06-16-2023 02:29 AM
I'm a beginner to firewall configuration, using a new FPR 1010. I can't make the inside network connect to the internet, except that I can ping the ISP gateway! Does this mean ingress is being blocked?
Attempting TCP_Bypass always failed deployment with these warnings.
WARNING: Pool (0.0.0.0) overlap with existing pool.
WARNING: Pool (0.0.0.0) overlap with existing pool.
WARNING: All traffic destined to the IP address of the outside interface is being redirected
WARNING: Users may not be able to access any service enabled on the outside interface
WARNING: Pool (0.0.0.0) overlap with existing pool.
Here is the packet-tracer https bypass command result. Is there any common policy that blocks by default? Have I missed something?
firepower# packet-tracer input inside tcp 10.10.10.1 https 20X.XXX.XXX.XXX https bypass-checks
Phase: 1
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000056082f3d9311 flow (NA)/NA
I will post show running-config later.
06-16-2023 02:49 AM - edited 06-16-2023 02:51 AM
You need NATing from private to public IP.
You need a default route also.
06-19-2023 11:14 PM
Thank you for your guidance. It turns out that it is the NAT. The issue is resolved. Here is what I did, just want to share with other beginners.
NAT Rule (Before Auto) - MANUAL STATIC
inside > outside
Original Source Address: dmz-network-192.168.1.0-30
Original Destination Address: any-ipv4
Translated Source Address: Interface
Translated Destination Address: any-ipv4
For Routing: Static Routing
Network 192.168.2.0/30 - Gateway: 192.168.1.1 (And this 192.168.1.1 will be the WAN of the router)
Network 0.0.0.0/24 - Gateway: 2XX.XXX.XXX.241 (gateway provided by ISP)
Interfaces on the Firewall:
Outside Interface: 2XX.XXX.XXX.246 (IP provided by ISP)
Inside (DMZ) Interface: 192.168.1.2
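As an added illustration (not code from the thread or from Cisco), here is a small Python model of the two packet-tracer phases the accepted answer points at: a longest-prefix route lookup that yields the "no-route" drop when no default route exists, and the egress source NAT that rewrites the private source to the outside interface address. All addresses are constructed stand-ins (203.0.113.0/24 replaces the masked ISP block); the rule shapes mirror the fix posted above but are assumptions, not the device's actual configuration.

```python
"""Toy model of the route-lookup and source-NAT steps behind the thread's packet-tracer result.
Constructed data only; 203.0.113.x stands in for the masked 2XX.XXX.XXX.x ISP addresses."""
from ipaddress import IPv4Address, IPv4Network

OUTSIDE_IP = IPv4Address("203.0.113.246")   # stand-in for the firewall's outside address (.246)
ISP_GW = IPv4Address("203.0.113.241")       # stand-in for the ISP gateway (.241)

# Routing table entries: (prefix, next hop or None if connected, egress interface).
CONNECTED = [
    (IPv4Network("203.0.113.240/29"), None, "outside"),
    (IPv4Network("192.168.1.0/30"), None, "inside"),
]
STATIC_LAN = (IPv4Network("192.168.2.0/30"), IPv4Address("192.168.1.1"), "inside")
DEFAULT_ROUTE = (IPv4Network("0.0.0.0/0"), ISP_GW, "outside")  # the missing piece in the question

# NAT rule shaped like the posted fix: inside -> outside, source 192.168.1.0/30, translated to interface.
NAT_TO_INTERFACE = {"src": IPv4Network("192.168.1.0/30"), "ifc_pair": ("inside", "outside")}

RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"), IPv4Network("192.168.0.0/16")]

def is_rfc1918(addr):
    """True for private (RFC 1918) addresses, which an ISP will not route replies back to."""
    return any(addr in net for net in RFC1918)

def lookup_route(routes, dst):
    """Longest-prefix match; None means what packet-tracer reports as Drop-reason: (no-route)."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def trace(routes, nat_rules, src, dst, in_ifc="inside"):
    """Return a dict describing the outcome, loosely mirroring packet-tracer's Result block."""
    route = lookup_route(routes, dst)
    if route is None:
        return {"action": "drop", "reason": "no-route"}
    out_ifc = route[2]
    xlated = src
    for rule in nat_rules:                      # first matching NAT rule wins, as in the NAT table
        if src in rule["src"] and rule["ifc_pair"] == (in_ifc, out_ifc):
            xlated = OUTSIDE_IP
            break
    result = {"action": "allow", "out_ifc": out_ifc, "src": str(xlated)}
    if out_ifc == "outside" and is_rfc1918(xlated):
        # Forward path works, but replies go to a private source and never come back.
        result["warning"] = "untranslated private source leaving outside"
    return result
```

Running the same flow three times (no default route, default route without NAT, default route with NAT) reproduces the progression from the "no-route" drop in the question to the working state in the fix.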