through/m-p/4507365#M1085327 <P class="">NAT is proper configured? Static default route or dynamic route is in place?</P><P class="">Ping to ISP works? Ping outside internet to 8.8.8.8 works?</P><P class="">Like stated before did you check if ACP might be blocking the traffic? Maybe it did not migrate all ACP as expected.</P> Tue, 23 Nov 2021 20:01:13 GMT https://community.cisco.com/t5/network-security/ftd-deployment-issue-unable-to-get-internet-traffic-through/m-p/4507365#M1085327 BmfL 2021-11-23T20:01:13Z https://community.cisco.com/t5/network-security/ftd-deployment-issue-unable-to-get-internet-traffic-through/m-p/4507386#M1085328 <P>Please provide more information on how your network is physically and logically setup (are you using portchannels, subinterfaces, what VLANs correspond to what interface, etc.)</P> <P>And please check the following:</P> <P>1. Make sure there are no outstanding deployments in the FMC</P> <P>2. Make sure you have a Dynamic NAT configured from both Inside and DMZ interfaces towards the Outside interface</P> <P>3. Make sure that logging is enabled for the ACP rules, and if / when it is enabled check Analysis &gt; Connection Events to see if traffic is being blocked</P> <P>4. If all the above looks fine, log into the FTD CLI and ping your ISP IP (default route IP), if that is successful, ping 8.8.8.8</P> <P>5. If all these tests are successful go to the FTD CLI (at the &gt; prompt) and issue the command <STRONG>system support trace</STRONG></P> <P>&nbsp; &nbsp; &nbsp; &nbsp; Make sure to enable <STRONG>system support firewall-engine-debug</STRONG> when asked.</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; Enter the source IP of a test PC you will use to generate traffic to the internet</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; Enter the destination IP you are testing towards</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; *** for all other fields just press enter ***</P> <P>The last step should show if traffic is being dropped by either Snort or a firewall rule, if the traffic is reaching the firewall.</P> Tue, 23 Nov 2021 20:46:00 GMT https://community.cisco.com/t5/network-security/ftd-deployment-issue-unable-to-get-internet-traffic-through/m-p/4507386#M1085328 Marius Gunnerud 2021-11-23T20:46:00Z