Solved: New network segment can´t go to internet in FTD (Managed by FMC)

filiberto.aguirre · ‎04-11-2021

Hi,

we have a FMC ver 6.3.0.3 and FTD 5516-x both have been working
Currently FTD is working with 4 interfaces (outside,outside2,inside,LAN-B,LAN-c). LAN-B and LAN-C are the new interfaces

For hosts the default gateway is a router that also hande MPLS connections to others sites.
FTD interfaces are connected to swicht core , and the the MPLS router (sub interfaces were set) is conected to switch core also via trunk port that allow differents vlans including the new vlan for new network segment.

The problem that we have is that new networks segment can't reach internet when default gateway is the MPLS router, hosts just reach local traffic and sites connected with MPLS. Only host that are in inside zone (172.16.190.X) can reach all the traffic required (local, to others sites, internet) . The default route in MPLS router is the INSIDE interface of FTD ( 172.16.190.251).

For the moment in order to allow traffic to internet for hosts in new network segment (172.16.237.0/24 and 172.16.238.9/24) when MPLS router is defult gateway is to set in the hosts (laptops) a static route pointing to FTD interface.

For new network segment were set ACP, NAT, etc. If we set FTD as default gateway for both new network segment they can go to internet

Any suggestion fot this issue?

Marvin Rhoads · ‎04-13-2021

So original network hosts have default gateway as router and router send their internet-bound traffic to FTD using which address? If it is the original network then I could see that as a problem since the return traffic would see that FTD has a connected interface in the destination subnet and would thus not send the traffic back via the MPLS router ..and thus have asymmetric routing.

View solution in original post

Marvin Rhoads · ‎04-11-2021

Does your FTD have a route back to the MPLS router for your new network segments (subnets)?

filiberto.aguirre · ‎04-11-2021

Hi marvin,

Thanks a lot for your quick response.

I have some static route that point to MPLS router to reach other sites. and the default route to internet.

Default router has subinterfaces for the new network segments.

I attach screen shots for interfaces and statics routes.

The route back to new network segment, ?? not clear for me. FTD has physical interaces in new network segments.

regards

Marvin Rhoads · ‎04-13-2021

So original network hosts have default gateway as router and router send their internet-bound traffic to FTD using which address? If it is the original network then I could see that as a problem since the return traffic would see that FTD has a connected interface in the destination subnet and would thus not send the traffic back via the MPLS router ..and thus have asymmetric routing.

filiberto.aguirre · ‎04-17-2021

Hi Marvin,

Taking into account your comments about asymmetric routing we changed severals config on FTD.

- we removed ip address (for new network segments) in the FTD's interfaces

- we add statics routes in FTD to reach new network segments by MPLS router.

also change NAT in FTD (removed new zones and set original zone) , and change also the zone in the rule for traffic to internet in ACP.

with these changes the traffic to internet from new network segments go successfully

thanks for your comments

Marvin Rhoads · ‎04-18-2021

Great - thanks for letting us know that was indeed the issue.