FTD not accessing internet after migration

ethutchinson (Level 1)

We attempted to migrate from our ASA 5515-Xs this morning to FTDs. Needless to say, when we tried to access the internet it was not available. We used the Cisco Migration tool and all settings (NATs, ACLs, interface settings, static routes, etc.) seemed to come over fine. I restarted the switches connected to the DMZ and inside interfaces to clear the ARP cache in each. The inside interfaces are connected to my core switch, so rebooting that can be rough. I did manage to clear the ARP cache for the interfaces they were connected to. I also rebooted our FatPipe bandwidth aggregators, which sit just outside our outside interface. Access to our inside network was working fine as far as IP configuration goes. The same IP addresses that were used on the ASA interfaces were being used on the FTD interfaces. I am being general on purpose. My consultant thinks it is a routing issue. I don't know what to think. I had to put the ASAs back into production.

Any suggestions would be welcome.

Thanks

8 Replies

ethutchinson (Level 1)

I should also note the AnyConnect VPN authentications worked great, but they could not access the inside network when connected. The IP address pool was the same as the one used by the ASAs, and now that the ASAs are back up, VPN is working fine.

@ethutchinson so if AnyConnect VPNs have successfully established, that proves inbound connectivity on the outside interface.

It possibly indicates a NAT issue for connectivity from inside to outside - check your NAT rules.

Check your ACP for traffic from inside to outside.

If the AnyConnect clients cannot communicate with the internal network, check the routing on the FTD to ensure it can reach the internal networks, check NAT exemption rules and check your ACP to ensure traffic is explicitly permitted.

It's going to be hard to troubleshoot if the FTDs are not in production. Did you run packet-tracer to simulate traffic from in to out?

Rob,

I am going to assume when you refer to ACP you mean Access Control Policy? Because there is no inside to outside line pointing to my ROLR there. It is in my NAT tables but not in my ACP.

Marvin Rhoads (Hall of Fame)

I've used the Firepower Migration Tool several times and generally had good success with it.

Did you migrate to the already-registered FTD devices (via FMC) or did you just migrate policies to FMC and then later add the FTD? In the former case interfaces and routes would all be configured by the migration tool.

Since you should still have the FTD accessible via its management interface, you can check the routing config from the CLI with "show running-config route".

Marvin,

I have checked the routes on both FTDs and they are both correct, with the same ROLR as the ASAs.

Marvin,

In answer to your first question, we migrated to the FTDs which were already set up and licensed in the FMC.

One of the things that also went wrong was the VPN connectivity not accessing my internal network when we cut over. So the consultant that is helping us suggested setting the FTDs up with different inside, DMZ, and outside IP addresses so I can at least test the VPN connectivity of the new FTDs while the ASAs are still up. I have plenty of unused outside addresses to play with. So he set up a new pool of IP addresses and I can connect to this outside IP address using the AnyConnect client. It connects up just fine, but I still cannot view my internal network. This is after he put the lines in my ACL to allow access to my internal network from the FTD VPN pool IPs. He wanted me to put a static route in our core switch to allow access to the new VPN pool he set up, using the inside interface IP of the FTD as the gateway of the route. But still nothing.

Any ideas?

@ethutchinson if the VPN is established and you cannot access resources, this is usually a missing NAT exemption rule or routing. Run packet-tracer; this will provide a clue as to the issue.
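The checks suggested in this thread (routing, NAT exemption for the VPN pool, ACP, and packet-tracer) written out as one sequence of FTD CLI commands. This is an added example, not commands posted by any of the participants; the interface names, object names and addresses are assumed placeholders, and on an FMC-managed FTD the NAT exemption itself is created in the FMC NAT policy (a manual static rule translating source and destination to themselves, with "no proxy ARP" and "perform route lookup"), with the CLI only showing the result.

```text
! All names and addresses are assumed placeholders (example, not from the thread).
! Assumed: inside network 10.10.0.0/16 behind "inside", AnyConnect pool 10.99.0.0/24 arriving on "outside".

! 1. Confirm the route of last resort and the inside routes are present on the FTD
show running-config route
show route

! 2. Inspect NAT as the FTD sees it. A pool-to-inside exemption must be ordered before any
!    dynamic PAT rule that would otherwise translate the returning VPN traffic.
show running-config nat
show nat

! What a NAT exemption for the VPN pool looks like in the resulting running config:
object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! 3. Confirm the access control policy deployed to the box permits the flows in question
show running-config access-list

! 4. Simulate a VPN client reaching an inside host (SMB here). The output lists each phase
!    (route lookup, NAT, access list, ...) and names the phase that drops the packet, which
!    separates a missing exemption from an ACP deny or a missing route.
packet-tracer input outside tcp 10.99.0.10 1025 10.10.5.20 445 detailed

! 5. Simulate an inside host reaching the internet, for the original inside-to-outside failure
packet-tracer input inside tcp 10.10.5.20 40000 203.0.113.1 443 detailed
```

Reading the packet-tracer result phase by phase is the point: a drop in the NAT phase points at the exemption (or its ordering), a drop in the access-list phase at the ACP, and a failure in the route-lookup phase at the routing that the earlier replies asked about. The `route-lookup` keyword on the exemption makes the FTD pick the egress interface by routing rather than by the NAT rule's interface pair, which is what you want when the inside routes are correct but the translation is not.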
