Cisco FTDv Firewall Initial Configuration issue with connectivity to AWS VPC
Hello AWS Community
I have an issue with the initial configuration on a Cisco FTDv Firewall (FDM). Pretty much the issue is that I cannot seem to receive the traffic on the FTDv when I try to reach any public addresses. A little bit about the setup:
4 Interfaces (Inside, Outside, MGMT and Diagnostic)
From the FTDv directly I can ping google (184.108.40.206) without issues.
From the subnets on AWS I can ping all interfaces of the FTDv, but not to google or any public subnet.
I did a packet tracer test on the firewall simulating any of the servers I have on AWS and traffic is allowed correctly.
However I never see the attempts reaching the FTD when I ping google or any public IP if I do it from the servers on the AWS VPC.
In the VPC my next hop for 0.0.0.0/0 is the Inside Interface NIC of the FTDv
PS: I do see the traffic of the servers on the Inside interface when I ping the interfaces of the FTDv, since those are working fine, but not when I ping anything public.
I also set up a capture on the FTDv and I never see the attempts from the internal servers, only when they try to reach anything public.
Seems like an issue between the FTDv and the AWS VPC.
Hoping somebody has some insight on it
Thanks in Advance
Hi, Thank you for reaching out.
If not done already, could you try to disable source/destination checks on the FTDv instance and see if that helps.
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance. You can disable the SrcDestCheck attribute for a NAT instance that's either running or stopped using the console or the command line.
See below to get more details on the feature and how-to:
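As an added illustration of the fix described in this answer (this script is not part of the original thread or of AWS's own documentation), the following shell script checks and, where needed, disables the source/destination check with the AWS CLI. It treats the check as a property of each elastic network interface, so it is run against the FTDv's forwarding interfaces (inside and outside); the `aws ec2 describe-network-interfaces` and `aws ec2 modify-network-interface-attribute --no-source-dest-check` commands are real AWS CLI calls, while the ENI ids passed on the command line are placeholders you replace with your own. It assumes the AWS CLI is installed and configured with permission for `ec2:DescribeNetworkInterfaces` and `ec2:ModifyNetworkInterfaceAttribute`.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): verify and disable the
# SourceDestCheck attribute on the firewall's forwarding ENIs.
# Assumptions: AWS CLI installed and authorised; ENI ids given as
# arguments are placeholders for the FTDv's real inside/outside ENIs.
set -eu

# Print the current SourceDestCheck value ("True" or "False") for one ENI.
src_dest_check_status() {
    eni="$1"
    aws ec2 describe-network-interfaces \
        --network-interface-ids "$eni" \
        --query 'NetworkInterfaces[0].SourceDestCheck' \
        --output text
}

# Turn the check off for one ENI so it may forward traffic that is neither
# sourced from nor addressed to the interface itself.
disable_src_dest_check() {
    eni="$1"
    aws ec2 modify-network-interface-attribute \
        --network-interface-id "$eni" \
        --no-source-dest-check
}

# For every ENI given: disable the check if it is still on, re-read the
# attribute, and print one status line per interface.
# Exit status 0 only when every interface ends with SourceDestCheck=False.
ensure_src_dest_check_off() {
    failed=0
    for eni in "$@"; do
        before=$(src_dest_check_status "$eni")
        if [ "$before" = "True" ]; then
            disable_src_dest_check "$eni"
            after=$(src_dest_check_status "$eni")
            echo "$eni: SourceDestCheck $before -> $after"
        else
            after=$before
            echo "$eni: SourceDestCheck already $before"
        fi
        [ "$after" = "False" ] || failed=1
    done
    return $failed
}

# Usage: ./ftdv-srcdest.sh eni-INSIDE-PLACEHOLDER eni-OUTSIDE-PLACEHOLDER
# Only the data-plane ENIs need the check off; the management ENI can keep it.
if [ "${1:-}" != "" ]; then
    ensure_src_dest_check_off "$@"
fi
```

Run it once after deploying the FTDv and again after any change that recreates an interface; a non-zero exit means at least one forwarding ENI still has the check enabled, which is exactly the state in which the VPC silently drops the servers' traffic before it reaches the firewall's inside interface.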
Excellent, this was the issue, thank you so much.