10-27-2020 04:09 PM
Hello,
I have a Firepower 2110 which is not passing traffic from the Inside interface to the Outside interface. I have run the packet tracer tool and it states that traffic should be passing normally. I have a static route. I am new to Firepower, and I think the issue may be related to the security levels, but I am unsure. I have been using ping as a test and I have also been trying to get to web pages.
The public IP is redacted, but below is the show route and show run interface output. Also attached is a diagram of the issue. Any and all help would be appreciated.
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is *.*.28.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via (*).(*).28.1, Outside
C 10.20.50.0 255.255.255.0 is directly connected, Inside
L 10.20.50.1 255.255.255.255 is directly connected, Inside
C (*).(*).28.0 255.255.255.224 is directly connected, Outside
L (*).(*).28.11 255.255.255.255 is directly connected, Outside
interface Ethernet1/1
nameif Outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address (*).(*).28.11 255.255.255.224
!
interface Ethernet1/2
nameif Inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.20.50.1 255.255.255.0
10-28-2020 01:02 AM - edited 10-28-2020 01:03 AM
Hi @jdelgado
Are you using FDM or FMC to manage this device?
Can you ping the internet from the FTD itself?
Do you have NAT configured correctly for outbound traffic from the inside network(s)? Provide the output of "show nat detail".
How have you configured your Access Control Policy (ACP)? Please provide a screenshot
Provide the output of packet-tracer so we can analyse.
10-28-2020 11:44 AM
Hey Rob, thank you for responding.
Are you using FDM or FMC to manage this device? FMC
Can you ping the internet from the FTD itself? Yes I can Ping 8.8.8.8
Do you have NAT configured correctly for outbound traffic from the inside network(s)? Provide the output of "show nat detail".
> show nat detail
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static any interface destination static interface outside2
translate_hits = 8, untranslate_hits = 8
Source - Origin: 0.0.0.0/0, Translated: 64.16.28.11/27
Destination - Origin: 10.20.50.1/24, Translated: 64.16.28.11/3
How have you configured your Access Control Policy (ACP)?
10-28-2020 12:13 PM
Try please to remove that NAT rule and replace it with:
nat (inside,outside) after-auto source dynamic any interface
10-28-2020 12:30 PM
I know how to apply the command in an ASA but how would I apply it in the FMC?
10-28-2020 12:54 PM
My bad, apologies, for some reason I had ASA in mind! In the NAT section, add a new rule:
NAT Rule: Auto NAT Rule
Type: Dynamic
Interface Objects: Src (Inside), Dst (Outside)
Translation - Original Source: Select your internal LAN object from the list, if you don't have it, click on the + button to add one
Translation - Translated Source: Destination Interface IP
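For reference, below is the CLI form of the Auto NAT rule described above, as FMC generates and deploys it to the FTD (an FMC-managed FTD does not accept configuration typed at its own CLI, but the deployed result is visible with "show running-config nat" and "show nat detail"). This is an added example, not configuration from the original post: the object name INSIDE_LAN and the test host 10.20.50.100 are assumed placeholders; the 10.20.50.0/24 network and the Inside/Outside interface names come from the original "show route" and interface output.

```cisco
! Auto NAT (object NAT) rule: interface PAT for the inside LAN.
! INSIDE_LAN is an assumed object name; 10.20.50.0/24 is the LAN from the
! original post's "show route" output.
object network INSIDE_LAN
 subnet 10.20.50.0 255.255.255.0
 nat (Inside,Outside) dynamic interface

! Verify the deployed rule: it should be listed under
! "Auto NAT Policies (Section 2)". The earlier manual rule
! "source static any interface destination static interface outside2"
! must no longer appear in Section 1, because Section 1 is evaluated first
! and would still match the traffic.
show nat detail

! Trace an inside host's ping to 8.8.8.8 (10.20.50.100 is an assumed host).
! The NAT phase of the output should show the source translated to the
! Outside interface address, followed by an ALLOW result.
packet-tracer input Inside icmp 10.20.50.100 8 0 8.8.8.8 detailed

! After a real ping from the LAN, confirm a live translation exists.
show xlate
```

Two points worth checking when this is deployed. First, NAT rule order matters: manual rules in Section 1 are evaluated before Auto NAT in Section 2, and "after-auto" manual rules (the form suggested earlier in the thread) land in Section 3, so a stale Section 1 rule will keep winning until it is removed. Second, the "security-level 0" on both interfaces in the original output is normal for FTD: unlike an ASA, FTD does not use interface security levels to permit or deny traffic, so the Access Control Policy and the NAT rules are what decide whether inside-to-outside traffic passes.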
10-28-2020 01:14 PM
It works!! Thank you, Thank You