Access Control Security Policies not working with Zones (Inside/Outside) using FTD on Firepower 1010

gurdipbhangle
Level 1

Hi,

I have a very odd/strange problem in relation to Access Control Security Policies on a Firepower 1010 managed using FDM.

I'm configuring two Firepower 1010s with RA VPN and two very simple NAT rules to allow SMTP and FTP to two servers. I have also configured RA VPN, which works fine on both, but I'm having Access Control issues on one of the devices.

I have configured both Firepower 1010s with FDM version 6.6.0.1-7; both have the same configurations and the same NAT and Access Control policies. For some reason, on one of the devices the access control policies don't seem to be working.

Both have two zones: Inside (VLAN1, Interfaces 2-8) and Outside (Interface 1).

So let's take the FTP NAT and Access Control policy:

 

Manual FTP NAT rule

Type: Static

Interface: Inside > Outside

Original Packet

  • Source: FTPHost
  • Dest: Any
  • Source Port: FTP
  • Dest: Any

Translated Packet

  • Source: Interface
  • Dest: Any
  • Source Port: FTP
  • Dest: Any

The corresponding Access List:

Action: Allow

Source

  • Zones: outside_zone
  • Networks: any-ipv4
  • Ports: Any

Destination

  • Zones: inside_zone
  • Networks: FTPHost
  • Ports: FTP

The above configuration works on one FW but not on the other!

What seems to make the Access Control Policy work is if I remove the zones and leave them as ANY to ANY, which is not ideal.

Has anyone had similar issues?

Thanks

Gurdip Bhangle

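An added example, not from the post or from Cisco: a minimal Python model of how a zone-conditioned access rule is matched against a flow through interface-to-zone membership. It is used to test one hypothesis a practitioner would check first on the failing device, namely that an interface is not actually a member of the zone the rule names (interface names, the FTPHost address and the zone tables are constructed), and it shows why setting both zones to ANY "works": it removes the zone condition rather than fixing the membership mismatch.

```python
from typing import Dict, Optional, Set
from dataclasses import dataclass

FTP_HOST = "192.0.2.10"   # constructed placeholder for the post's FTPHost object
FTP_PORT = 21

@dataclass(frozen=True)
class Flow:
    in_iface: str     # interface the packet arrived on
    out_iface: str    # interface the packet leaves on (after routing/NAT)
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class AccessRule:
    src_zone: Optional[str]   # None means any source zone
    dst_zone: Optional[str]   # None means any destination zone
    dst_nets: Set[str]        # empty set means any network
    dst_ports: Set[int]       # empty set means any port

def zone_of(zones: Dict[str, Set[str]], iface: str) -> Optional[str]:
    """Return the zone that contains iface, or None if it is unassigned."""
    return next((z for z, members in zones.items() if iface in members), None)

def rule_matches(rule: AccessRule, zones: Dict[str, Set[str]], flow: Flow) -> bool:
    """Zone conditions are evaluated through interface membership, not by name."""
    if rule.src_zone and zone_of(zones, flow.in_iface) != rule.src_zone:
        return False
    if rule.dst_zone and zone_of(zones, flow.out_iface) != rule.dst_zone:
        return False
    if rule.dst_nets and flow.dst_ip not in rule.dst_nets:
        return False
    return not rule.dst_ports or flow.dst_port in rule.dst_ports

# The post's rule: outside_zone -> inside_zone, FTPHost, port FTP.
FTP_RULE = AccessRule("outside_zone", "inside_zone", {FTP_HOST}, {FTP_PORT})
# The poster's workaround: the same rule with both zones set to ANY.
FTP_RULE_ANY_ZONE = AccessRule(None, None, {FTP_HOST}, {FTP_PORT})

# Constructed zone tables. Device A matches the post's description.
ZONES_OK = {"outside_zone": {"Ethernet1/1"}, "inside_zone": {"Vlan1"}}
# Device B: hypothetical misconfiguration, outside interface not in its zone.
ZONES_MISSING_OUTSIDE = {"outside_zone": set(), "inside_zone": {"Vlan1"}}

INBOUND_FTP = Flow("Ethernet1/1", "Vlan1", FTP_HOST, FTP_PORT)

def evaluate(zones: Dict[str, Set[str]]):
    """Return (zoned rule hit, any-zone rule hit) for the inbound FTP flow."""
    return (rule_matches(FTP_RULE, zones, INBOUND_FTP),
            rule_matches(FTP_RULE_ANY_ZONE, zones, INBOUND_FTP))
```

On the misconfigured table the zoned rule never matches while the any-zone rule does, which is the symptom in the post; the any-zone version also allows FTPHost:21 from traffic arriving on any interface, which is why it is the weaker policy.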