07-29-2019 07:57 AM - edited 02-21-2020 09:21 AM
Hi,
I'm initially configuring an FTD (on an ASA5515-X) and set the 'outside' g0/0 to get DHCP from the ISP.
The FTD g0/0 port is green/active and it correctly gets an IP via DHCP (from the fiber ONT) when I check via CLI.
But the connection diagram on the device summary shows a 'gray' line, i.e. the ISP/WAN/gateway to the internet is down.
> show interface GigabitEthernet 0/0
Interface GigabitEthernet0/0 "outside", is up, line protocol is up <<<
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address b0fa.eb97.72cc, MTU 1500
IP address 222.164.10.189, subnet mask 255.255.254.0 <<<
415741 packets input, 27314861 bytes, 0 no buffer
Received 396234 broadcasts, 0 runts, 0 giants
5 input errors, 5 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
302 packets output, 121222 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 22 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (485/456)
output queue (blocks free curr/low): hardware (511/508)
Traffic Statistics for "outside":
413760 packets input, 19690501 bytes
197 packets output, 53516 bytes
17863 packets dropped
1 minute input rate 361 pkts/sec, 17102 bytes/sec
1 minute output rate 0 pkts/sec, 1 bytes/sec
1 minute drop rate, 13 pkts/sec
5 minute input rate 379 pkts/sec, 17956 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 14 pkts/sec
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 222.164.10.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 222.164.10.1, outside <<<
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
C 222.164.10.0 255.255.254.0 is directly connected, outside
L 222.164.10.189 255.255.255.255 is directly connected, outside
> ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
I noticed there's no static default route, and when I tried to manually configure a static default route, the ISP/WAN is still gray/down and I can't do any updates to the Cisco cloud (geolocation, SI, etc.).
Not sure if there's an option in the FTD interface like in ASA to auto-obtain an ISP default route:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute <<<
Any guidance is highly appreciated. See attached photos.
07-29-2019 10:50 AM
Does your management interface have Internet connectivity? That will be necessary for the Cisco updates and for the connection to show as fully functional.
07-29-2019 06:29 PM
Hi Marvin,
My laptop is directly connected to the FTD MGMT port.
I will plug the MGMT port and the PC into a switch and have them routed over the internet.
Is there an option or command to force the FTD to get cloud updates via its WAN/outside interface?
07-29-2019 08:50 PM - edited 07-29-2019 08:55 PM
The originating source of the cloud updates will always be the FTD appliance's designated management interface. Those requests may be routed through / NATted to the outside interface but they will not be initiated from it.
For a comprehensive treatment of this subject I recommend the "Cisco Firepower Threat Defense (FTD)" book (Chapter 6) by @Nazmul Rajib
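As an added illustration of the point above (this is not part of the original thread or the OP's configuration): the FTD CLI checks I would run to confirm that the management interface, rather than the data-plane 'outside' interface, has a path to the Internet. The management address 192.168.1.2/24 and the gateway 192.168.1.1 (the FTD's own inside interface, as shown in the OP's `show route`) are assumptions that fit the OP's plan of putting the MGMT port and the PC on the inside switch; the command names are the FTD 6.x CLI as I know it, so confirm them with `?` on your release. The text after `<-` on each line is my annotation, not CLI output.

```text
> show network                                                   <- management IP, gateway and DNS; this is a separate
                                                                    routing instance from the data-plane 'show route'
> configure network ipv4 manual 192.168.1.2 255.255.255.0 192.168.1.1
                                                                 <- assumption: MGMT port cabled to the inside LAN,
                                                                    default gateway = the FTD inside interface
> configure network dns servers 8.8.8.8                          <- assumption: DNS reachable from management
> ping system 8.8.8.8                                            <- sourced from the management interface;
                                                                    this is the path the cloud updates use
> ping 8.8.8.8                                                   <- sourced from the data plane (what the OP tested)
```

If `ping 8.8.8.8` succeeds but `ping system 8.8.8.8` fails, the data-plane default route learned via DHCP is fine and the problem is the management path: the management traffic has to reach the inside interface and then be NATted out through 'outside' like any other inside host, so the inside-to-outside NAT rule must cover the management address as well.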
07-29-2019 09:42 PM - edited 07-29-2019 09:42 PM
Hi Marvin,
I already got a copy of that book. Will do more FTD labs and reading :)
07-31-2019 03:52 AM
07-31-2019 07:07 AM
Cool. With your 5515-X you can run 6.4 and play with a few more features. My home lab physical appliance is a 5506-X so I am limited to 6.2.3.x.
I was just thinking today that I need to add a locally managed FTDv so that I can run 6.4 and manage with FDM. My current FTDv is managed by my FMC.
07-31-2019 11:14 PM
Hi Marvin,
I'm just curious, what are some of the "new" features added in FTD 6.4 (compared to 6.2.3)?
Any link you can share?
08-01-2019 05:23 AM
6.3 FDM adds:
6.4 adds:
Some highlights:
CoA for VPN (via ISE integration)
FQDN objects in Access Control Policies
API updated to include a lot more features (API v3)
Integration with CTR
CA-issued certificate for FDM
Faster deployments
...and much more