Can you Connect A Firepower 1010 to a ISP Gateway like Att

1timcisco
Level 1

I have a att fiber connection to my house and the gateway (all in one device) has a built in switch.  I connected one of the swichports to the outside interface of my Firepower 1010 expecting everything to work as if I had plugged in a WAN connection to the outside interface but no go.  Is this a possible configuration?  I have tried assigning a static address to the outside interface and using DHCP.

Accepted Solution

1timcisco
Level 1

So it turns out that I was able to do this:

1. Assigned the outside interface DHCP

2. Created a NEW DNS object that was the DNS of the ATT router/firewall/modem

3. Created Dynamic NAT from inside to outside with the ATT DNS as the original source

4. Added access rule to allow any any to the source ATT DNS

5. Added a Static Route from any ipv4 to the outside interface (ATT Private Network) to the Gateway of the ATT Router/Firewall/Modem which is also the IP for the DNS Server.

Now I can access the internet with my Firepower 1010 connected to a switchport on the ATT All-In-One Device and segment traffic south of the Firepower, with the ATT device serving all the IoT devices.

Thanks for pointing me in the right direction!

10 Replies

balaji.bandi
Hall of Fame

It should work as expected: the outside interface gets DHCP from the provider, and you are able to configure the inside and the other information.

Here is the start guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1010/firepower-1010-gsg/ftd-fmc.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

It's a private address that it is giving; is that ok? Thx

It's ok, they do NAT on their end; set up as per the quick start guide. (Make sure you will not overlap the private address they are giving you; do not use the same address.)

Example: if the provider is giving you 192.168.1.X, your internal should be a different one, like 192.168.20.X/24.

BB
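A small sanity check for the two points raised above (the accepted solution's static route to the ATT gateway, and BB's warning not to reuse the ISP's private range). This is an added example, not code from the thread or from Cisco; the addresses in it are constructed, and the ISP LAN 192.168.1.0/24 with gateway 192.168.1.254 is an assumption.

```python
import ipaddress


def check_double_nat_plan(outside_lease, gateway, inside_subnets):
    """Validate a firewall whose outside interface sits on an ISP gateway's LAN.

    outside_lease:  address/prefix the ISP device handed the outside interface
                    via DHCP, e.g. "192.168.1.64/24" (constructed value).
    gateway:        next hop for the firewall's default route, i.e. the ISP
                    device's LAN address.
    inside_subnets: networks the firewall will NAT (or route) toward outside.

    Returns a list of problem strings; an empty list means the plan is clean.
    """
    problems = []
    outside = ipaddress.ip_interface(outside_lease)
    isp_lan = outside.network
    gw = ipaddress.ip_address(gateway)

    # The default route's next hop must be on-link on the outside interface,
    # otherwise the static route "any -> gateway" never resolves.
    if gw not in isp_lan:
        problems.append(f"gateway {gw} is not on the outside subnet {isp_lan}")

    # Inside networks must not reuse the ISP's private range: the firewall
    # would treat traffic for those hosts as local and never forward it.
    nets = [ipaddress.ip_network(s, strict=False) for s in inside_subnets]
    for net in nets:
        if net.overlaps(isp_lan):
            problems.append(f"inside {net} overlaps ISP LAN {isp_lan}; renumber it")

    # Inside networks must also be disjoint from each other.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"inside {a} overlaps inside {b}")
    return problems


if __name__ == "__main__":
    # Constructed example: ISP hands out 192.168.1.0/24, gateway .254,
    # and the inside LAN is 192.168.20.0/24 as BB suggested.
    for p in check_double_nat_plan("192.168.1.64/24", "192.168.1.254",
                                   ["192.168.20.0/24", "192.168.1.0/24"]):
        print("PROBLEM:", p)
```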

When the ISP is providing private IPs, you must make sure that the ISP device can talk to your internal network. Two solutions for this:

1) Preferred: Configure no NAT/PAT on the Firepower, but configure a static route for your internal network on the ISP-device pointing to the outside IP of your firewall.

2) Less preferred, but the way to go if your ISP device cannot be configured with static routes: configure NAT/PAT also on the Firepower. With this you have two NAT instances, but typically that does not do much harm.

If you want the Firepower to improve security for your internal network, you could also configure FTD to use transparent or inline mode. But this is already a little bit advanced.

Hi @1timcisco

What did you test that didn't work?

Can the 1010 itself ping the internet or the upstream router?

For devices connected to the inside of the 1010 you'll need to NAT behind the outside interface, as the upstream router probably won't have a route back to the 1010's inside networks.

That sounds about right. I changed the DNS on the Firepower to the DNS of the Att device and was able to ping the Att gateway and appear to get online, but the traffic seems to be getting out and not back in. Any good links to help me understand how to properly NAT this thing?

@1timcisco

I assume you are using FDM; try this link:

https://ccnpsecuritywannabe.blogspot.com/2019/10/configuring-cisco-ftd-nat-access-rules.html

If you are running ASA software, then a NAT rule such as:

object network internal-networks
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

Ha, I'm using the FMC.

Example: (screenshot of an FMC NAT rule, fmc nat.PNG)
