3024 Views, 10 Helpful, 6 Replies

FTD Firepower 2110 Version 6.6.1 not passing traffic

jdelgado (Level 1)

Hello,

 

I have a Firepower 2110 which is not passing traffic from the Inside interface to the Outside interface. I have run the packet tracer tool and it states that traffic should be passing normally. I have a static route. I am new to Firepower, and I think the issue may be related to the security levels, but I am unsure. I have been using ping as a test and I have also been trying to get to web pages.

 

The public IP is redacted, but below is the show route and show run interface output. Also attached is a diagram of the issue. Any and all help would be appreciated.

 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is *.*.28.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via (*).(*).28.1, Outside
C 10.20.50.0 255.255.255.0 is directly connected, Inside
L 10.20.50.1 255.255.255.255 is directly connected, Inside
C (*).(*).28.0 255.255.255.224 is directly connected, Outside
L (*).(*).28.11 255.255.255.255 is directly connected, Outside

 

interface Ethernet1/1
nameif Outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address (*).(*).28.11 255.255.255.224
!
interface Ethernet1/2
nameif Inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.20.50.1 255.255.255.0

 

 

6 Replies

Hi @jdelgado 

Are you using FDM or FMC to manage this device?

 

Can you ping the internet from the FTD itself?

 

Do you have NAT configured correctly for outbound traffic from the inside network(s)? Provide the output of "show nat detail".

 

How have you configured your Access Control Policy (ACP)? Please provide a screenshot

 

Provide the output of packet-tracer so we can analyse.

Hey Rob, thank you for responding.

 

Are you using FDM or FMC to manage this device? FMC

 

Can you ping the internet from the FTD itself? Yes I can Ping 8.8.8.8

 

Do you have NAT configured correctly for outbound traffic from the inside network(s)? Provide the output of "show nat detail".

> show nat detail
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static any interface destination static interface outside2
translate_hits = 8, untranslate_hits = 8
Source - Origin: 0.0.0.0/0, Translated: 64.16.28.11/27
Destination - Origin: 10.20.50.1/24, Translated: 64.16.28.11/3

 

How have you configured your Access Control Policy (ACP)?

Please try to remove that NAT rule and replace it with:

nat (inside,outside) after-auto source dynamic any interface

I know how to apply the command in an ASA but how would I apply it in the FMC? 

My bad, apologies, for some reason I had ASA in mind! In the NAT section, add a new rule:

NAT Rule: Auto NAT Rule

Type: Dynamic

Interface Objects: Src (Inside), Dst (Outside)

Translation - Original Source: Select your internal LAN object from the list; if you don't have one, click the + button to add it

Translation - Translated Source: Destination Interface IP
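As an added example (not from this thread and not Cisco's code), the following Python script parses `show nat detail` output in the format posted above and flags the pattern that broke outbound traffic here: a manual NAT rule using `source static any interface` that also carries a destination translation, and the absence of any dynamic (interface PAT) rule from Inside to Outside. Both sample outputs are constructed: the first mirrors the rule the poster pasted, the second is what the accepted Auto NAT rule would look like in the same output (the object name `inside-lan` is an assumption). The `security-level 0` values on both interfaces are not a factor: FTD does not use ASA-style security levels, access is decided by the Access Control Policy, and packet-tracer was already reporting the flow as allowed, which is why the NAT table was the right place to look.

```python
"""Audit 'show nat detail' output from an ASA/FTD for the outbound-NAT mistake
discussed in this thread. The sample outputs are constructed to match the
format the poster pasted; 'inside-lan' is an assumed object name."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed: mirrors the manual (twice) NAT rule posted in the thread.
SAMPLE_BAD = """\
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static any interface destination static interface outside2
    translate_hits = 8, untranslate_hits = 8
    Source - Origin: 0.0.0.0/0, Translated: 64.16.28.11/27
    Destination - Origin: 10.20.50.1/24, Translated: 64.16.28.11/32
"""

# Constructed: what the accepted Auto NAT (dynamic, interface PAT) rule looks like.
SAMPLE_GOOD = """\
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic inside-lan interface
    translate_hits = 42, untranslate_hits = 0
    Source - Origin: 10.20.50.0/24, Translated: 64.16.28.11/27
"""

# One rule line: "<n> (<src_if>) to (<dst_if>) source <static|dynamic> <obj> <xlate>
#                [destination <static|dynamic> <obj> <xlate>]"
RULE_RE = re.compile(
    r"^\s*\d+\s+\((?P<src_if>[^)]+)\)\s+to\s+\((?P<dst_if>[^)]+)\)\s+"
    r"source\s+(?P<src_type>static|dynamic)\s+(?P<src_obj>\S+)\s+(?P<src_xlate>\S+)"
    r"(?:\s+destination\s+(?P<dst_type>static|dynamic)\s+(?P<dst_obj>\S+)\s+(?P<dst_xlate>\S+))?"
)


@dataclass
class NatRule:
    section: str
    src_if: str
    dst_if: str
    src_type: str
    src_obj: str
    src_xlate: str
    dst_type: Optional[str]
    dst_obj: Optional[str]
    dst_xlate: Optional[str]


def parse_show_nat(text: str) -> list[NatRule]:
    """Return every rule line in the output, tagged with the section it sits in."""
    rules: list[NatRule] = []
    section = "unknown"
    for line in text.splitlines():
        if "NAT Policies" in line:          # section header, e.g. "Manual NAT Policies (Section 1)"
            section = line.strip()
            continue
        m = RULE_RE.match(line)
        if m:
            g = m.groupdict()
            rules.append(NatRule(section, g["src_if"], g["dst_if"], g["src_type"],
                                 g["src_obj"], g["src_xlate"],
                                 g["dst_type"], g["dst_obj"], g["dst_xlate"]))
    return rules


def audit_outbound_nat(rules: list[NatRule], inside_if: str = "Inside",
                       outside_if: str = "Outside") -> list[str]:
    """Flag rules that break Internet access from inside_if via outside_if."""
    findings: list[str] = []
    has_pat = False
    for r in rules:
        if (r.src_if.lower(), r.dst_if.lower()) != (inside_if.lower(), outside_if.lower()):
            continue
        # Static NAT is one-to-one; a whole subnet sharing the outside address needs dynamic PAT.
        if r.src_type == "static" and r.src_obj == "any" and r.src_xlate == "interface":
            findings.append(f"{r.section}: 'source static any interface' is a one-to-one "
                            "mapping, not PAT; outbound needs 'source dynamic ... interface'")
        # A destination clause makes this twice NAT: it changes where the packets go, too.
        if r.dst_type is not None:
            findings.append(f"{r.section}: rule also translates the destination "
                            f"('destination {r.dst_type} {r.dst_obj} {r.dst_xlate}'), "
                            "so Internet-bound traffic is not simply source-translated")
        if r.src_type == "dynamic" and r.src_xlate == "interface":
            has_pat = True
    if not has_pat:
        findings.append(f"no dynamic PAT rule from {inside_if} to {outside_if}: "
                        "inside hosts have no usable outbound translation")
    return findings


if __name__ == "__main__":
    for label, sample in (("posted rule", SAMPLE_BAD), ("accepted fix", SAMPLE_GOOD)):
        print(f"== {label} ==")
        for f in audit_outbound_nat(parse_show_nat(sample)) or ["no findings"]:
            print(" -", f)
```

Run it against a pasted `show nat detail` from the FTD CLI (pass the text to `parse_show_nat`); the posted rule produces three findings, the Auto NAT rule from the accepted answer produces none.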

 

It works!! Thank you, thank you.
