topic Re: Firepowers are not seeing any return traffic from the internet in Network Security

Firepowers are not seeing any return traffic from the internet

erics08 — Mon, 04 Dec 2023 20:00:30 GMT

Hello, we have a newer environment that we have been adding servers and NAT's to over the last few months. Recently ran into an issue where the servers have internet access until I apply a NAT in the firewall. The servers are in Azure and the firewalls are FTDv in Azure. We have an outbound internet policy allowing all, and I see the traffic is allowed outbound, but there isn't return traffic. I verified this with pcaps as well. Any idea why the traffic isn't coming back to the firewall? The odd thing is, that we have one server with a NAT that does have internet access.

We are in Azure North Central with 2 FTDv's that are active/active. Everything in Azure has internet access and traverses these firewalls, except the 3 new servers that were moved into Azure with a NAT rule. And to add one more thing, my server team provides the Microsoft public IP for me and all 3 of these IP's are in a different subnet. Also have a ticket open with Microsoft on this.

Re: Firepowers are not seeing any return traffic from the internet

MHM Cisco World — Mon, 04 Dec 2023 20:04:43 GMT

Can I see packet tracer

MHM

Re: Firepowers are not seeing any return traffic from the internet

erics08 — Mon, 04 Dec 2023 20:32:34 GMT

Here is the packet tracer for a constant ping going to Google. The firewall logs show initiator packet, but no responder traffic.

Interface: GigabitEthernet0/0
VLAN ID:
Protocol: ICMP
Source Type: IPv4
Source IP value: 10.20.132.50
Destination Type: IPv4
Destination IP value: 8.8.8.8
ICMP Code: 0
ICMP ID:
ICMP Type: 8 (Echo Request)
Treat simulated packet as IPsec/SSL VPN decrypt: false
Bypass all security checks for simulated packet: false
Allow simulated packet to transmit from device: false
Select Device: AZUCSFPP01
Run trace on all cluster members: false

Device details
Name: AZUCSFPP01
ID: f5e5fc74-beb9-11ed-8233-b0944b225a3d
Type: Device

Phase 1
ID: 1
Type: ACCESS-LIST
Result: ALLOW
Config: Implicit Rule
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b08877e0, priority=1, domain=permit, deny=false hits=60863992910, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=AZU_InsideZone, output_ifc=any
Elapsed Time: 10258 ns

Phase 2
ID: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information: Found next-hop 10.20.101.49 using egress ifc AZU_OutsideZone(vrfid:0)
Elapsed Time: 8920 ns

Phase 3
ID: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-group CSM_FW_ACL_ globalaccess-list CSM_FW_ACL_ advanced permit ip ifc AZU_InsideZone object 10_20_0_0_16 ifc AZU_OutsideZone any rule-id 268447747 access-list CSM_FW_ACL_ remark rule-id 268447747: ACCESS POLICY: AzureNorthCentralAccessControlPolicy - Mandatoryaccess-list CSM_FW_ACL_ remark rule-id 268447747: L7 RULE: ALLOW_INSIDE_OUT
Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Forward Flow based lookup yields rule: in id=0x15040bced2a0, priority=12, domain=permit, deny=false hits=128119090, user_data=0x1503dd34a440, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=10.20.0.0, mask=255.255.0.0, port=0, tag=any, ifc=AZU_InsideZone(vrfid:0) dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=AZU_OutsideZone(vrfid:0), vlan=0, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 1873 ns

Phase 4
ID: 4
Type: CONN-SETTINGS
Result: ALLOW
Config: class-map class-default match anypolicy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAPservice-policy global_policy global
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b132f940, priority=7, domain=conn-set, deny=false hits=160785440, user_data=0x1503b132acd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_InsideZone(vrfid:0), output_ifc=any
Elapsed Time: 1873 ns

Phase 5
ID: 5
Type: NAT
Result: ALLOW
Config: nat (AZU_InsideZone,AZU_OutsideZone) source static 10_20_132_50 20_221_254_24 description Tekla_2
Additional Information: Static translate 10.20.132.50/0 to 20.221.254.24/0 Forward Flow based lookup yields rule: in id=0x1503b31a4890, priority=6, domain=nat, deny=false hits=221, user_data=0x1503b2aebbc0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=10.20.132.50, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_InsideZone(vrfid:0), output_ifc=AZU_OutsideZone(vrfid:0)
Elapsed Time: 1873 ns

Phase 6
ID: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b03e4440, priority=0, domain=nat-per-session, deny=true hits=163581562, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 1873 ns

