topic Re: Cisco FTD - Snort blocking access from one subnet to outside inter in Network Security

Cisco FTD - Snort blocking access from one subnet to outside interface

NetworkPitu — Thu, 14 Mar 2024 10:05:13 GMT

Hello,

in company we have Cisco Firepower 1140 to this we have connected Cisco ISR and switch. We created new subnet for customer SDWAN to get access to internet from our ISP. So everything localy works. From ISR I can ping local IP address of our FTD with source of this new subnet but to outside like 8.8.8.8 I have issue. Basically there is no ping from this subnet to network even if we have other our subnets configured in same way and they are working fine. I added ACL rule to allow/trust traffic from this subnet to outside to all IPs and ports. Still same issue

Our FTDs are managed by FMC. In there in Packet Tracer we have error/deny by Snort (I attached screenshot from this part)

To be honest I am trying to solve it like a week now and I really need urgent help. I will be very grateful for any tips and solutions

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

MHM Cisco World — Thu, 14 Mar 2024 10:48:12 GMT

Show access-list

The packet-tracer show rule ID that drop packet

Check this rule ID

MHM

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

NetworkPitu — Thu, 14 Mar 2024 11:36:24 GMT

Yes, I see this:

access-list CSM_FW_ACL_ line 82 remark rule-id 268434432: ACCESS POLICY: Global_Policy - Default

access-list CSM_FW_ACL_ line 83 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE

access-list CSM_FW_ACL_ line 84 advanced deny ip any any rule-id 268434432 (hitcnt=0) 0x97aa021a

So thats why it is blocking. So how can I allow it? Even if I have in ACL rule to allow this subnet to internet?

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

MHM Cisco World — Thu, 14 Mar 2024 11:42:34 GMT

You mention that you add ACL, can I see the ACL in FTD

MHM

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

NetworkPitu — Thu, 14 Mar 2024 11:47:05 GMT

Sure. For security I blurred name of rule and second one is object with this new subnet.

Also I selected action to trust but I tested it with allow

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

MHM Cisco World — Thu, 14 Mar 2024 12:25:29 GMT

For ACL order I will make double check

But also what I notice is zone

The drop packey pass from zone2 to zone2 ? Can you also make double check this point.

MHM

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

NetworkPitu — Thu, 14 Mar 2024 12:35:55 GMT

Sorry, where you notice zone2? I checked screenshots and I cannot find them. We have zone "inside" and "outside" as our main zones in network

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

NetworkPitu — Thu, 14 Mar 2024 13:37:24 GMT

aa ok, found it in Packet Tracer. To be honest I am not sure why even if we don't have zone called "zone2"

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

MHM Cisco World — Thu, 14 Mar 2024 14:43:29 GMT

can you share the lookup phase of packet-tracer

MHM

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

NetworkPitu — Thu, 14 Mar 2024 14:37:46 GMT

Sure. Also I blurred IP but there is a IP of a gateway from out ISP. I found only this with Lookup phase

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

MHM Cisco World — Thu, 14 Mar 2024 14:53:09 GMT

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

NetworkPitu — Fri, 15 Mar 2024 08:35:23 GMT

ohh ok got it but I don't know why it is to same zone (internet) even if it is configured correctly on ISR. Maybe you know what to check why it is happened?

Re: Cisco FTD - Snort blocking access from one subnet to outside inter

MHM Cisco World — Sat, 16 Mar 2024 09:47:40 GMT

can I see how you config the packet-tracer

thanks

MHM