cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2619
Views
0
Helpful
5
Replies

No Internet Access on Inside Interface FTD

Ionela.Onceru
Level 1
Level 1

Hi,

 

I have this configuration in GNS3 with FTD. I can't access Internet from the Inside interface and I can't figure why.

 

Could you please help me?

 

: Saved

:
: Serial Number: 9A2HWHFXJEA
: Hardware: ASAv, 8192 MB RAM, CPU Pentium II 2600 MHz, 1 CPU (4 cores)
:
NGFW Version 6.2.3
!
hostname firepower
enable password $sha512$5000$TXb2gmIfdxW9fOuH3v1nkg==$MdaH8/ZnLAccS0CtB0bjHg== pbkdf2
strong-encryption-disable
names

!
interface GigabitEthernet0/0
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.159.130 255.255.255.0
ipv6 address autoconfig
!
interface GigabitEthernet0/1
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.1.20 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/8
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
ftp mode passive
ngips conn-match vlan-id
object network InsideWebServer
host 192.168.159.200
object network MappedInsideWerServer
host 192.168.1.250
object network PC1
host 192.168.159.141
object network Gateway
host 192.168.1.1
object network OutsideIPv4DefaultRoute
subnet 0.0.0.0 0.0.0.0
object network OutsideIPv4Gateway
host 192.168.159.2
object network AIM_SERVERS-64.12.31.136
host 64.12.31.136
object network AIM_SERVERS-64.12.46.140
host 64.12.46.140
object network AIM_SERVERS-64.12.186.85
host 64.12.186.85
object network AIM_SERVERS-205.188.1.132
host 205.188.1.132
object network AIM_SERVERS-205.188.11.228
host 205.188.11.228
object network AIM_SERVERS-205.188.11.253
host 205.188.11.253
object network AIM_SERVERS-205.188.11.254
host 205.188.11.254
object network AIM_SERVERS-205.188.210.203
host 205.188.210.203
object network AIM_SERVERS-64.12.24.0-23
subnet 64.12.24.0 255.255.254.0
object network AIM_SERVERS-64.12.28.0-23
subnet 64.12.28.0 255.255.254.0
object network AIM_SERVERS-64.12.161.0-24
subnet 64.12.161.0 255.255.255.0
object network AIM_SERVERS-64.12.163.0-24
subnet 64.12.163.0 255.255.255.0
object network AIM_SERVERS-64.12.200.0-24
subnet 64.12.200.0 255.255.255.0
object network AIM_SERVERS-205.188.3.0-24
subnet 205.188.3.0 255.255.255.0
object network AIM_SERVERS-205.188.5.0-24
subnet 205.188.5.0 255.255.255.0
object network AIM_SERVERS-205.188.7.0-24
subnet 205.188.7.0 255.255.255.0
object network AIM_SERVERS-205.188.9.0-24
subnet 205.188.9.0 255.255.255.0
object network AIM_SERVERS-205.188.153.0-24
subnet 205.188.153.0 255.255.255.0
object network AIM_SERVERS-205.188.179.0-24
subnet 205.188.179.0 255.255.255.0
object network AIM_SERVERS-205.188.248.0-24
subnet 205.188.248.0 255.255.255.0
object network R1
host 192.168.1.30
object network R1_pub
host 192.168.159.141
object network INSIDE
subnet 192.168.1.0 255.255.255.0
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network NGFW-MGMT-IP
host 192.168.1.2
object network NGFW-MGMT-PUBLIC-IP
host 192.168.159.128
object-group network AIM_SERVERS
network-object object AIM_SERVERS-64.12.186.85
network-object object AIM_SERVERS-64.12.24.0-23
network-object object AIM_SERVERS-205.188.7.0-24
network-object object AIM_SERVERS-64.12.28.0-23
network-object object AIM_SERVERS-205.188.11.254
network-object object AIM_SERVERS-205.188.210.203
network-object object AIM_SERVERS-64.12.163.0-24
network-object object AIM_SERVERS-205.188.248.0-24
network-object object AIM_SERVERS-64.12.46.140
network-object object AIM_SERVERS-205.188.5.0-24
network-object object AIM_SERVERS-205.188.1.132
network-object object AIM_SERVERS-205.188.11.228
network-object object AIM_SERVERS-205.188.179.0-24
network-object object AIM_SERVERS-64.12.31.136
network-object object AIM_SERVERS-64.12.161.0-24
network-object object AIM_SERVERS-205.188.153.0-24
network-object object AIM_SERVERS-205.188.11.253
network-object object AIM_SERVERS-205.188.3.0-24
network-object object AIM_SERVERS-205.188.9.0-24
network-object object AIM_SERVERS-64.12.200.0-24
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L7 RULE: Permit_ICMP
access-list NGFW_ONBOX_ACL advanced permit ip ifc outside object any-ipv4 any rule-id 268435464
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L7 RULE: Drop Youtube
access-list NGFW_ONBOX_ACL advanced permit ip object PC1 any rule-id 268435462 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Inside_Outside
access-list NGFW_ONBOX_ACL advanced permit ip ifc inside any ifc outside any rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L7 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1 event-log flow-end
pager lines 23
logging enable
logging timestamp
logging console warnings
mtu outside 1500
mtu inside 1500
mtu diagnostic 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (any,outside) source dynamic any-ipv4 interface
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 192.168.159.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
ip-client diagnostic
ip-client diagnostic ipv6
ip-client outside
ip-client outside ipv6
ip-client inside
ip-client inside ipv6
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev2 policy 100
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 policy 160
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
console timeout 0
dhcpd dns 8.8.8.8 4.2.2.2
!
dhcpd address 192.168.1.21-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
Cryptochecksum:3fbd692e646397c0878e7b56fa39f900
: end