Phase 7
ID: 7
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b088f110, priority=0, domain=inspect-ip-options, deny=true hits=187836233, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_InsideZone(vrfid:0), output_ifc=any
Elapsed Time: 1873 ns

Phase 8
ID: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config: class-map inspection_default match default-inspection-trafficpolicy-map global_policy class inspection_default inspect icmp service-policy global_policy global
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b13106f0, priority=70, domain=inspect-icmp, deny=false hits=16042231, user_data=0x1503b130f110, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_InsideZone(vrfid:0), output_ifc=any
Elapsed Time: 16502 ns

Phase 9
ID: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b1319530, priority=70, domain=inspect-icmp-error, deny=false hits=16042231, user_data=0x1503b1317f50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_InsideZone(vrfid:0), output_ifc=any
Elapsed Time: 2230 ns

Phase 10
ID: 10
Type: QOS
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b13c0100, priority=70, domain=qos-per-class, deny=false hits=313786802, user_data=0x1503b1254ea0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 446 ns

Phase 11
ID: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config: nat (AZU_InsideZone,AZU_OutsideZone) source static 10_20_132_50 20_221_254_24 description Tekla_2
Additional Information: Forward Flow based lookup yields rule: out id=0x1503b27b1fa0, priority=6, domain=nat-reverse, deny=false hits=222, user_data=0x1503b1888640, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=10.20.132.50, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_InsideZone(vrfid:0), output_ifc=AZU_OutsideZone(vrfid:0)
Elapsed Time: 8028 ns

Phase 12
ID: 12
Type: QOS
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1503b13c0100, priority=70, domain=qos-per-class, deny=false hits=313786803, user_data=0x1503b1254ea0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 22300 ns

Phase 13
ID: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1503b03e4440, priority=0, domain=nat-per-session, deny=true hits=163581564, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 892 ns

Phase 14
ID: 14
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1503b0909330, priority=0, domain=inspect-ip-options, deny=true hits=128152450, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_OutsideZone(vrfid:0), output_ifc=any
Elapsed Time: 446 ns

Phase 15
ID: 15
Type: FLOW-CREATION
Result: ALLOW
Config:
Additional Information: New flow created with id 160155716, packet dispatched to next moduleModule information for forward flow ...snp_fp_inspect_ip_optionssnp_fp_snortsnp_fp_inspect_icmpsnp_fp_translatesnp_fp_adjacencysnp_fp_fragmentsnp_fp_tracer_dropsnp_ifc_statModule information for reverse flow ...snp_fp_inspect_ip_optionssnp_fp_translatesnp_fp_inspect_icmpsnp_fp_snortsnp_fp_adjacencysnp_fp_fragmentsnp_fp_tracer_dropsnp_ifc_stat
Elapsed Time: 14718 ns

Phase 16
ID: 16
Type: EXTERNAL-INSPECT
Result: ALLOW
Config:
Additional Information: Application: 'SNORT Inspect'
Elapsed Time: 22746 ns

Phase 17
ID: 17
Type: SNORT
Subtype: appid
Result: ALLOW
Config:
Additional Information: service: ICMP(3501), client: (0), payload: (0), misc: (0)
Elapsed Time: 13444 ns

Phase 18
ID: 18
Type: SNORT
Subtype: firewall
Result: ALLOW
Config: Network 0, Inspection 0, Detection 4, Rule ID 268447747
Additional Information: Starting rule matching, zone 2 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xffMatched rule ids 268447747 - Allow
Elapsed Time: 164572 ns

Phase 19
ID: 19
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information: Found next-hop 10.20.101.49 using egress ifc AZU_OutsideZone(vrfid:0)
Elapsed Time: 4014 ns

Phase 20
ID: 20
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information: Found adjacency entry for Next-hop 10.20.101.49 on interface AZU_OutsideZoneAdjacency :ActiveMAC address 1234.5678.9abc hits 14601632 reference 7284
Elapsed Time: 446 ns

Result
Input Interface: AZU_InsideZone(vrfid:0)
Input Status: up
Input Line Status: up
Output Interface: AZU_OutsideZone(vrfid:0)
Output Status: up
Output Line Status: up
Action: allow
Time Taken: 299327 ns

Re: Firepowers are not seeing any return traffic from the internet

MHM Cisco World — Mon, 04 Dec 2023 20:36:39 GMT

Use packet tracer using tcp not ICMP packet.

