03-29-2024 06:55 AM
Hi colleagues,
I have the following issue: I'm migrating from a Cisco ASA5510 to an FRP1010e managed via FDM. The configuration is simple and I moved it to the new device (FRP1010e). I have configured one interface for OUTSIDE with a public address and a VLAN interface with the assigned IPv4 inside address, to which I assigned other ports for internal communication; those ports are in "switched port" mode. When I switch the traffic from the old ASA to the new FRP1010e, everything looks fine: the PCs in the internal network have access to the Internet (outside) on the defined ports. I have defined NAT and ACL rules, but I cannot access them from outside. Interestingly, one of these services is accessible and works fine, and all other services are configured exactly like the working one. I tried many scenarios but without success. Any ideas?
03-29-2024 07:29 AM
Maybe you need to post the config or do some troubleshooting.
Outside to inside: what kind of NAT, static NAT?
"all other services are configured exactly like the working one"
Provide some examples, working and not working.
Have a look at some example guide:
04-01-2024 11:46 PM
Hi,
I'm using static NAT. I'm attaching screenshots of my NAT configuration.
This is the NAT for the working service, where local.Demo4 is an object with the internal IPv4 address and ext_Demo4 is an object with the external IPv4 address.
This is the access list for the working service.
And these are the identical NAT and ACL rules for the other services, which do not work.
03-29-2024 08:24 AM
Hi, IIRC, if you used the default NAT policy that FDM creates during bootstrapping, the rule uses (inside,any), and this rule may be overriding the static NAT policies that you are configuring after the fact. Personally, I delete the (inside,any) rule and build more specific policies like (inside,outside).
Can you post a packet-tracer of the failing traffic? I usually run this from the LINA CLI:
> system support diagnostic-cli
FPR1150> en
Password: (no password, just press enter)
FPR1150# packet-tracer input outside tcp 208.13.96.5 1099 199.2.2.2 443 detailed
Where 199.2.2.2 is your outside interface IP and 443 is the port you are forwarding or allowing.
Also, as I am sure you know, your ACL should allow the "real IP" (RFC 1918 internal IP) of the host you are NATing to.
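The packet-tracer run above is the quickest way to tell whether an inbound flow fails at NAT (no UN-NAT phase, so the static rule never matched) or at the access policy after a successful un-translate (the ACL does not permit the real address). The script below is an added example, not code from the thread or from Cisco: it parses the phase blocks of a `detailed` trace and reports where the flow died. The two trace strings are constructed to resemble LINA packet-tracer output; the field layout, the object names local.Demo4/ext_Demo4 and the addresses 199.2.2.2 and 192.168.10.4 are assumptions for illustration.

```python
import re

# Constructed sample of 'packet-tracer input outside tcp ... 443 detailed'
# output (format assumed): the probe is un-NATed by the static rule for
# local.Demo4/ext_Demo4 and then denied by the access policy.
NAT_THEN_ACL_DROP = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local.Demo4 ext_Demo4
Additional Information:
NAT divert to egress interface inside
Untranslate 199.2.2.2/443 to 192.168.10.4/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-list CSM_FW_ACL_ advanced deny ip any any
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample where no NAT rule matched the outside address at all.
NO_UNNAT_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Bare heading of the final summary block; phase lines read 'Result: ALLOW' / 'Result: DROP'.
SUMMARY_MARK = "\nResult:\n"


def parse_phases(trace):
    """Return one dict per phase: Type/Subtype/Result plus the Config and Additional Information lines."""
    body = trace.split(SUMMARY_MARK, 1)[0]
    phases = []
    for chunk in re.split(r"(?m)^Phase:[ \t]*", body)[1:]:
        lines = chunk.splitlines()
        phase = {"Phase": int(lines[0]), "Config": [], "Additional Information": []}
        section = None
        for line in lines[1:]:
            if line in ("Config:", "Additional Information:"):
                section = line[:-1]
            elif section is not None:
                if line.strip():
                    phase[section].append(line.strip())
            else:
                key, _, value = line.partition(":")
                phase[key.strip()] = value.strip()
        phases.append(phase)
    return phases


def parse_summary(trace):
    """Return the key/value lines of the final 'Result:' block (Action, Drop-reason, ...)."""
    _, _, summary = trace.partition(SUMMARY_MARK)
    out = {}
    for line in summary.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def triage(trace):
    """Summarise where the inbound flow died and what to check next."""
    phases = parse_phases(trace)
    summary = parse_summary(trace)
    unnat = next((p for p in phases if p.get("Type") == "UN-NAT"), None)
    dropped = next((p for p in phases if p.get("Result") == "DROP"), None)
    real_ip = None
    if unnat:
        for line in unnat["Additional Information"]:
            m = re.match(r"Untranslate \S+ to (\d+\.\d+\.\d+\.\d+)/", line)
            if m:
                real_ip = m.group(1)
    finding = {
        "action": summary.get("Action"),
        "drop_reason": summary.get("Drop-reason"),
        "unnat_rule": unnat["Config"][0] if unnat and unnat["Config"] else None,
        "real_ip": real_ip,
        "dropped_in": dropped["Type"] if dropped else None,
    }
    if finding["action"] != "drop":
        finding["hint"] = "allowed through the firewall; look at the server or the upstream path"
    elif unnat is None:
        finding["hint"] = "no UN-NAT phase: the static NAT rule did not match; check NAT rule order and overlapping rules"
    elif finding["dropped_in"] == "ACCESS-LIST":
        finding["hint"] = f"un-NATed to {real_ip} then denied by ACL: the access rule must permit the real address {real_ip}"
    else:
        finding["hint"] = f"dropped in {finding['dropped_in']}: {finding['drop_reason']}"
    return finding


if __name__ == "__main__":
    for name, trace in (("NAT_THEN_ACL_DROP", NAT_THEN_ACL_DROP), ("NO_UNNAT_DROP", NO_UNNAT_DROP)):
        print(name, "->", triage(trace)["hint"])
```

Paste the output of the `packet-tracer ... detailed` command into a string and call `triage()` on it; the `real_ip` it extracts from the UN-NAT phase is the address the access rule has to permit, which is the point made above about allowing the RFC 1918 address rather than the public one. Note that packet-tracer on the new box only tells you something once the interfaces are up, so the check has to be run during a cut-over window.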
04-01-2024 11:55 PM
Hi,
I don't use the default NAT policy, and I cannot post a packet-tracer of the failing traffic because the ports are in the down state and the traffic is passing via the ASA now.