No WAN Access on FPR through ISR [LAN works fine among vlans]

TheGoob
Level 4

Hello

I was wondering about NAT/ACL placement.

I have an ISR which has NAT/ACL for 4 Network/WAN IP Translation and works fine. But incorporating an FTD for 2 more Networks/WAN IP Translations, does the NAT/ACL still need to be on ISR or can the NAT/ACL be done on FTD?

1 Accepted Solution (TheGoob's reply below, beginning "I think I am onto something")

14 Replies

TheGoob
Level 4

I wonder if this would be accurate. Being that the ISR is the Internet facing Router and the FTD connects to the ISR (ISR 192.168.7.1 FTD 192.168.7.2) would I create a NAT such as this (on ISR);

access-list 1 permit 192.168.7.0 0.0.0.255

ip nat pool WANPOOL 207.108.121.180 207.108.121.181 netmask 255.255.255.0

ip nat inside source list 1 pool WANPOOL

On FTD;

I do not know correct formula here but generally speaking I would NAT “outside” Interface (host ip 207.108.121.180) with “inside” interface (network 192.168.1.0) and same for the other NAT?

 

Would this be correct procedure? 

liviu.gheorghe
Spotlight

> I wonder if this would be accurate. Being that the ISR is the Internet facing Router and the FTD connects to the ISR (ISR 192.168.7.1 FTD 192.168.7.2) would I create a NAT such as this (on ISR);
>
> access-list 1 permit 192.168.7.0 0.0.0.255
>
> ip nat pool WANPOOL 207.108.121.180 207.108.121.181 netmask 255.255.255.0
>
> ip nat inside source list 1 pool WANPOOL

Yes. This configuration does NAT for the interconnect LAN between the ISR and the FTD.

> On FTD;
>
> I do not know the correct formula here but generally speaking I would NAT "outside" Interface (host ip 207.108.121.180) with "inside" interface (network 192.168.1.0) and same for the other NAT?
>
> Would this be correct procedure?

On the FTD, you will NAT any "inside" into the "outside" interface, but in your case the outside interface IP is 192.168.7.2.

Regards, LG
*** Please Rate All Helpful Responses ***

Hi there

 

Alright, cool, I am onto something. In your first reply you mentioned using 192.168.7.2 as the outside IP, which I do understand as it is the "outside", but in which configuration (ISR or FTD (I presume)) is 192.168.1.0 associated specifically with 207.108.121.180 and 192.168.2.0 with 207.108.121.181? Sort of confusing because the pool on the ISR was 2 WAN IPs, but I am still unsure how the FTD knows which goes where. Again, I am doing full network/subnet to specific WAN IP.

Your second response… How would I not need NAT on both considering there is the SVI link between the 2 on a completely different network, whose purpose is just the link. Barely grasping at straws here reading and trying to figure it out so the 2nd response sort of confuses me. 

liviu.gheorghe
Spotlight

You can leave the traffic that transits the FPR not NAT-ed and do the NAT on the ISR, or you can NAT the traffic on the FPR and not do it on the ISR and also ensure the ISR has a route back to the FPR for the NAT-ed IP's.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob
Level 4

I have a couple of things going on here I can not explain. First of all, NEXUS w/ 6 vlans: everything on the LAN/vlan side can see each other. Perfect. But only vlan 4-7 [Nexus to ISR] can access the Internet on their correct WAN IP; vlan 2-3 [Nexus to FTD to ISR] can not even ping past the FTD.

I have PBR set up on the Nexus directing vlan 2-3 back towards the FTD and vlan 4-7 towards the ISR... With this I assume I need no more default ip route? I ask because with NO default route, nothing connects to the Internet. When I do a default route, vlan 4-7 connects. So, not sure if with PBR I still need 2 default routes? Anyway, that's only some of the issue. The other is I can not even ping from the FTD to the ISR. FTD 192.168.7.2 and ISR 192.168.7.1, so I am just confused. I will post 3 running configs: ISR, FTD and NEXUS. I think really what is focused on is why vlan 2-3 can not connect to the Internet.

 

NEXUS

feature telnet
feature pbr
feature interface-vlan

ip access-list vlan2
  10 permit ip 192.168.1.0/32 any
ip access-list vlan3
  10 permit ip 192.168.2.0/32 any
ip access-list vlan4
  10 permit ip 192.168.3.0/32 any
ip access-list vlan5
  10 permit ip 192.168.4.0/32 any
ip access-list vlan6
  10 permit ip 192.168.6.0/32 any
ip access-list vlan7
  10 permit ip 192.168.5.0/32 any

! Have to use this or else PBR apparently doesn't work, or the PBR doesn't work so I have to do this
ip route 0.0.0.0/0 192.168.5.2
vlan 1-7

route-map vlan-access-ISR pbr-statistics
route-map vlan-access-ISR permit 10
  match ip address vlan4
  set ip next-hop 192.168.5.2
route-map vlan-access-ISR permit 20
  match ip address vlan5
  set ip next-hop 192.168.5.2
route-map vlan-access-ISR permit 30
  match ip address vlan6
  set ip next-hop 192.168.5.2
route-map vlan-access-ISR permit 40
  match ip address vlan7
  set ip next-hop 192.168.5.2
route-map vlan-access-ftd pbr-statistics
route-map vlan-access-ftd permit 10
  match ip address vlan2
  set ip next-hop 192.168.1.2
route-map vlan-access-ftd permit 20
  match ip address vlan3
  set ip next-hop 192.168.1.2
vrf context management


interface Vlan1
  no shutdown
  ip address 192.168.10.3/24

interface Vlan2
  no shutdown
  ip address 192.168.1.1/24

interface Vlan3
  no shutdown
  ip address 192.168.2.1/24

interface Vlan4
  no shutdown
  ip address 192.168.3.1/24

interface Vlan5
  no shutdown
  ip address 192.168.4.1/24

interface Vlan6
  no shutdown
  ip address 192.168.6.1/24

interface Vlan7
  no shutdown
  ip address 192.168.5.1/24
  ip policy route-map vlan-access-ISR

interface Ethernet1/1
  switchport mode trunk
  switchport trunk native vlan 7
  switchport trunk allowed vlan 4-7

interface Ethernet1/49
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 2-3
ISR

version 17.9
ip name-server 205.171.3.65 205.171.2.65
ip dhcp excluded-address 192.168.3.0 192.168.3.2
ip dhcp excluded-address 192.168.3.130 192.168.3.255
ip dhcp excluded-address 192.168.4.0 192.168.4.2
ip dhcp excluded-address 192.168.4.129 192.168.4.255
ip dhcp excluded-address 192.168.5.0 192.168.5.2
ip dhcp excluded-address 192.168.5.129 192.168.5.255
ip dhcp excluded-address 192.168.6.0 192.168.6.2
ip dhcp excluded-address 192.168.6.129 192.168.6.255
!
ip dhcp pool 3
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool 4
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool 5
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 8.8.8.8
 lease infinite
!
ip dhcp pool 6
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
 dns-server 8.8.8.8
 lease infinite
!
vlan 4-8
!
interface GigabitEthernet0/0/0
 description WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1412
 negotiation auto
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
 spanning-tree portfast disable
!
interface GigabitEthernet0/0/1
 description Management
 ip address 192.168.8.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1/1
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/1/2
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet0/1/3
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/1/4
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/1/5
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1/6
 switchport access vlan 8
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1/7
 switchport trunk native vlan 7
 switchport trunk allowed vlan 4-7
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface Vlan4
 ip address 192.168.3.2 255.255.255.0
 ip nat inside
!
interface Vlan5
 ip address 192.168.4.2 255.255.255.0
 ip nat inside
!
interface Vlan6
 ip address 192.168.6.2 255.255.255.0
 ip nat inside
!
interface Vlan7
 description inside
 ip address 192.168.5.2 255.255.255.0
 ip nat inside
!
interface Vlan8
 ip address 192.168.7.1 255.255.255.0
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 ip mtu 1460
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp mtu adaptive
 ppp authentication chap pap callin
 ppp ipcp dns request
 ppp ipcp route default
!
ip nat pool 177 207.108.121.177 207.108.121.177 prefix-length 30
ip nat pool 178 207.108.121.178 207.108.121.178 prefix-length 30
ip nat pool 179 207.108.121.179 207.108.121.179 prefix-length 30
ip nat pool 182 207.108.121.182 207.108.121.182 prefix-length 30
ip nat pool WANPOOL 207.108.121.180 207.108.121.181 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 4 pool 179 overload
ip nat inside source list 5 pool 178 overload
ip nat inside source list 6 pool 182 overload
ip nat inside source list 7 pool 177 overload
ip nat inside source list 15 pool WANPOOL
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 192.168.7.2
ip route 192.168.2.0 255.255.255.0 192.168.7.2
!
!
!
ip access-list standard 1
 10 permit 192.168.8.0 0.0.0.255
ip access-list standard 4
 10 permit 192.168.3.0 0.0.0.255
ip access-list standard 5
 10 permit 192.168.4.0 0.0.0.255
ip access-list standard 6
 10 permit 192.168.5.0 0.0.0.255
ip access-list standard 7
 10 permit 192.168.6.0 0.0.0.255
ip access-list standard 15
 10 permit 192.168.7.0 0.0.0.255
dialer-list 1 protocol ip permit

 

FTD

NGFW Version 7.3.1

!
interface Vlan1
 nameif inside
 security-level 0
 ip address 192.168.95.1 255.255.255.0
!
interface Vlan2
 nameif fbeye
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
 nameif fhc
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet1/1
 no switchport
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.7.2 255.255.255.0
!
interface Ethernet1/2
 switchport
 no security-level
!
interface Ethernet1/3
 switchport
 no security-level
!
interface Ethernet1/4
 switchport
 no security-level
!
interface Ethernet1/5
 switchport
 no security-level
!
interface Ethernet1/6
 switchport
 no security-level
!
interface Ethernet1/7
 switchport
 power inline auto
 no security-level
!
interface Ethernet1/8
 switchport
 switchport trunk allowed vlan 2-3
 switchport trunk native vlan 2
 switchport mode trunk
 power inline auto
 no security-level
!
interface Management1/1
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
 name-server 208.67.222.222
 name-server 208.67.220.220
 name-server 2620:119:35::35
object network OutsideIPv4Gateway
 host 192.168.7.1
object network OutsideIPv4DefaultRoute
 subnet 0.0.0.0 0.0.0.0
object network fbeye_lan
 subnet 192.168.1.0 255.255.255.0
object network fbeye_wan
 host 207.108.121.180
object network fhc_lan
 subnet 192.168.2.0 255.255.255.0
object network fhc_wan
 host 207.108.121.181
nat (fbeye,outside) source dynamic fbeye_lan fbeye_wan
nat (fhc,outside) source dynamic fhc_lan fhc_wan
!
nat (inside,outside) after-auto source dynamic any-ipv4 interface

route outside 0.0.0.0 0.0.0.0 192.168.7.1 1
dhcpd auto_config outside
!
dhcpd address 192.168.95.5-192.168.95.254 inside
dhcpd enable inside
!
dhcpd address 192.168.1.3-192.168.1.189 fbeye
dhcpd option 3 ip 192.168.1.1 interface fbeye
dhcpd enable fbeye
!
dhcpd address 192.168.2.3-192.168.2.189 fhc
dhcpd option 3 ip 192.168.2.1 interface fhc
dhcpd enable fhc

 

 

TheGoob
Level 4

Any assistance would be greatly appreciated.

TheGoob
Level 4

Bump

TheGoob
Level 4

Hello, so I have seen and read and been advised on various methods to achieve this but I was wanting to go the route where the FPR has the ACL’s for connectivity.

To simplify my configuration as a whole: I have 6 usable static WAN IPs but am only going to focus on the 2 that pass through the FPR from the ISR1100.

On the ISR, and the only configuration with these 2 WAN Ip’s are;

 

ISR

access-list 1 permit 192.168.7.0 0.0.0.255

   Permission for network on FPR to be allowed.

  Would this ACL on the ISR be for the LINK between ISR and FPR [192.168.7.0], or for the networks at the end, on the FPR [192.168.1.0 and 192.168.2.0]?

ip nat pool WANPOOL 207.108.121.180 207.108.121.181 netmask 255.255.255.0

   The 2 WAN IP’s in a ‘pool’ to use

ip nat inside source list 1 pool WANPOOL

   Assigning the Permit ACL to the WANPOOL w/ source coming from ‘inside’.

 

The only configuration on FPR, at this stage;

FPR

nat inside any outside interface

 

At this stage I am not really sure how to verify functionality, because what is most important, and missing from my scenario, is at what stage (which NAT configuration) the FPR knows that, at the end of the day, WAN IP 207.108.121.180 is to be NAT'd to 192.168.1.0 and WAN IP 207.108.121.181 is to be NAT'd to 192.168.2.0.

So far I am to assume the ISR is sending the WANPOOL to be accessible via 192.168.7.1 (ISR SVI towards FPR) and then on FPR 192.168.7.2 is the GE1/1 ‘outside’ interface. Then the FPR is NAT’ng the ‘outside’ Interface (192.168.7.2) to ‘any inside’ interface. I am just lost as to where the specific LAN Networks come in to play and NAT’d to their WAN IP.

 

Am I reaching too far out there to assume I need 2 more NATS placed ‘below’ that FPR NAT; ‘inside vlan1 outside wanip1’ and ‘inside vlan2 outside wanip2’?

vlan1 - 192.168.1.0 wanip1 - 207.108.121.180

vlan2 - 192.168.2.0 wanip2 - 207.108.121.181

Hello @TheGoob ,

Your FW FPR has no public IP addresses on it; its outside interface has the following IP address:

ip address 192.168.7.2 255.255.255.0

  so remove

no nat (fbeye,outside) source dynamic fbeye_lan fbeye_wan
no nat (fhc,outside) source dynamic fhc_lan fhc_wan

and make them like the inside

nat fbeye any outside interface

nat fhc any outside interface

When traffic comes back from the internet, how can the ISR know that those two public IP addresses are on the FPR?

This is why your current setup does not work

Hope to help

Giuseppe

 

TheGoob
Level 4

I think I am onto something.

Not sure if right, but..works?

ISR

ip nat pool 181 207.108.121.181 207.108.121.181 prefix-length 30
ip nat pool 180 207.108.121.180 207.108.121.180 prefix-length 30

ip nat inside source list 8 pool 181 overload
ip nat inside source list 9 pool 180 overload

ip route 192.168.1.0 255.255.255.0 192.168.7.2
ip route 192.168.2.0 255.255.255.0 192.168.7.2

ip access-list standard 8
   10 permit 192.168.2.0 0.0.0.255
ip access-list standard 9
   10 permit 192.168.1.0 0.0.0.255

FPR

No NAT rules at all except default 'inside any outside interface'

ACL's are "inside trust outside" and "inside trust inside".

NOW, what is weird: apparently my Nexus inter-vlan routing is not working, because unless I add ANOTHER ACL allowing vlan 7 [also on the Nexus with vlan 2-3] to the FPR from the ISR, vlan 7 can not connect. I thought on the same device inter-vlan was automatically "yes"?

 

Hello @TheGoob ,

Yes, moving the NAT to the ISR allows you to NAT the two subnets to two different NAT pools.

For FPR you need to verify what happens because it has also auto NAT rules and you may need to write ACLs to describe allowed traffic.

Are you using the FDM GUI to configure the FPR, or is it running ASA OS?

Is the FPR in FTD mode with Firepower OS, or is it running ASA OS?

Hope to help

Giuseppe

 

Hello, I am using the FPR1010 which is using FDM [over FTD]?

Yeah, I have the 2 NATs on the ISR and then the default NAT on the FPR [nat inside to out]. All seems to work; each LAN network has its own correct WAN IP. So that was nice.

All seems to work correctly except what I believe to be the INTER-VLAN Routing is not, on the Nexus. Though 2 IP's are going from ISR to FPR, I have another 4 Static WAN IP's going from ISR to Nexus.

All 6 IPs' [WAN to LAN] networks appear on the Nexus, vlan 2-7. What I find strange is, each vlan has an SVI, so I was to assume inter-vlan routing, but this is not the case. Data from vlan 4-7 appear to need to run through the ISR then the FPR to touch vlan 2-3 back on the Nexus. This seems very odd. Like I said, probably a weird routing protocol I have overlooked. I do have feature interface-vlan enabled. AGAIN, in the same vein, I feel it is off/something not right that I DO need an ACL for 1 vlan on the Nexus to access another vlan on the Nexus.

Alright, I moved the NAT to the ISR which allows me to create two subnets; 207.108.121.180 to 192.168.1.0 and 207.108.121.181 to 192.168.2.0.

Seems to work as both vlans associated to them get the correct WAN IP when I connect. For any incoming [outside to in] for let’s say email server, would that ACL and NAT TRANSLATION [wan to specific port and specific lan ip] for the Email be done on the ISR or FPR. I ask because you also mentioned FPR also has NAT. 
Correct me if I am wrong;

The ISR does the initial NAT because it is INTERNET facing and clearly needs to know what network the WAN IP goes to. I also assume that I need additional NAT entries (on the ISR) to port-forward certain ports from WAN to a specific LAN, or would those more port-specific NAT entries be on the FPR along with the ACL to permit the access?

Currently I have only 1 NAT on FPR, inside any outside interface. I can not fathom why another NAT would be needed because ISR already says what LAN the WAN belongs to. 
I’ve never routed between 2 routers before so the NAT/ACL placement sort of threw my mind into jelly. It’s really bizarre it’s like I lost my foothold by adding a second router. 
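An added example for the port-forward question above (not part of the thread and not the poster's config): an inbound translation placed on the ISR, the device that owns the public addresses, in IOS-XE 17.9 syntax. The public address, the pool and the return route are the ones in the posted ISR config; 192.168.1.10 as the mail server address is an assumption.

```cisco
! Added example, not from the thread: inbound TCP/25 to a mail server on the
! fbeye network (192.168.1.0/24) translated on the ISR.
! Assumption: the mail server is 192.168.1.10.

! Static PAT: 207.108.121.180:25 -> 192.168.1.10:25. A static entry takes
! precedence over the dynamic 'list 9 pool 180 overload' rule that already
! uses the same public address for outbound traffic; 'extendable' is the
! keyword normally used when one global address carries several translations.
ip nat inside source static tcp 192.168.1.10 25 207.108.121.180 25 extendable

! The return route Giuseppe's reply identified as required: after the
! translation the ISR must know that 192.168.1.0/24 lives behind the FPR.
ip route 192.168.1.0 255.255.255.0 192.168.7.2

! IOS NAT only translates packets that cross from an 'ip nat inside' to an
! 'ip nat outside' interface (and back). Vlan8, the interface toward the FPR,
! has no 'ip nat inside' line in the posted config; it needs one for the
! static entry above and the 'list 8 / list 9' overload rules to apply to
! 192.168.1.0/24 and 192.168.2.0/24.
interface Vlan8
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
```

With the translation on the ISR, the FPR only ever sees private addresses: the inbound packet reaches its outside interface (192.168.7.2) already destined to 192.168.1.10:25, so no NAT rule is needed there, only an FDM access control rule permitting outside to fbeye, destination 192.168.1.10, TCP/25, and nothing broader. On the ISR, `show ip nat translations` lists the static entry, and `show ip nat statistics` shows Vlan8 among the inside interfaces once the line is applied.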

TheGoob
Level 4

Maybe something on here would reflect why local Nexus inter-vlan is not working?

NOTE: Upon further research it seems possible that my PBR is affecting/cancelling the inter-vlan routing. Unfortunately I am not finding a solution.

Also, it seems default next-hop was not an option until 10.2, which is not at all supported on the 9K that I have. So unless there is a workaround to keep the PBR intact but have the Nexus route "locally [vlan to vlan]", it seems I am royally screwed.

 

 

 

version 9.3(10) Bios:version 07.69
switchname NexusHOM

feature telnet
feature pbr
feature interface-vlan
feature dhcp

ip domain-lookup
ip access-list vlan2ip
  10 permit ip 192.168.1.0 0.0.0.255 any
ip access-list vlan3ip
  10 permit ip 192.168.2.0 0.0.0.255 any
ip access-list vlan4ip
  10 permit ip 192.168.3.0 0.0.0.255 any
ip access-list vlan5ip
  10 permit ip 192.168.4.0 0.0.0.255 any
ip access-list vlan6ip
  10 permit ip 192.168.6.0 0.0.0.255 any
ip access-list vlan7ip
  10 permit ip 192.168.5.0 0.0.0.255 any

vlan 1-7

route-map vlan2map permit 10
  match ip address vlan2ip
  set ip next-hop 192.168.1.2
route-map vlan3map permit 10
  match ip address vlan3ip
  set ip next-hop 192.168.2.2
route-map vlan4map permit 10
  match ip address vlan4ip
  set ip next-hop 10.0.0.1
route-map vlan5map permit 10
  match ip address vlan5ip
  set ip next-hop 10.0.0.1
route-map vlan6map permit 10
  match ip address vlan6ip
  set ip next-hop 10.0.0.1
route-map vlan7map permit 10
  match ip address vlan7ip
  set ip next-hop 10.0.0.1
service dhcp
ip dhcp relay
ipv6 dhcp relay
vrf context management


interface Vlan1
  no shutdown
  ip address 192.168.10.3/24

interface Vlan2
  no shutdown
  ip address 192.168.1.1/24
  ip policy route-map vlan2map
  ip dhcp relay address 192.168.1.2

interface Vlan3
  no shutdown
  ip address 192.168.2.1/24
  ip policy route-map vlan3map
  ip dhcp relay address 192.168.2.2

interface Vlan4
  no shutdown
  ip address 192.168.3.1/24
  ip policy route-map vlan4map
  ip dhcp relay address 10.0.0.1

interface Vlan5
  no shutdown
  ip address 192.168.4.1/24
  ip policy route-map vlan5map
  ip dhcp relay address 10.0.0.1

interface Vlan6
  no shutdown
  ip address 192.168.6.1/24
  ip policy route-map vlan6map
  ip dhcp relay address 10.0.0.1

interface Vlan7
  no shutdown
  ip address 192.168.5.1/24
  ip policy route-map vlan7map
  ip dhcp relay address 10.0.0.1

! interfaces Ethernet1/1 - 1/94 are assigned their vlan (omitted)

interface Ethernet1/95
  description Link_to_ISR
  no switchport
  ip address 10.0.0.2/24
  no shutdown

interface Ethernet1/96
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 2-3
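An added example for the PBR problem described in the post above (not part of the thread and not the poster's config), in NX-OS 9.3 syntax. PBR is evaluated on ingress to the SVI, before the routing-table lookup, so an ACL of `permit ip <vlan subnet> any` also matches packets whose destination is another VLAN on the same Nexus and sets the ISR or FPR next hop on them. A packet that matches a deny ACE of the route-map's ACL is not policy-routed and is forwarded by the normal routing table, so denying the locally connected subnets ahead of the permit restores inter-VLAN routing without `set ip default next-hop`. The ACL names, subnets and route-maps are the ones in the posted config; the example replaces the ACL bodies only.

```cisco
! Added example, not from the thread: PBR match ACLs that exempt the other
! SVI subnets so VLAN-to-VLAN traffic stays on the Nexus. A deny ACE means
! "not policy-routed, use the routing table"; the final permit keeps the
! existing behaviour for everything else (Internet-bound traffic).

ip access-list vlan2ip
  10 deny ip 192.168.1.0/24 192.168.2.0/24
  20 deny ip 192.168.1.0/24 192.168.3.0/24
  30 deny ip 192.168.1.0/24 192.168.4.0/24
  40 deny ip 192.168.1.0/24 192.168.5.0/24
  50 deny ip 192.168.1.0/24 192.168.6.0/24
  60 permit ip 192.168.1.0/24 any

ip access-list vlan3ip
  10 deny ip 192.168.2.0/24 192.168.1.0/24
  20 deny ip 192.168.2.0/24 192.168.3.0/24
  30 deny ip 192.168.2.0/24 192.168.4.0/24
  40 deny ip 192.168.2.0/24 192.168.5.0/24
  50 deny ip 192.168.2.0/24 192.168.6.0/24
  60 permit ip 192.168.2.0/24 any

ip access-list vlan4ip
  10 deny ip 192.168.3.0/24 192.168.1.0/24
  20 deny ip 192.168.3.0/24 192.168.2.0/24
  30 deny ip 192.168.3.0/24 192.168.4.0/24
  40 deny ip 192.168.3.0/24 192.168.5.0/24
  50 deny ip 192.168.3.0/24 192.168.6.0/24
  60 permit ip 192.168.3.0/24 any

ip access-list vlan5ip
  10 deny ip 192.168.4.0/24 192.168.1.0/24
  20 deny ip 192.168.4.0/24 192.168.2.0/24
  30 deny ip 192.168.4.0/24 192.168.3.0/24
  40 deny ip 192.168.4.0/24 192.168.5.0/24
  50 deny ip 192.168.4.0/24 192.168.6.0/24
  60 permit ip 192.168.4.0/24 any

ip access-list vlan6ip
  10 deny ip 192.168.6.0/24 192.168.1.0/24
  20 deny ip 192.168.6.0/24 192.168.2.0/24
  30 deny ip 192.168.6.0/24 192.168.3.0/24
  40 deny ip 192.168.6.0/24 192.168.4.0/24
  50 deny ip 192.168.6.0/24 192.168.5.0/24
  60 permit ip 192.168.6.0/24 any

ip access-list vlan7ip
  10 deny ip 192.168.5.0/24 192.168.1.0/24
  20 deny ip 192.168.5.0/24 192.168.2.0/24
  30 deny ip 192.168.5.0/24 192.168.3.0/24
  40 deny ip 192.168.5.0/24 192.168.4.0/24
  50 deny ip 192.168.5.0/24 192.168.6.0/24
  60 permit ip 192.168.5.0/24 any

! The route-maps and 'ip policy route-map' lines on the SVIs stay exactly as
! posted; only the ACLs they match on change.
```

To check the effect, enable `route-map vlan2map pbr-statistics` (as the earlier posted config did for its route-maps) and compare `show route-map vlan2map pbr-statistics` before and after a ping from a VLAN 2 host to a VLAN 4 host: after the change the inter-VLAN ping must no longer increment the policy-routed counter, while a ping to an Internet address still does. Traffic to the 10.0.0.0/24 and 192.168.7.0/24 link networks is deliberately left policy-routed, since their next hops are the same devices anyway.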

 

 