Share result here

MHM

Re: Firepowers are not seeing any return traffic from the internet

erics08 — Mon, 04 Dec 2023 20:39:49 GMT

Does it matter what port I use? I am not sure how packet tracer works, I don't have a lot of experience with FMC quite yet. Is it just a synthetic transaction that I can use 8.8.8.8 for a destination with https as both source and dest ports? Here is that output:

Interface: GigabitEthernet0/0
VLAN ID:
Protocol: TCP
Source Type: IPv4
Source IP value: 10.20.132.50
Source Port: https
Source SPI:
Destination Type: IPv4
Destination IP value: 8.8.8.8
Destination port: https
Inline Tag:
Treat simulated packet as IPsec/SSL VPN decrypt: false
Bypass all security checks for simulated packet: false
Allow simulated packet to transmit from device: false
Select Device: AZUCSFPP01
Run trace on all cluster members: false

Device details
Name: AZUCSFPP01
ID: f5e5fc74-beb9-11ed-8233-b0944b225a3d
Type: Device

Phase 1
ID: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information: Found next-hop 10.20.101.49 using egress ifc AZU_OutsideZone(vrfid:0)
Elapsed Time: 15164 ns

Phase 2
ID: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-group CSM_FW_ACL_ globalaccess-list CSM_FW_ACL_ advanced permit ip ifc AZU_InsideZone object 10_20_0_0_16 ifc AZU_OutsideZone any rule-id 268447747 access-list CSM_FW_ACL_ remark rule-id 268447747: ACCESS POLICY: AzureNorthCentralAccessControlPolicy - Mandatoryaccess-list CSM_FW_ACL_ remark rule-id 268447747: L7 RULE: ALLOW_INSIDE_OUT
Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Forward Flow based lookup yields rule: in id=0x15040bced2a0, priority=12, domain=permit, deny=false hits=128157445, user_data=0x1503dd34a440, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=10.20.0.0, mask=255.255.0.0, port=0, tag=any, ifc=AZU_InsideZone(vrfid:0) dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=AZU_OutsideZone(vrfid:0), vlan=0, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 2140 ns

Phase 3
ID: 3
Type: CONN-SETTINGS
Result: ALLOW
Config: class-map class-default match anypolicy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAPservice-policy global_policy global
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b132f940, priority=7, domain=conn-set, deny=false hits=160829310, user_data=0x1503b132acd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_InsideZone(vrfid:0), output_ifc=any
Elapsed Time: 2140 ns

Phase 4
ID: 4
Type: NAT
Result: ALLOW
Config: nat (AZU_InsideZone,AZU_OutsideZone) source static 10_20_132_50 20_221_254_24 description Tekla_2
Additional Information: Static translate 10.20.132.50/443 to 20.221.254.24/443 Forward Flow based lookup yields rule: in id=0x1503b31a4890, priority=6, domain=nat, deny=false hits=225, user_data=0x1503b2aebbc0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=10.20.132.50, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_InsideZone(vrfid:0), output_ifc=AZU_OutsideZone(vrfid:0)
Elapsed Time: 2140 ns

Phase 5
ID: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b03e0d40, priority=0, domain=nat-per-session, deny=false hits=122546743, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 2140 ns

Phase 6
ID: 6
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b088f110, priority=0, domain=inspect-ip-options, deny=true hits=187884436, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_InsideZone(vrfid:0), output_ifc=any
Elapsed Time: 2140 ns

Phase 7
ID: 7
Type: QOS
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1503b13c0100, priority=70, domain=qos-per-class, deny=false hits=313873239, user_data=0x1503b1254ea0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 7582 ns

Phase 8
ID: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config: nat (AZU_InsideZone,AZU_OutsideZone) source static 10_20_132_50 20_221_254_24 description Tekla_2
Additional Information: Forward Flow based lookup yields rule: out id=0x1503b27b1fa0, priority=6, domain=nat-reverse, deny=false hits=226, user_data=0x1503b1888640, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=10.20.132.50, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_InsideZone(vrfid:0), output_ifc=AZU_OutsideZone(vrfid:0)
Elapsed Time: 3568 ns

Phase 9
ID: 9
Type: QOS
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1503b13c0100, priority=70, domain=qos-per-class, deny=false hits=313873240, user_data=0x1503b1254ea0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 15164 ns

Phase 10
ID: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1503b03e0d40, priority=0, domain=nat-per-session, deny=false hits=122546745, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 0 ns

Phase 11
ID: 11
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1503b0909330, priority=0, domain=inspect-ip-options, deny=true hits=128190980, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=AZU_OutsideZone(vrfid:0), output_ifc=any
Elapsed Time: 0 ns

