Cisco FTD - Snort blocking access from one subnet to outside interface

NetworkPitu
Level 1

Hello,

In our company we have a Cisco Firepower 1140, and connected to it we have a Cisco ISR and a switch. We created a new subnet for a customer SDWAN to get access to the internet from our ISP. Everything works locally. From the ISR I can ping the local IP address of our FTD with the source of this new subnet, but to outside, like 8.8.8.8, I have an issue. Basically there is no ping from this subnet to the network, even though we have other subnets of ours configured in the same way and they are working fine. I added an ACL rule to allow/trust traffic from this subnet to outside, to all IPs and ports. Still the same issue.

Our FTDs are managed by FMC. There, in Packet Tracer, we have an error/deny by Snort (I attached a screenshot of this part).

To be honest I am trying to solve it like a week now and I really need urgent help. I will be very grateful for any tips and solutions

 

12 Replies

Show access-list

The packet-tracer shows the rule ID that drops the packet

Check this rule ID

MHM

Yes, I see this:

access-list CSM_FW_ACL_ line 82 remark rule-id 268434432: ACCESS POLICY: Global_Policy - Default
access-list CSM_FW_ACL_ line 83 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 84 advanced deny ip any any rule-id 268434432 (hitcnt=0) 0x97aa021a
 
So that's why it is blocking. So how can I allow it? Even if I have an ACL rule to allow this subnet to the internet?
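The advice above is to take the rule-id that packet-tracer reports and look it up in `show access-list`, where the remark lines name the access policy and the rule that the rule-id belongs to. The following is an added example, not code from this thread or from Cisco: a small Python parser that groups `show access-list` output by rule-id, maps a rule-id back to its policy and rule name, and lists the rules evaluated before it together with their hit counts (so you can see whether the intended allow rule sits above the default rule and whether it ever matched). The sample output, the rule name `Customer_SDWAN_to_Internet`, the object-group `CUSTOMER_SDWAN`, the line numbers and the hash values are constructed for the example; only the default-rule lines are modelled on the output quoted above.

```python
import re

# Constructed sample in the format of FTD `show access-list` output. The permit rule,
# its object-group, line numbers and hashes are invented; the three default-rule
# lines mirror the ones quoted in the thread.
SAMPLE_ACL = """\
access-list CSM_FW_ACL_ line 10 remark rule-id 268435458: ACCESS POLICY: Global_Policy - Mandatory
access-list CSM_FW_ACL_ line 11 remark rule-id 268435458: L7 RULE: Customer_SDWAN_to_Internet
access-list CSM_FW_ACL_ line 12 advanced permit ip ifc inside object-group CUSTOMER_SDWAN ifc outside any rule-id 268435458 (hitcnt=0) 0x1a2b3c4d
access-list CSM_FW_ACL_ line 82 remark rule-id 268434432: ACCESS POLICY: Global_Policy - Default
access-list CSM_FW_ACL_ line 83 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 84 advanced deny ip any any rule-id 268434432 (hitcnt=0) 0x97aa021a
"""

# Remark lines carry the policy name and the rule name for a rule-id.
REMARK_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) remark rule-id (?P<rid>\d+): (?P<text>.*)$"
)
# ACE lines carry the action, the match criteria and the hit counter.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) advanced (?P<action>\S+) (?P<match>.*?) "
    r"rule-id (?P<rid>\d+) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_access_list(text):
    """Group `show access-list` lines by rule-id.

    Returns a dict rule-id -> {"policy", "rule", "aces"}; insertion order follows
    the ACL, so earlier keys are evaluated before later ones.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = REMARK_RE.match(line)
        if m:
            entry = rules.setdefault(m["rid"], {"policy": None, "rule": None, "aces": []})
            kind, _, value = m["text"].partition(": ")
            if kind == "ACCESS POLICY":
                entry["policy"] = value
            elif kind.endswith("RULE"):  # "L4 RULE" or "L7 RULE"
                entry["rule"] = value
            continue
        m = ACE_RE.match(line)
        if m:
            entry = rules.setdefault(m["rid"], {"policy": None, "rule": None, "aces": []})
            entry["aces"].append({
                "line": int(m["line"]),
                "action": m["action"],
                "match": m["match"],
                "hits": int(m["hits"]),
            })
    return rules


def explain_rule_id(text, rule_id):
    """Map a rule-id from packet-tracer to its policy/rule and the rules above it.

    Returns None when the rule-id does not appear in the output. Otherwise the
    result includes "evaluated_before": (rule name, action, hits) for every rule
    that precedes the target, which is where a missing or never-matching allow
    rule shows up.
    """
    rules = parse_access_list(text)
    rid = str(rule_id)
    entry = rules.get(rid)
    if entry is None:
        return None
    before = []
    for other_rid, other in rules.items():
        if other_rid == rid:
            break
        for ace in other["aces"]:
            before.append((other["rule"], ace["action"], ace["hits"]))
    first = entry["aces"][0] if entry["aces"] else None
    return {
        "policy": entry["policy"],
        "rule": entry["rule"],
        "action": first["action"] if first else None,
        "hits": first["hits"] if first else None,
        "evaluated_before": before,
    }


if __name__ == "__main__":
    # Rule-id taken from the packet-tracer output quoted in the thread.
    info = explain_rule_id(SAMPLE_ACL, 268434432)
    print(info["policy"], "/", info["rule"], "->", info["action"])
    for name, action, hits in info["evaluated_before"]:
        print(f"  evaluated earlier: {name} ({action}, hitcnt={hits})")
```

Paste the real `show access-list` output in place of the constructed sample. In the sample, the permit rule sits above the default rule but has `hitcnt=0`, which is the signature of a rule that exists but never matched the flow (wrong zone, wrong source object, or the traffic reaching the firewall on a different interface than the rule expects); a missing entry in `evaluated_before` means the rule was never deployed to the FTD at all.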

You mention that you added an ACL; can I see the ACL in FTD?

MHM

Sure. For security I blurred the name of the rule, and the second one is the object with this new subnet.

Also, I selected the action "trust", but I tested it with "allow" too.

For ACL order I will double check.

But also, what I notice is the zone.

The dropped packet passes from zone2 to zone2? Can you also double check this point?

MHM

Sorry, where did you notice zone2? I checked the screenshots and I cannot find it. We have the zones "inside" and "outside" as our main zones in the network.

Ah ok, found it in Packet Tracer. To be honest I am not sure why, since we don't even have a zone called "zone2".

Can you share the lookup phase of packet-tracer?

MHM

Sure. Also, I blurred the IP, but it is the IP of a gateway from our ISP. I found only this with the Lookup phase.

Screenshot 2024-03-14 105322.png

Ohh ok, got it, but I don't know why it goes to the same zone (internet) even though it is configured correctly on the ISR. Maybe you know what to check for why this happened?

Can I see how you configured the packet-tracer?

Thanks

MHM
