Cisco FTDv Firewall Initial Configuration issue with connectivity to AWS VPC
Hello AWS Community
I have an issue with the initial configuration on a Cisco FTDv firewall (FDM). Pretty much, the issue is that I cannot seem to receive the traffic on the FTDv when I try to reach any public addresses. A little bit about the setup:
4 Interfaces (Inside, Outside, MGMT and Diagnostic)
From the FTDv directly I can ping Google (8.8.8.8) without issues.
From the subnets on AWS I can ping all interfaces of the FTDv, but not Google or any public subnet.
I did a packet tracer test on the firewall simulating any of the servers I have on AWS, and traffic is allowed correctly.
However, I never see the attempts reaching the FTD when I ping Google or any public IP if I do it from the servers on the AWS VPC.
In the VPC my next hop for 0.0.0.0/0 is the Inside interface NIC of the FTDv.
PS: I do see the traffic of the servers on the Inside interface when I ping the interfaces of the FTDv, since those are working fine, but not when I ping anything public.
I also set up a capture on the FTDv and I never see attempts from the internal servers, only when they try to reach anything public.
Seems like an issue between the FTDv and the AWS VPC.
Hoping somebody has some insight on it
Thanks in Advance
Hi, Thank you for reaching out.
If not done already, could you try to disable source/destination checks on the FTDv instance and see if that helps.
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.
You can disable the SrcDestCheck attribute for a NAT instance that's either running or stopped using the console or the command line.
See below to get more details on the feature and how-to:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
HTH
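As an added example (not from the answer above or from AWS), here is a small audit helper that reads the JSON returned by `aws ec2 describe-network-interfaces`, lists the ENIs of a given firewall instance that still have SourceDestCheck enabled, and emits the per-interface CLI command to disable it. The instance ID, ENI IDs and addresses below are constructed placeholders; a multi-NIC appliance like the FTDv needs the attribute cleared on each forwarding ENI, since the instance-level attribute only covers the primary interface.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-interfaces`
# output (trimmed to the fields used here). All IDs are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0mgmt0placeholder", "Description": "ftdv-mgmt",
         "SourceDestCheck": True, "PrivateIpAddress": "10.0.0.10",
         "Attachment": {"InstanceId": "i-0ftdvplaceholder", "DeviceIndex": 0}},
        {"NetworkInterfaceId": "eni-0diag0placeholder", "Description": "ftdv-diagnostic",
         "SourceDestCheck": True, "PrivateIpAddress": "10.0.0.11",
         "Attachment": {"InstanceId": "i-0ftdvplaceholder", "DeviceIndex": 1}},
        {"NetworkInterfaceId": "eni-0insideplaceholder", "Description": "ftdv-inside",
         "SourceDestCheck": True, "PrivateIpAddress": "10.0.1.10",
         "Attachment": {"InstanceId": "i-0ftdvplaceholder", "DeviceIndex": 2}},
        {"NetworkInterfaceId": "eni-0outsidplaceholder", "Description": "ftdv-outside",
         "SourceDestCheck": False, "PrivateIpAddress": "10.0.2.10",
         "Attachment": {"InstanceId": "i-0ftdvplaceholder", "DeviceIndex": 3}},
        {"NetworkInterfaceId": "eni-0otherplaceholder", "Description": "app-server",
         "SourceDestCheck": True, "PrivateIpAddress": "10.0.1.50",
         "Attachment": {"InstanceId": "i-0appplaceholder", "DeviceIndex": 0}},
    ]
})


def interfaces_with_check_enabled(describe_json, instance_id):
    """Return (eni_id, description) for every ENI attached to instance_id
    that still has SourceDestCheck on. Such an interface silently drops
    packets whose source or destination is not its own address, which is
    exactly the transit traffic a firewall must forward."""
    data = json.loads(describe_json)
    flagged = []
    for eni in data.get("NetworkInterfaces", []):
        attachment = eni.get("Attachment") or {}
        if attachment.get("InstanceId") != instance_id:
            continue
        # AWS defaults the attribute to True, so treat a missing key as enabled.
        if eni.get("SourceDestCheck", True):
            flagged.append((eni["NetworkInterfaceId"], eni.get("Description", "")))
    return flagged


def remediation_commands(flagged):
    """Build one CLI command per flagged ENI. --no-source-dest-check is the
    real flag of `aws ec2 modify-network-interface-attribute`; the output is
    meant to be reviewed before running, e.g. keep the check on management-only
    interfaces if you prefer."""
    return [
        "aws ec2 modify-network-interface-attribute "
        f"--network-interface-id {eni_id} --no-source-dest-check"
        for eni_id, _desc in flagged
    ]
```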
Excellent this was the issue thank you so much