09-08-2022 12:54 AM
Hello,
We have an FTD running version 7.0.2 and use PBR based on source networks to route the traffic to different gateways.
It works great for outbound traffic, but we also publish a server on the internet and for some reason PBR doesn't work and we cannot reach the server. Instead the return traffic is using the default gateway and not the one specified in the route map.
Both the inside and the outside interface are included in the PBR, and the ACL that we use for the outside interface has source any and the server address on the inside as destination. I also tried to put the translated address as destination, but that didn't help either.
Here's some of the output from the packet-tracer, where we can see it uses the wrong interface and therefore gets dropped.
Phase: 7
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
Input route lookup returned ifc Outside is not same as existing ifc Outside2
Result:
input-interface: Inside_2(vrfid:0)
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000055ce0b4fd15c flow (NA)/NA
Any ideas on what could be wrong?
Thanks
/Chess
09-08-2022 04:15 AM
share the NAT you use in FTD
09-08-2022 05:18 AM
As @MHM Cisco World is implying, your NAT rule is the most likely culprit. If the server's static NAT is on the outside interface (vs. Outside2), then it won't work.
09-12-2022 07:40 AM
I have the same issue. I am using dynamic NAT to two different ISPs. The NAT statements are in the order of the Outside, then Outside2. It never takes that path, even by deleting the route to the outside interface gateway.
09-12-2022 07:42 AM
here's my nat statements:
nat (Inside,Outside) after-auto source dynamic Any_Any interface destination static Any_Any Any_Any
nat (Inside,Micronova) after-auto source dynamic Any_Any interface destination static Any_Any Any_Any
09-12-2022 07:44 AM
Also adding that this setup works perfectly on an ASA configured like an ASA, not as an FTD.
09-12-2022 11:04 AM
The solution is as follows:
1. Do not add both interfaces in the same zone. Create an Outside zone and an Outside 2 zone.
2. Set up auto NAT twice, using two different object names that are 0.0.0.0/0 (any).
example:
object network Any_Any
nat (Inside,Outside) dynamic interface
object network any4
nat (Inside,Outside2) dynamic interface
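To make the failure signature from the original post and the NAT pairing from this solution checkable without logging into the box, here is an added Python example (not code from the thread or from Cisco). It parses a packet-tracer excerpt like the one posted above, pulls out the interface the route lookup chose versus the interface the flow was already bound to, and then checks a NAT configuration for one "nat (Inside,<ifc>)" rule per PBR egress interface. The PBR egress interface list, the "Inside" real-interface name and the "broken" NAT sample with only one ISP interface are constructed assumptions for the demonstration; the packet-tracer and fixed-NAT samples are copied from the posts in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the SUBOPTIMAL-LOOKUP phase and final result posted in the thread.
PACKET_TRACER_SAMPLE = """\
Phase: 7
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
Input route lookup returned ifc Outside is not same as existing ifc Outside2

Result:
input-interface: Inside_2(vrfid:0)
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000055ce0b4fd15c flow (NA)/NA
"""

# Constructed sample: the auto NAT pair from the solution post (one rule per ISP interface).
NAT_FIXED = """\
object network Any_Any
 nat (Inside,Outside) dynamic interface
object network any4
 nat (Inside,Outside2) dynamic interface
"""

# Constructed sample (assumption): NAT bound to the first ISP interface only.
NAT_BROKEN = """\
object network Any_Any
 nat (Inside,Outside) dynamic interface
"""

MISMATCH_RE = re.compile(r"Input route lookup returned ifc (\S+) is not same as existing ifc (\S+)")
OUTPUT_RE = re.compile(r"^output-interface:\s*(\S+)", re.M)
ACTION_RE = re.compile(r"^Action:\s*(\S+)", re.M)
DROP_RE = re.compile(r"^Drop-reason:\s*\((\S+?)\)", re.M)
# Matches both auto NAT ("nat (a,b) dynamic interface") and manual NAT ("nat (a,b) after-auto ...").
NAT_RE = re.compile(r"^\s*nat \((\S+?),(\S+?)\)\s+(.*)$", re.M)


@dataclass
class TraceResult:
    lookup_ifc: Optional[str]    # interface the routing/PBR lookup returned
    existing_ifc: Optional[str]  # interface the flow was already bound to
    output_ifc: Optional[str]
    action: Optional[str]
    drop_reason: Optional[str]

    @property
    def interface_mismatch(self) -> bool:
        return (self.lookup_ifc is not None and self.existing_ifc is not None
                and self.lookup_ifc != self.existing_ifc)


@dataclass
class NatRule:
    real_ifc: str
    mapped_ifc: str
    body: str


def _first(rx: "re.Pattern[str]", text: str) -> Optional[str]:
    m = rx.search(text)
    return m.group(1) if m else None


def parse_packet_tracer(text: str) -> TraceResult:
    """Extract the interface mismatch, egress interface, action and drop reason."""
    m = MISMATCH_RE.search(text)
    return TraceResult(
        lookup_ifc=m.group(1) if m else None,
        existing_ifc=m.group(2) if m else None,
        output_ifc=_first(OUTPUT_RE, text),
        action=_first(ACTION_RE, text),
        drop_reason=_first(DROP_RE, text),
    )


def parse_nat_rules(text: str) -> List[NatRule]:
    """Return every 'nat (real,mapped) ...' line as a NatRule, in configuration order."""
    return [NatRule(m.group(1), m.group(2), m.group(3).strip()) for m in NAT_RE.finditer(text)]


def missing_nat_interfaces(rules: List[NatRule], pbr_egress_ifcs: List[str],
                           real_ifc: str = "Inside") -> List[str]:
    """PBR egress interfaces that have no NAT rule mapping traffic from real_ifc onto them."""
    covered = {r.mapped_ifc for r in rules if r.real_ifc == real_ifc}
    return [ifc for ifc in pbr_egress_ifcs if ifc not in covered]


def diagnose(trace_text: str, nat_text: str, pbr_egress_ifcs: List[str]) -> List[str]:
    """Combine the trace signature with the NAT coverage check into a list of findings."""
    trace = parse_packet_tracer(trace_text)
    findings = []
    if trace.interface_mismatch:
        findings.append(f"route lookup chose {trace.lookup_ifc} but the flow is bound to {trace.existing_ifc}")
    if trace.action == "drop" and trace.drop_reason == "no-adjacency":
        findings.append(f"packet dropped with no-adjacency on output interface {trace.output_ifc}")
    for ifc in missing_nat_interfaces(parse_nat_rules(nat_text), pbr_egress_ifcs):
        findings.append(f"no NAT rule maps traffic onto {ifc}, so PBR egress via {ifc} is not translated")
    return findings


if __name__ == "__main__":
    for label, nat in (("broken", NAT_BROKEN), ("fixed", NAT_FIXED)):
        print(label, diagnose(PACKET_TRACER_SAMPLE, nat, ["Outside", "Outside2"]))
```

Run against the "broken" NAT sample the script reports three findings (the interface mismatch, the no-adjacency drop, and Outside2 with no NAT rule); against the pair of auto NAT rules from the solution post only the two trace findings remain, which is the state to expect until a fresh packet-tracer is taken after the change.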
09-13-2022 02:42 AM - edited 09-29-2022 01:30 AM
Cisco Firepower Threat Defense (FTD) is a unified software image, which includes the Cisco ASA features and FirePOWER Services. This unified software is capable of offering the function of ASA and FirePOWER in one platform, both in terms of hardware and software features.
The Policy-Based Routing feature is a process whereby a device puts packets through a route map before routing the packets. The route map determines which packets are routed next to which device. Policy-based routing is a more flexible mechanism for routing packets than destination routing.