https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559833#M1087696 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/133745">@cm</a> that ping is from the FTD itself, so it doesn't need to nat. It will route the traffic from the outside interface.</P> Fri, 25 Feb 2022 17:58:17 GMT Rob Ingram 2022-02-25T17:58:17Z https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559783#M1087692 <P>Hi all</P><P>&nbsp;</P><P>I m having strange issues with my FTD. I am managing it from FDM as I don't have FMC. I am Seeing strange behavior. I have deleted all the rules NAT and ACP . But my Clients Still getting internet.&nbsp;</P><P>&nbsp;</P><P>This is what I get from the command line. There seem to be some in Built statements in the system seen from show nat...Auto NAT... Further do i need to upgrade hardware from the current version below</P><P>&nbsp;</P><P>&gt;<BR />&gt;<BR />&gt; show nat</P><P>Auto NAT Policies (Section 2)<BR />1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https<BR />translate_hits = 0, untranslate_hits = 0<BR />2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface<BR />translate_hits = 0, untranslate_hits = 0<BR />3 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface<BR />translate_hits = 0, untranslate_hits = 0<BR />4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface<BR />translate_hits = 0, untranslate_hits = 0<BR />5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6<BR />translate_hits = 0, untranslate_hits = 0<BR />6 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6<BR />translate_hits = 0, untranslate_hits = 0<BR />7 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6<BR />translate_hits = 0, untranslate_hits = 0<BR />&gt;<BR />&gt;<BR />&gt;<BR />&gt;<BR />&gt;<BR />&gt; show xlate<BR />2 in use, 3 most used<BR />Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,<BR />s - static, T - twice, N - net-to-net<BR />TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443<BR />flags sr idle 1:55:58 timeout 0:00:00</P><P>&gt;<BR />&gt;<BR />&gt; show version<BR />-------------------[ firepower ]--------------------<BR />Model : Cisco Firepower 2130 Threat Defense (77) Version 6.2.3 (Build 83)<BR />UUID : 9cf20e9c-37d7-11ec-8011-db2581d87e9c<BR />Rules update version : 2017-09-13-001-vrt<BR />VDB version : 290<BR />----------------------------------------------------</P><P>&gt;</P> Fri, 25 Feb 2022 16:49:51 GMT https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559783#M1087692 cm 2022-02-25T16:49:51Z https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559785#M1087693 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/133745">@cm</a> clear the current connections, see if the clients can access then.</P> <P>You are running FTD version 6.2.3, you should definately upgrade to 7.0.1 which is the latest recommended version.</P> <P><A href="https://software.cisco.com/download/home/286312107/type/286306337/release/7.0.1" target="_blank">https://software.cisco.com/download/home/286312107/type/286306337/release/7.0.1</A></P> <P>&nbsp;</P> Fri, 25 Feb 2022 16:54:37 GMT https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559785#M1087693 Rob Ingram 2022-02-25T16:54:37Z https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559829#M1087695 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp; thanks Rob.&nbsp;</P><P>&nbsp;</P><P>I have cleared ...&nbsp;But the session is up&nbsp; it seem to have worked But How do clear&nbsp; inbuilt Auto rules is it in material.</P><P>&nbsp;</P><P>&gt;<BR />&gt;<BR />&gt;<BR />&gt; clear conn<BR />8 connection(s) deleted.<BR />&gt;<BR />&gt;<BR />&gt;<BR />&gt;<BR />&gt; show nat</P><P>Auto NAT Policies (Section 2)<BR />1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https<BR />translate_hits = 0, untranslate_hits = 0<BR />2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface<BR />translate_hits = 0, untranslate_hits = 0<BR />3 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface<BR />translate_hits = 0, untranslate_hits = 0<BR />4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface<BR />translate_hits = 0, untranslate_hits = 0<BR />5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6<BR />translate_hits = 0, untranslate_hits = 0<BR />6 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6<BR />translate_hits = 0, untranslate_hits = 0<BR />7 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6<BR />translate_hits = 0, untranslate_hits = 0<BR />&gt;<BR />&gt;<BR />&gt; show xlate<BR />1 in use, 3 most used<BR />Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,<BR />s - static, T - twice, N - net-to-net<BR />TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443<BR />flags sr idle 3:19:05 timeout 0:00:00</P><P>&gt;<BR />&gt;<BR />&gt; ping 8.8.8.8<BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:<BR />!!!!!<BR />Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms<BR />&gt; show<BR />Syntax error: The command is not completed<BR />&gt; show<BR />Syntax error: The command is not completed<BR />&gt; show</P> Fri, 25 Feb 2022 17:53:14 GMT https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559829#M1087695 cm 2022-02-25T17:53:14Z https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559833#M1087696 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/133745">@cm</a> that ping is from the FTD itself, so it doesn't need to nat. It will route the traffic from the outside interface.</P> Fri, 25 Feb 2022 17:58:17 GMT https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559833#M1087696 Rob Ingram 2022-02-25T17:58:17Z https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559842#M1087697 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;Yes the Ping from Devices But the Client (Ghost ) session dropped...After clearing connection... Thanks Boss. but my question still remains.&nbsp; How do I get rid of the Auto Nat rule.... It seems inbuilt. While I have to Upgrade my software together with other smart licensing ... Is it safe to deploy the ftd in the mean time until resources permit to upgrade ?&nbsp;</P> Fri, 25 Feb 2022 18:15:03 GMT https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559842#M1087697 cm 2022-02-25T18:15:03Z https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559850#M1087698 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/133745">@cm</a> you don't get rid of them, they are built in nat rules that help the system needs to operate.</P> Fri, 25 Feb 2022 18:21:49 GMT https://community.cisco.com/t5/network-security/firepower-issues/m-p/4559850#M1087698 Rob Ingram 2022-02-25T18:21:49Z