Unable to Route LAN Traffic Through Firepower2110

mlong0000
Level 1

Hi,

I'm having a problem routing LAN traffic out through the firewall. I've read the multiple posts with the same problem but their solutions have not worked for me.

 

Traffic flow is:
Internet - Cisco ME3400 - Firepower2110 (ASA) - Switch - PC

 

Network diagram below:
[diagram image not included]

The ME3400 and the firewall can ping the internet (8.8.8.8).
If I assign the firewall outside address (86.x.x.2) to my laptop and plug it into the ME3400 I can access the internet.

But the switch on the 10 subnet cannot access the internet with ping, www or any service.

ME3400 config:
interface GigabitEthernet0/3
 description To Firewall
 switchport access vlan 200
!
interface GigabitEthernet0/9
 description To Internet
 switchport access vlan 10
!
interface Vlan10
 description Internet IP
 ip address 213.x.x.2 255.255.255.252
!
interface Vlan200
 description RIPE Address
 ip address 86.x.x.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 213.x.x.1

FP2110 config:
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 86.x.x.2 255.255.255.252
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 10.x.x.1 255.255.255.0
!
object network LAN
 subnet 10.x.x.0 255.255.255.0
!
object network LAN
 nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 86.x.x.1 1

The packet trace also looks OK:
ciscoasa# packet-tracer input inside icmp 10.x.x.50 8 0 8.8.8.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 86.x.x.1 using egress ifc outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.x.x.50/0 to 86.x.x.2/36571

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 87684, packet dispatched to next module

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.x.x.50/0 to 86.x.x.2/36571

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 86.x.x.1 using egress ifc outside

Phase: 12
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address xxxx.xxxx.xxxx hits 26872 reference 543

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Clients on the switch can ping the inside address of the firewall (10.x.x.1) but cannot get past it, i.e. they cannot ping 8.8.8.8.

I thought I had things covered with the object NAT and route outside but no joy. Can someone see what the problem is?

Thanks
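
As an added example (not part of the original post, and not Cisco tooling), a small Python parser for ASA packet-tracer output like the trace above. It splits the output into phases, records the closing "Result:" block, and reports the first phase that dropped the packet together with the Drop-reason, so a trace that does not end in "Action: allow" can be read at a glance. The two traces inside it are constructed, abridged samples in the same shape as the post's output; the access-list lines and the drop reason in the second sample are illustrative and are not taken from the poster's configuration.

```python
import re
from dataclasses import dataclass, field

# Constructed, abridged traces shaped like the packet-tracer output in the post
# (addresses anonymised the same way); not captured from a real firewall.
ALLOW_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 86.x.x.1 using egress ifc outside

Phase: 2
Type: NAT
Result: ALLOW
Config:
object network LAN
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.x.x.50/0 to 86.x.x.2/36571

Result:
output-interface: outside
Action: allow
"""

DROP_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_in in interface inside
access-list inside_in extended deny ip any any
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)

def parse_packet_tracer(text):
    """Return (phases, final): one Phase per block, plus the closing 'Result:' summary as a dict."""
    phases, final, current, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:                                   # new phase header
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
        elif line == "Result:":                 # bare 'Result:' opens the final summary
            section = "final"
        elif section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif current is None:                   # e.g. the echoed command line
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            setattr(current, key.lower(), value.strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            getattr(current, section).append(line)
    return phases, final

def first_drop(phases):
    """First phase that drops the packet, or None if every phase allowed it."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)

def summarize(text):
    """The facts checked first when a flow fails: verdict, egress interface, NAT, drop point."""
    phases, final = parse_packet_tracer(text)
    info = "\n".join(line for p in phases for line in p.info)
    nat = re.search(r"Dynamic translate (\S+) to (\S+)", info)
    egress = re.search(r"using egress ifc (\S+)", info)
    drop = first_drop(phases)
    return {
        "action": final.get("Action"),
        "egress": egress.group(1) if egress else None,
        "nat": nat.groups() if nat else None,
        "drop_phase": (drop.number, drop.type) if drop else None,
        "drop_reason": final.get("Drop-reason"),
    }
```

summarize() returns a dict rather than printing so the result can be checked or fed into a report. For the allow case it reports what the post's trace shows (egress via outside, translation to 86.x.x.2/port); a trace the firewall itself drops would instead name the phase and the Drop-reason. When the trace allows the flow, as it does here, the ASA's own policy is not where the packet is being lost, and the investigation moves to the path beyond the firewall.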

1 Reply

mlong0000
Level 1

I tried changing the NAT address presented to 86.x.x.2, which is on the ME3400. It's not right, but I wanted to see what would happen.

object network LAN
 nat (inside,outside) dynamic 86.x.x.2

It didn't make any difference though.
