cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1911
Views
60
Helpful
5
Replies

Firepower issues

cm
Level 1
Level 1

Hi all

 

I m having strange issues with my FTD. I am managing it from FDM as I don't have FMC. I am Seeing strange behavior. I have deleted all the rules NAT and ACP . But my Clients Still getting internet. 

 

This is what I get from the command line. There seem to be some in Built statements in the system seen from show nat...Auto NAT... Further do i need to upgrade hardware from the current version below

 

>
>
> show nat

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
>
>
>
>
>
> show xlate
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443
flags sr idle 1:55:58 timeout 0:00:00

>
>
> show version
-------------------[ firepower ]--------------------
Model : Cisco Firepower 2130 Threat Defense (77) Version 6.2.3 (Build 83)
UUID : 9cf20e9c-37d7-11ec-8011-db2581d87e9c
Rules update version : 2017-09-13-001-vrt
VDB version : 290
----------------------------------------------------

>

2 Accepted Solutions

Accepted Solutions

@cm clear the current connections, see if the clients can access then.

You are running FTD version 6.2.3, you should definately upgrade to 7.0.1 which is the latest recommended version.

https://software.cisco.com/download/home/286312107/type/286306337/release/7.0.1

 

View solution in original post

@Rob Ingram  thanks Rob. 

 

I have cleared ... But the session is up  it seem to have worked But How do clear  inbuilt Auto rules is it in material.

 

>
>
>
> clear conn
8 connection(s) deleted.
>
>
>
>
> show nat

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
>
>
> show xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443
flags sr idle 3:19:05 timeout 0:00:00

>
>
> ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
> show
Syntax error: The command is not completed
> show
Syntax error: The command is not completed
> show

View solution in original post

5 Replies 5

@cm clear the current connections, see if the clients can access then.

You are running FTD version 6.2.3, you should definately upgrade to 7.0.1 which is the latest recommended version.

https://software.cisco.com/download/home/286312107/type/286306337/release/7.0.1

 

@Rob Ingram  thanks Rob. 

 

I have cleared ... But the session is up  it seem to have worked But How do clear  inbuilt Auto rules is it in material.

 

>
>
>
> clear conn
8 connection(s) deleted.
>
>
>
>
> show nat

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
>
>
> show xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443
flags sr idle 3:19:05 timeout 0:00:00

>
>
> ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
> show
Syntax error: The command is not completed
> show
Syntax error: The command is not completed
> show

@cm that ping is from the FTD itself, so it doesn't need to nat. It will route the traffic from the outside interface.

@Rob Ingram Yes the Ping from Devices But the Client (Ghost ) session dropped...After clearing connection... Thanks Boss. but my question still remains.  How do I get rid of the Auto Nat rule.... It seems inbuilt. While I have to Upgrade my software together with other smart licensing ... Is it safe to deploy the ftd in the mean time until resources permit to upgrade ? 

@cm you don't get rid of them, they are built in nat rules that help the system needs to operate.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: