Firepower issues

cm
Level 1

Hi all

 

I'm having strange issues with my FTD. I am managing it from FDM as I don't have FMC. I am seeing strange behavior. I have deleted all the rules, NAT and ACP, but my clients are still getting internet.

 

This is what I get from the command line. There seem to be some built-in statements in the system, seen from show nat (Auto NAT). Further, do I need to upgrade hardware from the current version below?

 

>
>
> show nat

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
>
>
>
>
>
> show xlate
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443
flags sr idle 1:55:58 timeout 0:00:00

>
>
> show version
-------------------[ firepower ]--------------------
Model : Cisco Firepower 2130 Threat Defense (77) Version 6.2.3 (Build 83)
UUID : 9cf20e9c-37d7-11ec-8011-db2581d87e9c
Rules update version : 2017-09-13-001-vrt
VDB version : 290
----------------------------------------------------

>

2 Accepted Solutions

@cm clear the current connections, see if the clients can access then.

You are running FTD version 6.2.3, you should definitely upgrade to 7.0.1 which is the latest recommended version.

https://software.cisco.com/download/home/286312107/type/286306337/release/7.0.1

 


@Rob Ingram  thanks Rob. 

 

I have cleared... but the session is up; it seems to have worked. But how do I clear the inbuilt Auto rules? Is it in material.

 

>
>
>
> clear conn
8 connection(s) deleted.
>
>
>
>
> show nat

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
>
>
> show xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443
flags sr idle 3:19:05 timeout 0:00:00

>
>
> ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
> show
Syntax error: The command is not completed
> show
Syntax error: The command is not completed
> show


5 Replies


@cm that ping is from the FTD itself, so it doesn't need NAT. It will route the traffic from the outside interface.

@Rob Ingram Yes, the ping is from the device, but the client (ghost) session dropped after clearing the connections... Thanks Boss. But my question still remains: how do I get rid of the Auto NAT rules? They seem inbuilt. While I have to upgrade my software together with other smart licensing... is it safe to deploy the FTD in the meantime, until resources permit the upgrade?

@cm you don't get rid of them, they are built-in NAT rules that the system needs to operate.
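For anyone auditing the same situation, the following is an added example (not Cisco code and not from anyone in this thread) that parses `show nat` and `show xlate` output in the exact layout pasted above and separates the built-in rules, which the reply identifies by their nlp_int_tap source interface, from any administrator-defined rules that still carry hits. The sample `show nat` text reuses the first two rules from the thread plus one constructed, hypothetical leftover user rule so the check has something to flag; the `show xlate` sample is the single management-plane translation from the thread.

```python
"""Audit FTD 'show nat' / 'show xlate' output for leftover user NAT.

Added example for the thread above; not Cisco code and not from the
original posts. It assumes the output format exactly as pasted in the
thread: a numbered rule line followed by a 'translate_hits' line, and
xlate entries shaped like 'TCP PAT from if:addr ports to if:addr ports'.
Rules whose source interface is nlp_int_tap are treated as the built-in
management-plane rules described in the reply (assumption).
"""
import re

SYSTEM_IFACE = "nlp_int_tap"  # source interface of the built-in rules in the thread

RULE_RE = re.compile(
    r"^(?P<id>\d+) \((?P<from_if>[^)]+)\) to \((?P<to_if>[^)]+)\) "
    r"source (?P<kind>static|dynamic) (?P<obj>\S+) ?(?P<rest>.*)$"
)
HITS_RE = re.compile(r"translate_hits = (?P<t>\d+), untranslate_hits = (?P<u>\d+)")
XLATE_RE = re.compile(
    r"^(?P<proto>\S+) (?P<type>PAT|NAT) from (?P<src_if>[^:]+):(?P<src>\S+) (?P<sport>\S+) "
    r"to (?P<dst_if>[^:]+):(?P<dst>\S+) (?P<dport>\S+)$"
)

# Constructed sample: rules 1 and 2 as pasted in the thread, rule 3 is a
# hypothetical administrator rule with hits, added only to exercise the check.
SAMPLE_SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
translate_hits = 1234, untranslate_hits = 5
"""

# Constructed sample: the only translation the thread shows after 'clear conn'.
SAMPLE_SHOW_XLATE = """\
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443
flags sr idle 3:19:05 timeout 0:00:00
"""


def parse_show_nat(text):
    """Return one dict per rule, pairing each rule line with its hit counters."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            rules.append({"id": int(m["id"]), "from_if": m["from_if"], "to_if": m["to_if"],
                          "kind": m["kind"], "object": m["obj"], "rest": m["rest"].strip(),
                          "translate_hits": 0, "untranslate_hits": 0})
            continue
        h = HITS_RE.search(line)
        if h and rules:  # counters belong to the most recently parsed rule
            rules[-1]["translate_hits"] = int(h["t"])
            rules[-1]["untranslate_hits"] = int(h["u"])
    return rules


def audit_nat(text):
    """Split rules into built-in and administrator-defined; flag admin rules with hits."""
    rules = parse_show_nat(text)
    system = [r for r in rules if r["from_if"] == SYSTEM_IFACE]
    user = [r for r in rules if r["from_if"] != SYSTEM_IFACE]
    active_user = [r for r in user if r["translate_hits"] or r["untranslate_hits"]]
    return {"system": system, "user": user, "active_user": active_user}


def parse_show_xlate(text):
    """Return one dict per translation entry; header and flag lines are skipped."""
    return [m.groupdict() for m in (XLATE_RE.match(l.strip()) for l in text.splitlines()) if m]


def non_system_xlates(text):
    """Translations with a data interface on both ends, i.e. real client traffic."""
    return [x for x in parse_show_xlate(text)
            if SYSTEM_IFACE not in (x["src_if"], x["dst_if"])]


if __name__ == "__main__":
    report = audit_nat(SAMPLE_SHOW_NAT)
    print(f"built-in rules: {[r['id'] for r in report['system']]}")
    print(f"admin rules:    {[r['id'] for r in report['user']]}")
    for r in report["active_user"]:
        print(f"  rule {r['id']} still translating: {r['translate_hits']} hits")
    print(f"client translations: {len(non_system_xlates(SAMPLE_SHOW_XLATE))}")
```

Run against a real paste, the expected healthy state after deleting every NAT rule in FDM is an empty `user` list and an empty `non_system_xlates` result; anything in `active_user` is a rule that was not actually removed, and a populated xlate list with no matching rule is an existing connection that `clear conn` has not yet torn down.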
