FPR1010 initial configuration

fbeye (Level 4)

Hello

 

So, I wanted to figure something out here.

 

Currently I have an ASA-5508-X w/ static WAN IP. I have PAT to LAN 192.168.1.0 subnet which connects to an L2 switch. Plug N' Play in a sense. Whatever I plug in, it has always grabbed its unique IP address and obtained its DNS and gateway.

It's wonderful.

 

So, I received the FPR1010 and dear god it looks so beautiful and sleek...and small.

I wait an hour for it to boot just to let whatever happens happen.

Upon boot, I set up l/p/ftd etc. At first I made the MGMT port 192.168.1.67 just to have it accessible on the LAN to configure. I set up DHCP on GE1 and it obtains an IP! I manually set DNS 8.8.8.8, 8.8.4.4. I also changed vlan1 to 192.168.2.0 so as to have no conflicts.

Nothing I do will allow it to 'not' say "Gateway cannot be reached through port Ethernet1/1"

I then thought, well maybe MGMT IP should not be same as 'outside' so I changed MGMT to 192.168.5.5, and had same results.

I then said, let me try PPPoE like my ASA-5508-X is. I set it to PPPoE, put in, best I could, same as ASA and still it will not reach the gateway.

I have read some google results but apparently they got theirs fixed by doing what I had already done.

Also it seems some of the CLI commands I am used to do not work, so I have not posted any configs, yet.

13 Replies

@fbeye from the CLI of the FTD can you ping the next hop gateway (router) and an IP address on the internet (8.8.8.8)?

 

Provide the output of "show run interface", "show route" and "show nat detail".

 

What version of FTD are you running?

 

 

show running-config interface
!
interface Vlan1
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address dhcp setroute
!
interface Ethernet1/2
switchport
!
interface Ethernet1/3
switchport
!
interface Ethernet1/4
switchport
!
interface Ethernet1/5
switchport
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
switchport
power inline auto
!
interface Ethernet1/8
switchport
power inline auto
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address

---------------

show route
Gateway of last resort is 192.168.5.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.5.1, outside
C 192.168.5.0 255.255.255.0 is directly connected, outside
L 192.168.5.9 255.255.255.255 is directly connected, outside

--------------------

show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any-ipv4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.5.9/24

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24
Service - Protocol: tcp Real: https Mapped: https
2 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 0.0.0.0/32
3 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24
4 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 192.168.5.9/24
5 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
6 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
7 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:

------------------

show version
-------------------[ firepower ]--------------------
Model : Cisco Firepower 1010 Threat Defense (78) Version 6.6.1 (Build 91)
UUID : 06c03b88-a2e4-11ec-b382-e2c50361175d
Rules update version : 2020-08-18-001-vrt
VDB version : 336
----------------------------------------------------

> ping 8.8.8.8
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
> ping 192.168.5.1
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
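
The route and NAT output posted above lend themselves to a quick consistency check. The following is an added example, not part of the thread and not Cisco tooling: it parses the posted `show route` and `show nat detail` text (trimmed copies are embedded as sample input) and reports whether the default route's next hop is on-link, whether the inside-to-outside PAT maps to the outside interface's own address, and whether that PAT has ever translated a packet. The helper names and finding codes are my own.

```python
"""Consistency checks over FTD 'show route' and 'show nat detail' output.
Added example, not from the thread. The two sample outputs are trimmed copies
of what was posted above; helper names and finding codes are my own."""
import ipaddress
import re

SHOW_ROUTE = """\
Gateway of last resort is 192.168.5.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.5.1, outside
C 192.168.5.0 255.255.255.0 is directly connected, outside
L 192.168.5.9 255.255.255.255 is directly connected, outside
"""

SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any-ipv4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.5.9/24

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24
Service - Protocol: tcp Real: https Mapped: https
4 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 192.168.5.9/24
7 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
"""

DEFAULT_RE = re.compile(r"^S\*\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)")
CONNECTED_RE = re.compile(r"^C\s+(\S+)\s+(\S+)\s+is directly connected,\s+(\S+)")
LOCAL_RE = re.compile(r"^L\s+(\S+)\s+255\.255\.255\.255\s+is directly connected,\s+(\S+)")
RULE_RE = re.compile(r"^(\d+)\s+\((\S+)\)\s+to\s+\((\S+)\)\s+source\s+(dynamic|static)\s+(\S+)\s+(\S+)")
HITS_RE = re.compile(r"^translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")
ORIGIN_RE = re.compile(r"^Source - Origin:\s*(\S+),\s*Translated:\s*(\S*)")


def parse_route(text):
    """Default route, connected networks and the box's own (L) address per interface."""
    route = {"default": None, "connected": [], "local": {}}
    for line in (l.strip() for l in text.splitlines()):
        if m := DEFAULT_RE.match(line):
            route["default"] = {"gateway": m.group(1), "interface": m.group(2)}
        elif m := CONNECTED_RE.match(line):
            route["connected"].append({"network": f"{m.group(1)}/{m.group(2)}", "interface": m.group(3)})
        elif m := LOCAL_RE.match(line):
            route["local"][m.group(2)] = m.group(1)
    return route


def parse_nat(text):
    """Flatten both NAT sections into one list of rule dicts (Service lines are ignored)."""
    rules, section, cur = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Manual NAT Policies"):
            section = "manual"
        elif line.startswith("Auto NAT Policies"):
            section = "auto"
        elif m := RULE_RE.match(line):
            cur = {"section": section, "id": int(m.group(1)), "src_if": m.group(2), "dst_if": m.group(3),
                   "kind": m.group(4), "translate_hits": None, "untranslate_hits": None, "translated": None}
            rules.append(cur)
        elif cur and (m := HITS_RE.match(line)):
            cur["translate_hits"], cur["untranslate_hits"] = int(m.group(1)), int(m.group(2))
        elif cur and (m := ORIGIN_RE.match(line)):
            cur["translated"] = m.group(2) or None  # empty for the IPv6 rules in the posted output
    return rules


def gateway_on_link(route):
    """The next hop must sit inside a connected network on the default route's interface."""
    d = route["default"]
    gw = ipaddress.ip_address(d["gateway"])
    return any(c["interface"] == d["interface"] and gw in ipaddress.ip_network(c["network"], strict=False)
               for c in route["connected"])


def diagnose(route_text, nat_text):
    """Return finding codes; an empty list means route and PAT are at least consistent with each other."""
    route, rules = parse_route(route_text), parse_nat(nat_text)
    if route["default"] is None:
        return ["NO_DEFAULT_ROUTE"]
    findings = []
    if not gateway_on_link(route):
        findings.append("GATEWAY_NOT_ON_LINK")
    egress = route["default"]["interface"]
    pat = [r for r in rules if r["section"] == "manual" and r["kind"] == "dynamic" and r["dst_if"] == egress]
    if not pat:
        return findings + ["NO_PAT_TO_DEFAULT_EGRESS"]
    for r in pat:
        if (r["translated"] or "").split("/")[0] != route["local"].get(egress):
            findings.append(f"PAT_MAPPED_ADDR_MISMATCH:{r['id']}")
        if r["translate_hits"] == 0:  # no inside->outside flow has ever been translated by this rule
            findings.append(f"PAT_ZERO_HITS:{r['id']}")
    return findings
```

Run against the posted output, `diagnose()` reports only `PAT_ZERO_HITS:1`: the default route, the connected network and the PAT all agree with each other, but no inside host's traffic has been translated yet, which points away from the outside link itself and toward what is (or is not) allowed to reach it from the inside. Separately, a ping from the FTD's own `>` prompt is sourced from the outside address 192.168.5.9 and does not pass through this inside-to-outside PAT at all, so its success depends on the upstream ASA translating 192.168.5.0/24 and permitting the ICMP echo replies back in, which are exactly the two points the later replies in the thread raise.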

@fbeye ok but what about the other questions I asked, can you ping the next hop gateway? Can you ping the internet?

 

Have you created Access Control rules to permit traffic from inside to outside?

 

I have not... 100% of every Cisco documentation said nothing of this. Like literally, it suggests it should grab an IP DHCP and bam, online.

I modified my initial response with more info.... So if you could look at it.

I can PING the next hop gateway, but nothing beyond.

 

I find this weird because 100% of everything else that connects via DHCP has 0 issues seeing the world.

@fbeye well if you cannot ping anything on the internet, you should troubleshoot on your router.

I don't follow, what would I troubleshoot?

 

I plug a PC in and it grabs IP, DNS and gateway. As does every other device I install. I plug an Xbox in, it does the same.

 

 

fbeye (Level 4)

I bypassed the Switch and went directly from FPR1010 to ASA-5508 and put in an IP from [ASA] vlan1 192.168.5.9.

I can PING 192.168.5.1 (ASA Subnet) but still no Internet. So unless something on the FPR is invalid, both my Switch and ASA have issues. But, just with the FPR.

@fbeye so the 1010 is directly behind the ASA? With the ASA as 192.168.5.1?

Have you permitted ICMP return traffic on the ASA? Either use an ACL or enable ICMP inspection with the command fixup protocol icmp.

Have you configured NAT on the ASA for the 192.168.5.0/24 network?

Yes to both. 

 

I even went as far as eliminating EVERYTHING and going directly from GE1/1 on FPR to my DSL Router (which is in bridge) and set up PPPoE on FPR and still same.

Gateway cannot be reached through port Ethernet1/1 named "outside"

fbeye (Level 4)

I just don't know to what end I stop troubleshooting "my" end. As mentioned, the 5508-X works with PPPoE just fine. Every device on the LAN side auto connects and all is well.
I mean is there a possibility the device itself is just corrupt?

 

fbeye (Level 4)

Yeah I think it's the FPR

 

I mean there are so many odd and weird things:

 

During bootup:

Mar 13 22:23:23 firepower-1010 FPRM: <<%FPRM-2-DEFAULT_INFRA_VERSION_MISSING>> [F1309][critical][default-infra-version-missing][org-root/fw-infra-pack-default] Bundle version in firmware package is empty, need to re-install

Mar 13 22:24:52 firepower-1010 FPRM: <<%FPRM-2-DEFAULT_INFRA_VERSION_MISSING>> [F1309][cleared][default-infra-version-missing][org-root/fw-infra-pack-default] Bundle version in firmware package is empty, need to re-install

 

and when I make changes via the web GUI:

Error: While opening file
