Solved: Re: Firepower 1120 Gateway cannot be reached through port Ethernet1/1 name "outside"

dposmondsr7367 · ‎06-10-2021

I am replacing a 5550 ASA on my home network with a Firepower 1120. I manually added the interfaces and such using similar naming conventions on the 5550. When I mouse over 1/1 I see the message box stating "Gateway cannot be reached through port Ethernet1/1 named "outside"". Looking for suggestions on what to check for.

This is shown with and without actual connection to the cable modem which is bridged.

> show ip

System IP Addresses:

Interface Name IP address Subnet mask

Method

Ethernet1/1 outside 208.104.20.30 255.255.255.0

CONFIG

Ethernet1/2 inside-original 192.168.104.1 255.255.255.0

CONFIG

Ethernet1/3 inside2 10.10.81.1 255.255.255.0

CONFIG

Ethernet1/4 inside3 192.168.1.1 255.255.255.0

CONFIG

Ethernet1/5 l3 10.10.103.254 255.255.255.0

CONFIG

Ethernet1/9 inside 192.168.103.1 255.255.255.0

CONFIG

Current IP Addresses:

Interface Name IP address Subnet mask

Method

Ethernet1/1 outside 208.104.20.30 255.255.255.0

CONFIG

Ethernet1/2 inside-original 192.168.104.1 255.255.255.0

CONFIG

Ethernet1/3 inside2 10.10.81.1 255.255.255.0

CONFIG

Ethernet1/4 inside3 192.168.1.1 255.255.255.0

CONFIG

Ethernet1/5 l3 10.10.103.254 255.255.255.0

CONFIG

Ethernet1/9 inside 192.168.103.1 255.255.255.0

CONFIG

>

> show network

===============[ System Information ]===============

Hostname : OsmondFPR1120

DNS Servers : 208.104.244.45

208.104.2.36

Management port : 8305

IPv4 Default route

Gateway : data-interfaces

==================[ management0 ]===================

State : Enabled

Channels : Management & Events

Mode : Non-Autonegotiation

MDI/MDIX : Auto/MDIX

MTU : 1500

MAC Address : 6C:03:09:ED:FF:80

----------------------[ IPv4 ]----------------------

Configuration : Manual

Address : 192.168.45.45

Netmask : 255.255.255.0

Broadcast : 192.168.45.255

----------------------[ IPv6 ]----------------------

Configuration : Disabled

===============[ Proxy Information ]================

State : Disabled

Authentication : Disabled

johnlloyd_13 · ‎06-11-2021

hi,

your NAT is configured as STATIC. change it to DYNAMIC and also change under translated packet > source address > interface.

see helpful link:

https://ccnpsecuritywannabe.blogspot.com/2019/09/configuring-ftd-623-via-firepower.html

View solution in original post

dposmondsr7367 · ‎06-12-2021

That worked. Thanks to @johnlloyd_13 and @Marvin Rhoads for the support on this!

View solution in original post

Marvin Rhoads · ‎06-11-2021

Does your ISP really give you a /24 as indicated in your configuration of Ethernet 1/1?

 208.104.20.30   255.255.255.0

dposmondsr7367 · ‎06-11-2021

I have three statics coming in via the cable modem. This is what I have on my 5550 now.

interface GigabitEthernet0/0

description outside

nameif outside

security-level 100

ip address 208.104.20.30 255.255.255.0

!

I was replicating what I have live on the 5550. The static for my gateway on the 5550 is

dposmondsr7367 · ‎06-11-2021

The other static IPs are 208.104.20.145 and 208.104.20.198 which I use NAT rules to handle to other inside IPs. For now I am just trying to get the 1120 able to connect outside and register it and of course make use of it in place of the 5550. When I look at the ARP table on the 5550 it shows 208.104.20.1 on the "outside" interface which is the gateway from the ISP.

Marvin Rhoads · ‎06-11-2021

OK, you should be able to get things going then if you put that gateway address in as the static default route for your system's dataplane. Your FDM GUI screenshot indicates you haven't configured any routes yet. (The default setup uses DHCP with setroute option.)

dposmondsr7367 · ‎06-11-2021

Is that not what this is?

Marvin Rhoads · ‎06-11-2021

Oh OK - I was going by the first screenshot which said no routes.

What's causing the Eth 1/1 interface status to be orange? Hovering over it should bring up a status tooltip.

dposmondsr7367 · ‎06-11-2021

Sorry about that, the screen shot was before I added the static. I was following the documentation and thought what I had should work. Right now the 1120 is not connected to the cable modem. When attached to the cable modem it will go green. I did power down the cable modem and the 1120 before moving from 5550 to the 1120. Even though it was green I got the same message about the gateway and ISP/WAN/Gateway box never changes colors (assuming it would). 1/9 which is my internal network goes green and all of the devices inside on the switch see each other but of course none can get outside. I get the message about the gateway even when attached to the cable modem. My daughter and I both work remote from home so need network up during business hours. Let me know what else you need to review and I can send a word doc with current screen shots. Thx

dposmondsr7367 · ‎06-11-2021

Attached is screen shots of everything (I think).

Marvin Rhoads · ‎06-12-2021

Like @johnlloyd_13 said - correct the NAT configuration and deploy.

AmmarHermiz14196 · ‎11-15-2021

Hi

I have same issue but my NAT is on dynamic not static, and I still have same problem? Thanks

Ammar

johnlloyd_13 · ‎06-11-2021

hi,

your NAT is configured as STATIC. change it to DYNAMIC and also change under translated packet > source address > interface.

see helpful link:

https://ccnpsecuritywannabe.blogspot.com/2019/09/configuring-ftd-623-via-firepower.html

dposmondsr7367 · ‎06-12-2021

That worked. Thanks to @johnlloyd_13 and @Marvin Rhoads for the support on this!

AmmarHermiz14196 · ‎11-14-2021

Hi

I have same issue but my NAT is on dynamic? Thanks