FTD and policy based routing

Chess Norris
Level 4

Hello,

We have an FTD running version 7.0.2 and use PBR based on source networks to route the traffic to different gateways.

It works great for outbound traffic, but we also publish a server on the internet and for some reason PBR doesn't work and we cannot reach the server. Instead, the return traffic uses the default gateway and not the one specified in the route map.

Both the inside and the outside interface are included in the PBR, and the ACL that we use for the outside interface has source any and the server address on the inside as destination. I also tried to put the translated address as destination, but that didn't help either.

Here's some of the output from the packet-tracer, where we can see it uses the wrong interface and therefore gets dropped.

Phase: 7
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
Input route lookup returned ifc Outside is not same as existing ifc Outside2

Result:
input-interface: Inside_2(vrfid:0)
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000055ce0b4fd15c flow (NA)/NA

Any ideas on what could be wrong?

Thanks

/Chess

7 Replies

share the NAT you use in FTD 

Marvin Rhoads
Hall of Fame

As @MHM Cisco World is implying, your NAT rule is the most likely culprit. If the server's static NAT is on the outside interface (vs. Outside2), then it won't work.
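To make the mismatch Marvin points at easy to spot, here is an added Python helper (not from this thread or from Cisco) that reads the packet-tracer excerpt quoted in the question together with the NAT rules and reports which of the two egress interfaces has no NAT rule at all. The NAT lines and the object names Web_Server / Web_Server_Public are constructed for the example.

```python
import re

# Constructed sample: the packet-tracer phases quoted in the question (abridged).
PACKET_TRACER = """\
Phase: 7
Type: SUBOPTIMAL-LOOKUP
Input route lookup returned ifc Outside is not same as existing ifc Outside2

Result:
input-interface: Inside_2(vrfid:0)
output-interface: Outside
Action: drop
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000055ce0b4fd15c flow (NA)/NA
"""

# Constructed sample NAT config: the published server is translated only on
# Outside, never on Outside2 (hypothetical object names).
NAT_CONFIG = """\
nat (Inside,Outside) source static Web_Server Web_Server_Public
nat (Inside,Outside) after-auto source dynamic Any_Any interface
"""

MISMATCH_RE = re.compile(r"route lookup returned ifc (\S+) is not same as existing ifc (\S+)")
NAT_RE = re.compile(r"^nat \(([^,]+),([^)]+)\)", re.MULTILINE)
FIELD_RE = re.compile(r"^(Action|Drop-reason): (.+)$", re.MULTILINE)


def nat_mapped_interfaces(nat_text):
    """Set of mapped (outer) interfaces that have at least one NAT rule."""
    return {mapped for _real, mapped in NAT_RE.findall(nat_text)}


def diagnose(trace_text, nat_text):
    """Report the egress interface the route lookup picked, the one the flow already
    holds, and which of the two no NAT rule covers. None if there is no mismatch."""
    m = MISMATCH_RE.search(trace_text)
    if m is None:
        return None
    routed_ifc, existing_ifc = m.groups()
    fields = {k: v.strip() for k, v in FIELD_RE.findall(trace_text)}
    drop = re.match(r"\((\S+?)\)", fields.get("Drop-reason", ""))
    nat_ifcs = nat_mapped_interfaces(nat_text)
    return {
        "routed_ifc": routed_ifc,
        "existing_ifc": existing_ifc,
        "dropped": fields.get("Action") == "drop",
        "drop_code": drop.group(1) if drop else None,
        "nat_interfaces": nat_ifcs,
        "uncovered": [i for i in (routed_ifc, existing_ifc) if i not in nat_ifcs],
    }
```

Run `diagnose(PACKET_TRACER, NAT_CONFIG)` against your own `packet-tracer` and `show running-config nat` output; an interface listed under `uncovered` is one the flow can reach by PBR but that has no translation bound to it.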

dbogdan
Level 1

I have the same issue. I am using dynamic NAT to two different ISPs. The NAT statements are in the order of the Outside, then Outside2. It never takes that path even by deleting the route to the outside interface gateway.

Here are my NAT statements:

nat (Inside,Outside) after-auto source dynamic Any_Any interface destination static Any_Any Any_Any
nat (Inside,Micronova) after-auto source dynamic Any_Any interface destination static Any_Any Any_Any

Also adding that this setup works perfectly on an ASA configured like an ASA, not as an FTD.

dbogdan
Level 1

The solution is as follows:

1. Do not add both interfaces in the same zone. Create an Outside zone and an Outside 2 zone.

2. Set up auto NAT twice, using two different object names that are 0.0.0.0/0 (any).

example:

! first any object, translated to the Outside interface address
object network Any_Any
 subnet 0.0.0.0 0.0.0.0
 nat (Inside,Outside) dynamic interface
! second any object, translated to the Outside2 interface address
object network any4
 subnet 0.0.0.0 0.0.0.0
 nat (Inside,Outside2) dynamic interface

alirafaleiro
Level 1

Cisco Firepower Threat Defense (FTD) is a unified software image, which includes the Cisco ASA features and FirePOWER Services. This unified software is capable of offering the function of ASA and FirePOWER in one platform, both in terms of hardware and software features.

The Policy-Based Routing feature is a process whereby a device puts packets through a route map before routing the packets. The route map determines which packets are routed next to which device. Policy-based routing is a more flexible mechanism for routing packets than destination routing.
