No internet behind FTD

san4ez39
Level 1

Hi,

I have this setup: Router -> FTD -> Switch -> PC.

Router sample config:

interface GigabitEthernet0/0/0
description ISP1
ip address dhcp
ip nat outside
media-type rj45
negotiation auto
no cdp enable
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside

ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp

ip ssh version 2
ip access-list standard 1
10 permit 192.168.1.0 0.0.0.255

 

On the router, interface Gi0/0/0 is connected to the ISP and receives a DHCP address.

Interface Gi0/1/0 is connected to FTD Port 1.

FTD Port 1 has an IP of 192.168.1.2, and FDM shows me that ISP, Gateway, DNS and Cloud services are reachable. I can ping everything, receive updates and have registered devices.

I had to add a static route on the FTD:

0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside - only after this could the FTD "see" outside.

Port 2 of the FTD I left without an IP address and configured 4 sub-interfaces on it (LAN, MGMT, Guest and Surveillance). All interfaces are in routed mode. I also disabled VLAN1 on the FTD. There are no NAT rules at the moment on the FTD.

I configured the switch: made 4 VLANs, and the VLAN IDs are correct on the switch and the FTD. Connected port 1 of the switch as a trunk port (switchport trunk allowed vlan 5,10,11,200) to FTD Port 2, and connected the PC to switch port 2 in access mode with the VLAN for LAN (switchport access vlan 10
switchport mode access).

My PC does receive an IP address from DHCP on the FTD, but the problem is that the PC does not have internet at all.

I can ping the gateway (one of the FTD sub-interfaces), but that is all. Tried to add NAT rules in the FTD, but it did not help. I think I missed some configuration in routing (on the FTD) or my NAT rules are bad (on the FTD).

Can someone give me a clue where my configuration is incorrect? I need to use all the devices (router, FTD, switch).

Thank you.

Accepted Solution

You need to add an ACL in the router to do NAT.

Also, you need a static route back to the FTD interface for those IP addresses from the router.

Example:

ip route 192.168.10.0 255.255.255.0 192.168.1.2 (192.168.1.2 is the FTD IP address) - you need to add the rest of the IP ranges the same way for this to work.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


9 Replies

balaji.bandi
Hall of Fame

I may be missing some information here. You have DHCP set up to get an IP address from the ISP; what address do you get from the ISP? 192.168.1.X or a public IP address?

You only have NAT for the IP addresses below:

 

ip access-list standard 1
10 permit 192.168.1.0 0.0.0.255
20 permit 192.168.5.0 0.0.0.255
30 permit 192.168.10.0 0.0.0.255
40 permit 192.168.11.0 0.0.0.255
50 permit 192.168.200.0 0.0.0.255

 

We do not see your access policy here. Hope you have an ACL allowing inside to outside any?

Hope the switch is acting as a Layer 2 switch, right? What IP address does the PC or user device get?

Let's start with a basic setup and see the Internet work before adding additional VLANs and stuff:

 

https://www.petenetlive.com/KB/Article/0001678

 

 

BB

The router receives a public IP address from the ISP.

DHCP for the VLANs is configured on the FTD device, per network.

Yes, the switch acts only as layer 2.

The computer receives an IP address from the FTD DHCP for LAN;

it will be 192.168.10.0/24.

 

You mean the ACL on the FTD device?

 

I have not added the IP ranges below for NAT in the router:

ip access-list standard 1
10 permit 192.168.1.0 0.0.0.255
20 permit 192.168.5.0 0.0.0.255
30 permit 192.168.10.0 0.0.0.255
40 permit 192.168.11.0 0.0.0.255
50 permit 192.168.200.0 0.0.0.255

I have only one network here in my router config:

10 permit 192.168.1.0 0.0.0.255

Yes, the ACL for NAT on the router has only a single permit. Assuming that I correctly understand that there is no address translation on the FTD, then you need to add these other permit statements to the router ACL.

HTH

Rick


Hi,

So I have this done in the router:

interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
no ip http server
no ip http secure-server
no ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 192.168.5.0 255.255.255.0 192.168.1.2 name MGMT
ip route 192.168.10.0 255.255.255.0 192.168.1.2 name LAN
ip route 192.168.11.0 255.255.255.0 192.168.1.2 name Kameros
ip route 192.168.200.0 255.255.255.0 192.168.1.2 name Guest
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
logging trap notifications
logging origin-id hostname
logging facility syslog
ip access-list standard 1
10 permit 192.168.1.0 0.0.0.255
20 permit 192.168.10.0 0.0.0.255
30 permit 192.168.5.0 0.0.0.255
40 permit 192.168.11.0 0.0.0.255
50 permit 192.168.200.0 0.0.0.255

 

Checked if I had any NAT rules; there are no NAT rules in the FTD.

The computer that is connected to switch port Gi1/0/1 receives an IP address from the LAN subnet, but still no internet.

I am still missing a route or something somewhere.

These are the routes that are in the FTD:

Gateway of last resort is 192.168.1.1 to network 0.0.0.0
 
S*       0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
C        192.168.1.0 255.255.255.0 is directly connected, outside
L        192.168.1.2 255.255.255.255 is directly connected, outside
C        192.168.5.0 255.255.255.0 is directly connected, mgmt
L        192.168.5.254 255.255.255.255 is directly connected, mgmt
C        192.168.10.0 255.255.255.0 is directly connected, lan
L        192.168.10.254 255.255.255.255 is directly connected, lan
C        192.168.11.0 255.255.255.0 is directly connected, kameors
L        192.168.11.254 255.255.255.255 is directly connected, kameors
C        192.168.200.0 255.255.255.0 is directly connected, guest
L        192.168.200.254 255.255.255.255 is directly connected, guest
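A check for the router side of this setup, added here as an example and not taken from any post in this thread: it parses the NAT ACL and the static routes out of IOS-style config text and reports, for each subnet behind the FTD, whether the router will translate it and whether it has a return route pointing at the FTD's outside address (192.168.1.2 in this thread). The config text, the subnet list and the function names are constructed for the example; the sample config deliberately reproduces the gap discussed above (subnets with no permit entry or no return route), and `suggest_fixes` prints the lines that would close each gap. It checks only the router; the FTD's own access-control and Security Intelligence policy still have to be verified separately.

```python
import ipaddress
import re

# Constructed sample modelled on the router config posted in this thread (not the
# poster's running config): two of the four FTD-side subnets have return routes,
# and only one of them is permitted by the NAT ACL.
ROUTER_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 192.168.5.0 255.255.255.0 192.168.1.2 name MGMT
ip route 192.168.10.0 255.255.255.0 192.168.1.2 name LAN
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
ip access-list standard 1
 10 permit 192.168.1.0 0.0.0.255
 20 permit 192.168.10.0 0.0.0.255
"""
FTD_OUTSIDE_IP = "192.168.1.2"   # FTD Port 1 address, as given in the thread
FTD_SUBNETS = ["192.168.5.0/24", "192.168.10.0/24",
               "192.168.11.0/24", "192.168.200.0/24"]   # FTD sub-interface networks


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> IPv4Network (assumes a contiguous wildcard such as 0.0.0.255)."""
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_router_config(config):
    """Pull the NAT ACL name, standard-ACL permits and static routes out of IOS config text."""
    nat_acl, current_acl = None, None
    acls = {}      # ACL name -> list of (sequence number, permitted IPv4Network)
    routes = []    # list of (destination IPv4Network, next hop or exit interface)
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ip nat inside source list (\S+)\b", line)
        if m:
            nat_acl, current_acl = m.group(1), None
            continue
        m = re.match(r"ip access-list standard (\S+)$", line)
        if m:
            current_acl = m.group(1)
            acls.setdefault(current_acl, [])
            continue
        m = re.match(r"(?:(\d+)\s+)?(permit|deny)\s+(\S+)(?:\s+(\S+))?", line)
        if m and current_acl is not None:           # entry inside the current ACL block
            if m.group(2) == "permit":
                addr, wildcard = m.group(3), m.group(4) or "0.0.0.0"
                if addr == "host":                  # "permit host A.B.C.D"
                    addr, wildcard = wildcard, "0.0.0.0"
                net = (ipaddress.IPv4Network("0.0.0.0/0") if addr == "any"
                       else wildcard_to_network(addr, wildcard))
                acls[current_acl].append((int(m.group(1) or 0), net))
            continue
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
        if m:
            dest = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((dest, m.group(3)))
        current_acl = None     # any other top-level line ends the ACL block
    return nat_acl, acls, routes


def check_ftd_subnets(config, ftd_subnets, ftd_ip):
    """Return {subnet: [problems]}; an empty list means the router both NATs and routes it."""
    nat_acl, acls, routes = parse_router_config(config)
    permitted = [net for _, net in acls.get(nat_acl, [])]
    findings = {}
    for subnet in ftd_subnets:
        net = ipaddress.IPv4Network(subnet)
        problems = []
        if not any(net.subnet_of(p) for p in permitted):
            problems.append(f"not permitted by NAT ACL {nat_acl}")
        if not any(net.subnet_of(dst) and hop == ftd_ip for dst, hop in routes):
            problems.append(f"no static route via {ftd_ip}")
        findings[subnet] = problems
    return findings


def suggest_fixes(config, ftd_subnets, ftd_ip):
    """IOS lines that would close every gap reported by check_ftd_subnets."""
    nat_acl, acls, _ = parse_router_config(config)
    next_seq = max((seq for seq, _ in acls.get(nat_acl, [])), default=0) + 10
    route_lines, acl_lines = [], []
    for subnet, problems in check_ftd_subnets(config, ftd_subnets, ftd_ip).items():
        net = ipaddress.IPv4Network(subnet)
        if any(p.startswith("no static route") for p in problems):
            route_lines.append(f"ip route {net.network_address} {net.netmask} {ftd_ip}")
        if any(p.startswith("not permitted") for p in problems):
            acl_lines.append(f" {next_seq} permit {net.network_address} {net.hostmask}")
            next_seq += 10
    if acl_lines:
        acl_lines.insert(0, f"ip access-list standard {nat_acl}")
    return route_lines + acl_lines


if __name__ == "__main__":
    for subnet, problems in check_ftd_subnets(ROUTER_CONFIG, FTD_SUBNETS, FTD_OUTSIDE_IP).items():
        print(f"{subnet}: {'ok' if not problems else '; '.join(problems)}")
    print("\n".join(suggest_fixes(ROUTER_CONFIG, FTD_SUBNETS, FTD_OUTSIDE_IP)))
```

Run against a `show running-config` saved to a file by replacing `ROUTER_CONFIG` with the file contents; a subnet that shows `ok` here can still fail if the FTD's own policy drops the traffic, so the FTD side needs its own check.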

san4ez39
Level 1

I have found the problem. It was on the FTD.

I had Security Intelligence dropping all connections on all networks. Removed a few rules, and everything is working.

 

Thank you for your help.

Glad to know our suggestions helped. As I stated in the first post, also look at any rules on the FTD. Good that you figured out the policy was wrong.

BB

@san4ez39, how did you remove the Security Intelligence rules? Can you please shed some light?

Thank you

Hi,

It is hard to recollect now precisely what I did, but in SI you have 2 tabs: Network and URL.

There you have a blocked and an allowed list. So my allow list is the networks that are defined in the FTD (internal VLANs etc.); none of my network objects are in the blacklist. And in the blacklist, all the bad things like bots, malware etc.

What do you have there in your configuration?
