FTD deployment Issue (unable to get internet traffic through Firewall)

jesus.valero
Level 1
Hello, 
I'm deploying an FTD v6.6.5 created as native device in a Firepower 4110 appliance as replacement for an ASA5585 with Firepower Services, I have already added the FTD to the FMCv (v6.6.5) and migrated the ASA configuration using the Cisco Migration tool. I verified that all the interfaces were mapped and all licenses are in compliance. I had the ASA5585 up and running in the same FMCv but after the cutover I was unable to get internet traffic through the FTD. I confirmed that the interfaces (Inside, Outside and DMZ) were up and cleared the ARP tables on the switch where the Inside and DMZ interfaces are connected.
I don't know if I'm missing something after the migration; the report shows that all settings were migrated successfully, and I only needed to configure the remote VPN manually.

Eric R. Jones
Level 4
Hello, we had the same issue when we migrated from 5585s to 2130s.
We began creating a rule in the 2130 to allow all traffic regardless of rules.
We didn't enable this rule right away.
We did a deploy of the original rule set and everything began working.
We never had to use the test rule.

I found this odd and still do.
Whenever we do an upgrade of the OS we have to make sure that all deployments are done.
After the upgrade we have to do another deployment of rules for everything to take effect.

BmfL
Level 1

Is NAT properly configured? Is a static default route or a dynamic route in place?

Ping to ISP works? Ping outside internet to 8.8.8.8 works?

As stated before, did you check whether the ACP might be blocking the traffic? Maybe it did not migrate all of the ACP as expected.

Please provide more information on how your network is physically and logically set up (are you using port-channels or subinterfaces, which VLANs correspond to which interface, etc.).

And please check the following:

1. Make sure there are no outstanding deployments in the FMC

2. Make sure you have a Dynamic NAT configured from both Inside and DMZ interfaces towards the Outside interface

3. Make sure that logging is enabled for the ACP rules, and if / when it is enabled check Analysis > Connection Events to see if traffic is being blocked

4. If all the above looks fine, log into the FTD CLI and ping your ISP IP (default route IP), if that is successful, ping 8.8.8.8

5. If all these tests are successful go to the FTD CLI (at the > prompt) and issue the command system support trace

        Make sure to enable system support firewall-engine-debug when asked.

        Enter the source IP of a test PC you will use to generate traffic to the internet

        Enter the destination IP you are testing towards

        *** for all other fields just press enter ***

The last step should show if traffic is being dropped by either Snort or a firewall rule, if the traffic is reaching the firewall.

--
Please remember to select a correct answer and rate helpful posts
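One way to do the step 3 check offline, as an added example that is not from the thread or from Cisco: a small Python parser over FTD syslog connection messages that lists blocked flows for the test PC and flags the ones that fell through to the ACP default action (a sign that the migrated rules contain no match). The sample lines are constructed, and the field layout of the 430003 and 106023 messages is an assumption based on their documented shape; verify against your own FTD's output.

```python
import re
from collections import Counter

# Constructed sample FTD syslog lines (not from the thread). Field names follow the
# FTD 430003 connection-event and ASA-style 106023 deny formats; exact field sets vary
# by version and logging settings, so treat this layout as an assumption.
SAMPLE_SYSLOG = """\
%FTD-6-430003: AccessControlRuleAction: Block, SrcIP: 10.10.20.50, DstIP: 8.8.8.8, SrcPort: 51234, DstPort: 443, Protocol: tcp, IngressInterface: Inside, EgressInterface: Outside, ACPolicy: Migrated_ACP, AccessControlRuleName: Default Action
%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.10.20.50, DstIP: 10.10.30.5, SrcPort: 51235, DstPort: 80, Protocol: tcp, IngressInterface: Inside, EgressInterface: DMZ, ACPolicy: Migrated_ACP, AccessControlRuleName: Inside_to_DMZ_Web
%FTD-4-106023: Deny udp src Inside:10.10.20.50/53000 dst Outside:8.8.8.8/53 by access-group "CSM_FW_ACL_" [0x0, 0x0]
%FTD-6-430003: AccessControlRuleAction: Block, SrcIP: 10.10.20.51, DstIP: 8.8.8.8, SrcPort: 40000, DstPort: 53, Protocol: udp, IngressInterface: Inside, EgressInterface: Outside, ACPolicy: Migrated_ACP, AccessControlRuleName: Default Action
"""

KV_RE = re.compile(r"(\w+): ([^,]+)")  # "Key: value" pairs of a 430003 message
DENY_RE = re.compile(
    r'%FTD-4-106023: Deny (?P<proto>\w+) src (?P<iif>[^:]+):(?P<src>[\d.]+)/\d+ '
    r'dst (?P<oif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<rule>[^"]+)"'
)

def parse_line(line):
    """Normalise one FTD syslog line into a flow dict; return None for other messages."""
    if line.startswith("%FTD-6-430003:"):
        f = dict(KV_RE.findall(line.split(":", 1)[1]))
        return {"action": f["AccessControlRuleAction"], "src": f["SrcIP"], "dst": f["DstIP"],
                "proto": f["Protocol"], "dport": int(f["DstPort"]),
                "in": f["IngressInterface"], "out": f["EgressInterface"],
                "rule": f["AccessControlRuleName"]}
    m = DENY_RE.match(line)
    if m:  # LINA-level deny: reported as a block attributed to the named access-group
        d = m.groupdict()
        return {"action": "Block", "src": d["src"], "dst": d["dst"], "proto": d["proto"],
                "dport": int(d["dport"]), "in": d["iif"], "out": d["oif"], "rule": d["rule"]}
    return None

def blocked_flows(syslog_text, src_ip=None):
    """Count blocked (src, dst, proto, dport, rule) tuples, optionally for one test host only."""
    counts = Counter()
    for line in syslog_text.splitlines():
        flow = parse_line(line.strip())
        if flow and flow["action"] == "Block" and (src_ip is None or flow["src"] == src_ip):
            counts[(flow["src"], flow["dst"], flow["proto"], flow["dport"], flow["rule"])] += 1
    return counts

def default_action_hits(counts):
    """Flows that fell through to the ACP default action: no migrated rule matched them."""
    return [key for key in counts if key[4] == "Default Action"]

if __name__ == "__main__":
    summary = blocked_flows(SAMPLE_SYSLOG, "10.10.20.50")  # test PC from step 5
    for (src, dst, proto, dport, rule), n in summary.items():
        print(f"{n}x {src} -> {dst} {proto}/{dport} blocked by '{rule}'")
    print("Fell through to default action:", default_action_hits(summary))
```

Feed it the FTD's syslog export (or the lines from a syslog collector) instead of SAMPLE_SYSLOG, with the test PC's IP from step 5 as src_ip.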