Phase 12
ID: 12
Type: FLOW-CREATION
Result: ALLOW
Config:
Additional Information: New flow created with id 160199567, packet dispatched to next moduleModule information for forward flow ...snp_fp_inspect_ip_optionssnp_fp_tcp_normalizersnp_fp_snortsnp_fp_translatesnp_fp_tcp_normalizersnp_fp_adjacencysnp_fp_fragmentsnp_fp_tracer_dropsnp_ifc_statModule information for reverse flow ...snp_fp_inspect_ip_optionssnp_fp_tcp_normalizersnp_fp_translatesnp_fp_snortsnp_fp_tcp_normalizersnp_fp_adjacencysnp_fp_fragmentsnp_fp_tracer_dropsnp_ifc_stat
Elapsed Time: 12488 ns

Phase 13
ID: 13
Type: EXTERNAL-INSPECT
Result: ALLOW
Config:
Additional Information: Application: 'SNORT Inspect'
Elapsed Time: 56196 ns

Phase 14
ID: 14
Type: SNORT
Subtype: appid
Result: ALLOW
Config:
Additional Information: service: DNS over HTTPS(4624), client: (0), payload: (0), misc: (0)
Elapsed Time: 16588 ns

Phase 15
ID: 15
Type: SNORT
Subtype: firewall
Result: ALLOW
Config: Network 0, Inspection 0, Detection 4, Rule ID 268447747
Additional Information: Starting rule matching, zone 2 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xffMatched rule ids 268447747 - Allow
Elapsed Time: 632221 ns

Phase 16
ID: 16
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information: Found next-hop 10.20.101.49 using egress ifc AZU_OutsideZone(vrfid:0)
Elapsed Time: 4014 ns

Phase 17
ID: 17
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information: Found adjacency entry for Next-hop 10.20.101.49 on interface AZU_OutsideZoneAdjacency :ActiveMAC address 1234.5678.9abc hits 15361856 reference 7849
Elapsed Time: 892 ns

Re: Firepowers are not seeing any return traffic from the internet

MHM Cisco World — Mon, 04 Dec 2023 20:47:29 GMT

Access to clish of ftd (cli)

Capture traffic

Then select 1 (router)

Then in option add server Ip as

Host x.x.x.x

Then make server ping to 8.8.8.8

To exit capture do

Ctrl + C

Share output here

MHM

Re: Firepowers are not seeing any return traffic from the internet

erics08 — Mon, 04 Dec 2023 20:53:46 GMT

I believe this is what you're looking for?

show capture
capture tekla_outside_int%intf=AZU_OutsideZone% type raw-data trace interface AZU_OutsideZone [Stopped - 0 bytes]
match ip host 10.20.132.50 any
capture tac type raw-data interface AZU_OutsideZone [Capturing - 0 bytes]
match icmp host 20.221.254.24 host 8.8.8.8

Re: Firepowers are not seeing any return traffic from the internet

MHM Cisco World — Mon, 04 Dec 2023 20:57:58 GMT

From fmc or cli it same

Share result

Re: Firepowers are not seeing any return traffic from the internet

erics08 — Mon, 04 Dec 2023 21:13:37 GMT

From FMC, I do a pcap with Protocol: IP, the source 8.8.8.8, destination is my public IP that is setup for the NAT and I see packets. I think I'm understanding that correctly.

1: 21:08:17.657039 20.221.254.24 > 8.8.8.8 icmp: echo request
2: 21:08:22.657253 20.221.254.24 > 8.8.8.8 icmp: echo request
3: 21:08:27.656734 20.221.254.24 > 8.8.8.8 icmp: echo request
4: 21:08:32.657223 20.221.254.24 > 8.8.8.8 icmp: echo request

Re: Firepowers are not seeing any return traffic from the internet

MHM Cisco World — Mon, 04 Dec 2023 21:26:21 GMT

Sorry if I late in my reply'

I Solve many issues for other in same time

Now

This next hop.I dont understand' if the private IP NATing to public IP 20.221 then why next hop is this IP? And the more confuse point it add to OutZone ?

Additional Information: Found next-hop 10.20.101.49 using egress ifc AZU_OutsideZone(vrfid:0)

Re: Firepowers are not seeing any return traffic from the internet

erics08 — Wed, 20 Mar 2024 18:34:15 GMT

Sorry for late reply. This was resolved as an issue with Azure, the public IP wasn't being allowed in Azure.