
access rules firepower 1010

BornJames
Level 1

Hi team,

I have a question regarding access rules.

How come, with an any/any rule, everything works fine?

However, when I want to allow, let's say, connecting to Facebook and disable everything else,

I put source (inside), network (any-ipv4), ports (any), destination (outside_zone), network (FQDN facebook.com), ports (any).

So now I should have a connection only to Facebook; however, there is no connection at all.

 


That is interesting. When you type "system support" and then type "?", does it show you the diagnostic-cli option?

Nah, nothing happens. It doesn't allow me to push Enter, it just sits there.

Would you mind sharing the screenshot?

So there is an issue with DNS.
The first point to clear here is:
DNS for data is different from DNS for mgmt.
Do you run the FPR 1010 with the ASA image or the FTD image?
Is the FPR managed by FDM or FMC?

Thank you for the reply.

I have got a default DNS group which consists of 8.8.8.8 and 8.8.4.4 and is used for VLAN 1 and for management.

[screenshot attached]

But I also have got this configured, so the PCs can get this DNS.

[screenshot attached]

 

Are you saying that it is not how it is supposed to be?

Do you run the FPR 1010 with the ASA image or the FTD image?
Is the FPR managed by FDM or FMC?

How would I check that?

It is just out of the box.

 

Thank you.

 

Client -> FPR -> 8.8.8.8: this needs an ACL config in the FPR allowing the INside subnet to ANY on UDP port 53, and as normal you need NATing from INside to the OUTside public IP.

FPR -> 8.8.8.8: this needs the source of DNS changed from mgmt to INside, or keep mgmt as the source of DNS but NAT the mgmt interface to the OUTside interface.

Yeah, I do have that rule allowing from inside to outside on port 53 for TCP and UDP; also NATing is in place, as everything is working fine when I have an any-to-any rule configured.

I don't understand the second part that I need to change for management...

 

OK, when you use an FQDN in the ACL instead of an IP, the FPR will resolve the FQDN into an IP,
so here the DNS is mgmt, not data.
The FPR will send the DNS request using mgmt as the source IP and 8.8.8.8 as the destination, BUT
does 8.8.8.8 know the FPR mgmt private IP? Surely NO, so you need an IP that can access the internet, and hence you can use the data interface INside as the source for DNS mgmt traffic.
Hope this helps you, friend.
Thanks,
MHM
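The pieces MHM describes above, written out as an ASA-style CLI configuration so the dependencies are visible in one place: DNS reachable through a data interface, an FQDN object the firewall resolves itself, PAT for inside hosts, and an ACL that still lets clients resolve names. This is an added illustration, not configuration from this thread; the interface names, object names and the 192.168.1.0/24 inside subnet are assumptions, and an FDM-managed FTD exposes the same settings through its GUI rather than this syntax.

```text
! Let the firewall resolve names via the inside data interface,
! not only via the management interface
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
!
! FQDN object referenced by the ACL; the firewall resolves it itself
object network FACEBOOK
 fqdn facebook.com
!
! Assumed inside subnet, PAT'd to the outside interface address
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Clients must still be able to resolve names; everything else
! is limited to the FQDN object, and the final deny is logged
access-list INSIDE_IN extended permit udp object INSIDE_NET any eq domain
access-list INSIDE_IN extended permit tcp object INSIDE_NET any eq domain
access-list INSIDE_IN extended permit ip object INSIDE_NET object FACEBOOK
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

After applying this, "show dns" on the ASA shows whether the firewall has actually cached an address for the FQDN object, which is the first thing to check when an FQDN rule matches nothing. Large sites return many changing addresses, so the address the firewall cached can differ from the one a client resolves; treat FQDN rules as a coarse control rather than an exact one.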

Hello MHM,

I have access to the internet via VLAN 1, it is working. What would this rule look like?

"so you need an IP that can access the internet, and hence you can use the data interface INside as the source for DNS mgmt traffic."

thank you for the help

Yes, but you use the dedicated mgmt interface, not a data interface, as the mgmt interface.
Anyway,
only add the mgmt interface to NATing: make the mgmt subnet NAT to the OUTside public IP.

I don't understand.

You mean like this?

[screenshot attached]

 

 

 

Correct.

Do that 

Then configure your ACL with the FQDN and check deny/permit traffic.

Nah, lost internet connection.

This is the rule I have just for a test, but there is no internet connection after the NAT change.

[screenshot attached]

 

Can I see all the NAT you configured in the FPR?

This is the only NAT rule I have.

[screenshot attached]

 
