FTDv in AWS: no connectivity

Laszlo Stomp
Level 1

Hi all,

I am hoping for some guidance on the FTDv on AWS image.

I have managed to image the FMCv and FTDv and connect the sensor to the management center. I've added an Access Control rule-set which is very basic, allow any traffic from the inside network to my outside network and NAT it against the outside interface.

However, when I redirect one of the Windows servers to use the FTDv as the default gateway, I can't make any connection through it, meaning that under Analysis > Connections > Events, I cannot see any connectivity event.

When I do a system support diagnostic-cli on the FTDv CLI, I can see the ARP entry of the Windows machine.

firepower# show arp
Outside 10.222.100.1 0a8f.e05b.3de3 50
Inside 10.222.10.1 0abd.ee7d.4f89 50
Inside 10.222.10.101 0af2.4c59.af6f 2079  >>> Windows machine

firepower# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.222.100.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 10.222.100.1, Outside
C 10.222.10.0 255.255.255.0 is directly connected, Inside
L 10.222.10.250 255.255.255.255 is directly connected, Inside
C 10.222.100.0 255.255.255.0 is directly connected, Outside
L 10.222.100.250 255.255.255.255 is directly connected, Outside

On the CLI, I can see that the connectivity is shown:

UDP Inside: 10.222.10.101/49409 Outside: 8.8.8.8/53,
flags h N, idle 1m50s, uptime 1m57s, timeout 2m0s, bytes 102, xlate id 0x7fbd8ad787c0

Judging from the flags, the connection is inspected by Snort, yet, the FMCv shows no connectivity events and my VM cannot connect.

firepower# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.222.100.184 YES manual up up
GigabitEthernet0/1 10.222.10.250 YES CONFIG up up
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/0 unassigned YES unset up up
Management0/0 unassigned YES DHCP up up

Also, packet tracer is evaluating the traffic as allowed:

Result:
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Last but not least, I did the needful and have an allow-all security group on every NIC that is assigned to FTDv, and the source/dest IP checks have been disabled.

Any help from those who use FTD on AWS is very much appreciated.
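As an added illustration (not part of the post and not Cisco's or AWS's own code), here is an offline check of the two AWS-side prerequisites the post mentions, the source/dest check on each firewall ENI and security-group ingress, written against constructed records in the shape boto3's describe_network_interfaces() and describe_security_groups() return; the ENI and group ids are placeholders, and the inside subnet is the one from the routing table above.

```python
from ipaddress import ip_network

INSIDE_SUBNET = "10.222.10.0/24"  # inside subnet from the post's routing table

# Constructed sample ENIs in the shape of describe_network_interfaces()["NetworkInterfaces"]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-inside-EXAMPLE",
     "PrivateIpAddress": "10.222.10.250",
     "SourceDestCheck": True,               # wrong for a forwarding appliance
     "Groups": [{"GroupId": "sg-EXAMPLE-A"}]},
    {"NetworkInterfaceId": "eni-outside-EXAMPLE",
     "PrivateIpAddress": "10.222.100.250",
     "SourceDestCheck": False,
     "Groups": [{"GroupId": "sg-EXAMPLE-B"}]},
]

# Constructed sample groups keyed by id, in the shape of describe_security_groups()
SAMPLE_SGS = {
    "sg-EXAMPLE-A": {"IpPermissions": [          # allow-all ingress, as in the post
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-EXAMPLE-B": {"IpPermissions": [          # SSH only: forwarded flows are dropped
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.222.10.0/24"}]}]},
}


def sg_allows_all_from(sg, cidr):
    """True if an ingress rule permits every protocol from a range covering cidr."""
    net = ip_network(cidr)
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") != "-1":       # "-1" is AWS's "all protocols"
            continue
        for rng in perm.get("IpRanges", []):
            if ip_network(rng["CidrIp"]).supernet_of(net):
                return True
    return False


def check_firewall_enis(enis, sgs, cidr):
    """Return one finding per ENI setting that would silently drop forwarded traffic."""
    findings = []
    for eni in enis:
        eni_id = eni["NetworkInterfaceId"]
        if eni.get("SourceDestCheck", True):     # must be disabled on every firewall ENI
            findings.append(f"{eni_id}: source/dest check is enabled")
        if not any(sg_allows_all_from(sgs[g["GroupId"]], cidr) for g in eni["Groups"]):
            findings.append(f"{eni_id}: no security group allows all traffic from {cidr}")
    return findings


if __name__ == "__main__":
    for line in check_firewall_enis(SAMPLE_ENIS, SAMPLE_SGS, INSIDE_SUBNET):
        print(line)
```

Against the constructed sample the inside ENI is flagged for the source/dest check and the outside ENI for its restrictive group; a clean deployment returns an empty list.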

1 Reply

syeda3
Level 1

Please see the URL below for a quick guide which might be helpful.

http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/aws/ftdv-aws-qsg.html

Hope to help.