5 Replies 5

Francesco Molino
VIP Alumni
VIP Alumni
Hi

First of all the ace below allowing anything from outside is useless in this case:

access-list NGFW_ONBOX_ACL advanced permit ip ifc outside object any-ipv4 any rule-id 268435464

Are you able to ping internet from the ftp lina cli (asa mode)? Or from clish?

Can you run the following command please:

packet-tracer input inside icmp 192.168.1.100 8 0 8.8.8.8

When you ping from a device, can you run the command show xlate on ftd to see if your traffic is natted?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I can ping 8.8.8.8 only from expert mode. When I run command "packet-tracer input inside icmp 192.168.1.100 8 0 8.8.8.8 " I receive this: Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.159.2 using egress ifc outside Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group NGFW_ONBOX_ACL global access-list NGFW_ONBOX_ACL advanced permit ip ifc inside any ifc outside any rule -id 268435463 access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_P olicy access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Inside_Outside Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 3 Type: NAT Subtype: Result: ALLOW Config: nat (any,outside) source dynamic any-ipv4 interface Additional Information: Dynamic translate 192.168.1.100/0 to 192.168.159.130/58798 Phase: 4 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 5 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 6 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Phase: 7 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 8 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (any,outside) source dynamic any-ipv4 interface Additional Information: Phase: 9 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 10 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 11 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 21, packet dispatched to next module Phase: 12 Type: EXTERNAL-INSPECT Subtype: Result: ALLOW Config: Additional Information: Application: 'SNORT Inspect' Phase: 13 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Trace: Packet: ICMP Session: new snort session AppID: service ICMP (3501), application unknown (0) Firewall: trust/fastpath rule, id 268435463, allow Snort id 1, NAP id 2, IPS id 0, Verdict WHITELIST Snort Verdict: (fast-forward) fast forward this flow Phase: 14 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.159.2 using egress ifc outside Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (no-adjacency) No valid adjacency When I ping from outside device to br1 ftd, and running show xlate in ftd I receive this: show xlate 3 in use, 4 most used Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net NAT from outside:0.0.0.0/0 to any:0.0.0.0/0 flags sIT idle 0:18:03 timeout 0:00:00 TCP PAT from nlp_int_tap:169.254.1.2 22-22 to outside:192.168.159.130 22-22 flags sr idle 0:18:03 timeout 0:00:00 TCP PAT from nlp_int_tap:169.254.1.2 22-22 to inside:192.168.1.20 22-22 flags sr idle 0:18:03 timeout 0:00:00

I can ping 8.8.8.8 only from expert mode. When I run command "packet-tracer input inside icmp 192.168.1.100 8 0 8.8.8.8 " I receive this: Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.159.2 using egress ifc outside Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group NGFW_ONBOX_ACL global access-list NGFW_ONBOX_ACL advanced permit ip ifc inside any ifc outside any rule-id 268435463 access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Inside_Outside Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 3 Type: NAT Subtype: Result: ALLOW Config: nat (any,outside) source dynamic any-ipv4 interface Additional Information: Dynamic translate 192.168.1.100/0 to 192.168.159.130/45283 Phase: 4 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 5 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 6 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Phase: 7 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 8 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (any,outside) source dynamic any-ipv4 interface Additional Information: Phase: 9 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 10 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 11 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 24, packet dispatched to next module Phase: 12 Type: EXTERNAL-INSPECT Subtype: Result: ALLOW Config: Additional Information: Application: 'SNORT Inspect' Phase: 13 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Trace: Packet: ICMP Session: new snort session AppID: service ICMP (3501), application unknown (0) Firewall: trust/fastpath rule, id 268435463, allow Snort id 1, NAP id 2, IPS id 0, Verdict WHITELIST Snort Verdict: (fast-forward) fast forward this flow Phase: 14 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.159.2 using egress ifc outside Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (no-adjacency) No valid adjacency When I ping from outside device to br1 ftd, and running show xlate in ftd I receive this: 3 in use, 4 most used Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net NAT from outside:0.0.0.0/0 to any:0.0.0.0/0 flags sIT idle 0:23:26 timeout 0:00:00 TCP PAT from nlp_int_tap:169.254.1.2 22-22 to outside:192.168.159.130 22-22 flags sr idle 0:23:26 timeout 0:00:00 TCP PAT from nlp_int_tap:169.254.1.2 22-22 to inside:192.168.1.20 22-22 flags sr idle 0:23:26 timeout 0:00:00

Sorry for the format, I can't make it to be more visible.

No pb. Next time attach a text file to be a bit more readable please).

From expert mode, you're not in the asa dataplane and the rest isn't relevant.

From your packet-tracer we see the following at the end:
Action: drop Drop-reason: (no-adjacency) No valid adjacency

Can you ping your outside next hop ip?
Can you share the output of show route?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Review Cisco Networking for a $25 gift card