Migrating ASA5510 to FRP1010e issue

dimitrovv9898
Level 1

Hi colleagues,

I have the following issue: I'm migrating from a Cisco ASA5510 to an FRP1010e managed via FDM. The configuration is simple and I moved it to the new device (FRP1010e). I have configured one interface for OUTSIDE with a public address and a VLAN interface with an assigned inside IPv4 address, to which I assigned the other ports for internal communication; those ports are in "switched port" mode. When I switch the traffic from the old ASA to the new FRP1010e, everything looks fine: the PCs in the internal network have access to the Internet (outside) on the specified ports. I have defined NAT and ACL rules, but I cannot access them from outside. Interestingly, one of these services is accessible and works fine, and all the other services are configured exactly like the working one. I tried many scenarios but without success. Any ideas?

4 Replies

balaji.bandi
Hall of Fame

Maybe you need to post the config or do some troubleshooting.

Outside to inside: what kind of NAT, static NAT?

all other services are configured exactly like the working one

Provide some example working and not working.

Look at this example guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-nat.html

BB


Hi,

I'm using static NAT. I'm attaching screenshots of my NAT configuration.

This is the NAT rule for the working service, where local.Demo4 is an object with the internal IPv4 address and ext_Demo4 is an object with the external IPv4 address.

[image: dimitrovv9898_0-1712039813985.png]

This is the access list for the working service.

[image: dimitrovv9898_1-1712039979130.png]

And these are the identical NAT and ACL rules for the other services, which do not work.

[image: dimitrovv9898_2-1712040303673.png]

[image: dimitrovv9898_3-1712040352304.png]

AHack210
Cisco Employee

Hi, IIRC, if you used the default NAT policy that FDM creates during bootstrapping, the rule uses (inside,any), and this rule may be overriding the static NAT policies that you are configuring after the fact. Personally, I delete the (inside,any) rule and build more specific policies like (inside,outside).

Can you post a packet-tracer of the failing traffic? I usually run this from the LINA CLI:

> system support diagnostic-cli
FPR1150> en
Password: (no password, just press enter)
FPR1150# packet-tracer input outside tcp 208.13.96.5 1099 199.2.2.2 443 detailed

Where 199.2.2.2 is your outside interface IP and 443 is the port you are forwarding or allowing.

Also, as I am sure you know, your ACL should allow the "real IP" (RFC 1918 internal IP) of the host you are NATing to.
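A helper for reading the output of the packet-tracer command suggested above, added here as an example; it is not part of the original post and not Cisco tooling. It parses the per-phase trace printed by the LINA CLI, lists the NAT rule(s) that matched, recovers the real (un-NATed) destination from the UN-NAT phase, and names the phase that dropped the packet. The embedded SAMPLE_TRACE is constructed for this illustration (hypothetical objects local.Demo5 / ext_Demo5, documentation and RFC 1918 addresses, a hypothetical rule-id); it follows the ASA/FTD packet-tracer layout, but a real trace will carry more phases and fields.

```python
"""Summarise 'packet-tracer ... detailed' output from the ASA/FTD LINA CLI.

Added example, not from the thread or from Cisco. SAMPLE_TRACE below is
CONSTRUCTED (hypothetical objects local.Demo5 / ext_Demo5, RFC 5737 and
RFC 1918 addresses); it is not a capture from the poster's firewall.
"""
import re
from dataclasses import dataclass, field

PHASE_RE = re.compile(r"Phase:\s*(\d+)")
UNTRANSLATE_RE = re.compile(r"Untranslate\s+(\S+?)/(\d+)\s+to\s+(\S+?)/(\d+)")


@dataclass
class Phase:
    number: int
    type: str = ""          # e.g. ACCESS-LIST, UN-NAT, NAT, ROUTE-LOOKUP
    subtype: str = ""
    result: str = ""        # ALLOW or DROP
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class TraceSummary:
    phases: list
    action: str             # final "Action:" value (allow / drop)
    drop_reason: str        # final "Drop-reason:" value, "" if allowed
    nat_rules: list         # "nat (...)" config lines from NAT / UN-NAT phases
    first_drop_phase: int   # first phase whose Result is DROP, 0 if none


def parse_packet_tracer(text: str) -> TraceSummary:
    """Walk the trace line by line; phases first, then the final summary block."""
    phases, cur, section = [], None, None
    action, drop_reason, in_summary = "", "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":            # a bare "Result:" opens the final summary
            in_summary = True
            continue
        if in_summary:
            if line.startswith("Action:"):
                action = line.split(":", 1)[1].strip()
            elif line.startswith("Drop-reason:"):
                drop_reason = line.split(":", 1)[1].strip()
            continue
        m = PHASE_RE.fullmatch(line)
        if m:                            # "Phase: N" starts a new phase record
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line.startswith("Type:"):
            cur.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            cur.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    nat_rules = [l for p in phases if p.type in ("NAT", "UN-NAT")
                 for l in p.config if l.startswith("nat ")]
    first_drop = next((p.number for p in phases if p.result == "DROP"), 0)
    return TraceSummary(phases, action, drop_reason, nat_rules, first_drop)


def real_destination(summary: TraceSummary):
    """(real_ip, real_port) from the UN-NAT phase, i.e. what the ACL must permit."""
    for p in summary.phases:
        if p.type == "UN-NAT":
            m = UNTRANSLATE_RE.search("\n".join(p.info))
            if m:
                return m.group(3), int(m.group(4))
    return None


def diagnose(summary: TraceSummary) -> str:
    """One line a human can act on: where it dropped and which address to check."""
    nat = ", ".join(summary.nat_rules) or "no NAT rule matched"
    if summary.action.lower() != "drop":
        return f"ALLOWED via NAT [{nat}]"
    culprit = next((p for p in summary.phases if p.number == summary.first_drop_phase), None)
    where = f"phase {culprit.number} ({culprit.type})" if culprit else "unknown phase"
    real = real_destination(summary)
    hint = ""
    if culprit and culprit.type == "ACCESS-LIST" and real:
        hint = f"; access rule must permit the real address {real[0]}/{real[1]}, not the mapped one"
    return f"DROPPED at {where}: {summary.drop_reason or 'no drop reason'}; NAT [{nat}]{hint}"


# Constructed sample: static UN-NAT succeeds, then the access policy drops the flow.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local.Demo5 ext_Demo5
Additional Information:
NAT divert to egress interface inside
Untranslate 203.0.113.11/443 to 192.168.10.21/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268435456 event-log flow-start
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(diagnose(parse_packet_tracer(SAMPLE_TRACE)))
```

Save the real trace to a file and pass its contents to parse_packet_tracer(). If the drop lands in an ACCESS-LIST phase after a successful UN-NAT, the address to look for in the access rule is the real one that diagnose() prints, which is the point made in the reply above; if no NAT rule appears at all, the static rule never matched and the mapped address or interface pair is the thing to re-check.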

Hi, 

I don't use the default NAT policy, and I cannot post a packet-tracer of the failing traffic because the ports are in the down state and the traffic is passing via the ASA now.
