
Firepower 1120 Gateway cannot be reached through port Ethernet1/1 name "outside"

dposmondsr7367
Level 1

I am replacing a 5550 ASA on my home network with a Firepower 1120.  I manually added the interfaces and such using similar naming conventions on the 5550.  When I mouse over 1/1 I see the message box stating "Gateway cannot be reached through port Ethernet1/1 named "outside"".  Looking for suggestions on what to check for.

 


 

This is shown with and without actual connection to the cable modem which is bridged.  

> show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet1/1              outside                208.104.20.30   255.255.255.0   CONFIG
Ethernet1/2              inside-original        192.168.104.1   255.255.255.0   CONFIG
Ethernet1/3              inside2                10.10.81.1      255.255.255.0   CONFIG
Ethernet1/4              inside3                192.168.1.1     255.255.255.0   CONFIG
Ethernet1/5              l3                     10.10.103.254   255.255.255.0   CONFIG
Ethernet1/9              inside                 192.168.103.1   255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet1/1              outside                208.104.20.30   255.255.255.0   CONFIG
Ethernet1/2              inside-original        192.168.104.1   255.255.255.0   CONFIG
Ethernet1/3              inside2                10.10.81.1      255.255.255.0   CONFIG
Ethernet1/4              inside3                192.168.1.1     255.255.255.0   CONFIG
Ethernet1/5              l3                     10.10.103.254   255.255.255.0   CONFIG
Ethernet1/9              inside                 192.168.103.1   255.255.255.0   CONFIG

 

> show network
===============[ System Information ]===============
Hostname                  : OsmondFPR1120
DNS Servers               : 208.104.244.45
                            208.104.2.36
Management port           : 8305
IPv4 Default route
  Gateway                 : data-interfaces
==================[ management0 ]===================
State                     : Enabled
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               : 6C:03:09:ED:FF:80
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.45.45
Netmask                   : 255.255.255.0
Broadcast                 : 192.168.45.255
----------------------[ IPv6 ]----------------------
Configuration             : Disabled
===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

 

 

2 Accepted Solutions


johnlloyd_13
Level 9

Hi,

Your NAT is configured as STATIC. Change it to DYNAMIC and also change under translated packet > source address > interface.

See helpful link:

https://ccnpsecuritywannabe.blogspot.com/2019/09/configuring-ftd-623-via-firepower.html


That worked.  Thanks to @johnlloyd_13 and @Marvin Rhoads for the support on this!


13 Replies

Marvin Rhoads
Hall of Fame

Does your ISP really give you a /24 as indicated in your configuration of Ethernet 1/1?

 208.104.20.30   255.255.255.0 

 

dposmondsr7367
Level 1

I have three statics coming in via the cable modem.  This is what I have on my 5550 now.

 

interface GigabitEthernet0/0
 description outside
 nameif outside
 security-level 100
 ip address 208.104.20.30 255.255.255.0
!

 
 


 

I was replicating what I have live on the 5550.  The static for my gateway on the 5550 is 

image.png

The other static IPs are 208.104.20.145 and 208.104.20.198 which I use NAT rules to handle to other inside IPs.  For now I am just trying to get the 1120 able to connect outside and register it and of course make use of it in place of the 5550.  When I look at the ARP table on the 5550 it shows 208.104.20.1 on the "outside" interface which is the gateway from the ISP.

OK, you should be able to get things going then if you put that gateway address in as the static default route for your system's dataplane. Your FDM GUI screenshot indicates you haven't configured any routes yet. (The default setup uses DHCP with setroute option.)
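
The subnet check behind the /24 question and the static-route advice above, as an added example (not part of any post in this thread and not Cisco tooling): it parses `show ip` output in the wrapped form pasted in the original post and tests whether a route's gateway is on-link for the named interface. The sample rows are constructed from that paste, 208.104.20.1 is the gateway the poster reports from the 5550's ARP table, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: rows copied from the post's "show ip" paste, keeping the
# Method column wrapped onto its own line as the CLI printed it.
SHOW_IP = """\
Interface                Name                   IP address      Subnet mask
  Method
Ethernet1/1              outside                208.104.20.30   255.255.255.0
  CONFIG
Ethernet1/2              inside-original        192.168.104.1   255.255.255.0
  CONFIG
Ethernet1/9              inside                 192.168.103.1   255.255.255.0
  CONFIG
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(rf"^(\S+)\s+(\S+)\s+({IPV4})\s+({IPV4})(?:\s+\S+)?$")


def parse_show_ip(text):
    """Map nameif -> IPv4Interface; header and wrapped Method lines are skipped."""
    interfaces = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            interfaces[m.group(2)] = ipaddress.ip_interface(f"{m.group(3)}/{m.group(4)}")
    return interfaces


def check_next_hop(interfaces, nameif, gateway):
    """Return (ok, reason): is the route's gateway on-link for its egress interface?"""
    gw = ipaddress.ip_address(gateway)
    iface = interfaces.get(nameif)
    if iface is None:
        return False, f"no interface named {nameif}"
    if gw == iface.ip:
        return False, f"{gw} is the interface's own address"
    if gw in iface.network:
        return True, f"{gw} is on-link in {iface.network} via {nameif}"
    owners = [n for n, i in interfaces.items() if gw in i.network]
    hint = f"; it belongs to {owners[0]}" if owners else ""
    return False, f"{gw} is outside {iface.network} on {nameif}{hint}"


if __name__ == "__main__":
    table = parse_show_ip(SHOW_IP)
    # 208.104.20.1 is the ISP gateway the poster reads from the 5550's ARP table.
    print(check_next_hop(table, "outside", "208.104.20.1"))
    print(check_next_hop(table, "outside", "192.168.103.254"))
```

A pass only rules out a subnet mismatch between the route and the interface; it does not show that the gateway answers ARP on that port.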

Is that not what this is?

image.png

Oh OK - I was going by the first screenshot which said no routes.

What's causing the Eth 1/1 interface status to be orange? Hovering over it should bring up a status tooltip.

Sorry about that, the screen shot was before I added the static.  I was following the documentation and thought what I had should work.  Right now the 1120 is not connected to the cable modem.  When attached to the cable modem it will go green.  I did power down the cable modem and the 1120 before moving from 5550 to the 1120.  Even though it was green I got the same message about the gateway and ISP/WAN/Gateway box never changes colors (assuming it would).  1/9 which is my internal network goes green and all of the devices inside on the switch see each other but of course none can get outside.  I get the message about the gateway even when attached to the cable modem.  My daughter and I both work remote from home so need network up during business hours.  Let me know what else you need to review and I can send a word doc with current screen shots.  Thx

Attached are screenshots of everything (I think).

Like @johnlloyd_13 said - correct the NAT configuration and deploy.

Hi

 

I have the same issue, but my NAT is on dynamic, not static, and I still have the same problem?  Thanks

 

Ammar


Hi

 

I have the same issue, but my NAT is on dynamic? Thanks
