https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3318171#M1064520 <P>I have a rule&nbsp;to permit any any&nbsp;</P> Thu, 25 Jan 2018 02:53:01 GMT Dia 2018-01-25T02:53:01Z https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3318117#M1064516 <P>Hi All,</P> <P>&nbsp;</P> <P>I am doing a new deployment of Virtual Firepower Thread Defense (FTDv) using ESXI and using ACI as bridge domain for my infrastructure.</P> <P>&nbsp;</P> <P>My problem is the FTDv is running in Transparent mode between 2 routers and these routers will be running IBGP over different links one of them having the FTDv inline, BGP is not forming over this link so any Idea what could be the reason?</P> <P>&nbsp;</P> <P>Regards</P> Fri, 21 Feb 2020 15:12:27 GMT https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3318117#M1064516 Dia 2020-02-21T15:12:27Z https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3318160#M1064518 <P>BGP requires TCP port 179 to be open between peers. check on your FW to see if this is allowed</P> Thu, 25 Jan 2018 02:18:40 GMT https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3318160#M1064518 Dennis Mink 2018-01-25T02:18:40Z https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3318171#M1064520 <P>I have a rule&nbsp;to permit any any&nbsp;</P> Thu, 25 Jan 2018 02:53:01 GMT https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3318171#M1064520 Dia 2018-01-25T02:53:01Z https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3318277#M1064522 <P>Are you using BGP-authentication? Then you need a workaround:</P> <P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy10017" target="_self">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy10017</A></P> Thu, 25 Jan 2018 07:25:44 GMT https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3318277#M1064522 Karsten Iwen 2018-01-25T07:25:44Z https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3320578#M1064524 <P>Hi Karsten,</P> <P>&nbsp;</P> <P>Thanks for your feedback that would help in later stage bu actually i am in the stage to establish the BGP without authentication&nbsp;<SPAN>between two BGP speaking routers peering with each other and no BGP running on FTD as it is Transparent.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards</SPAN></P> Sun, 28 Jan 2018 22:10:54 GMT https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3320578#M1064524 Dia 2018-01-28T22:10:54Z https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3347092#M1064525 <P>In transparent mode of Firewall, you needs to create bridge groups to the vlans at both (in/out) side of firewall.<BR /> <BR /> Example: Configuration on Inside/outside interfaces:<BR /> <BR /> interface TenGigabitEthernet0/6<BR /> <BR /> &nbsp;&nbsp;&nbsp; vlan 20<BR /> &nbsp;&nbsp;&nbsp; nameif inside<BR /> &nbsp;&nbsp;&nbsp; bridge-group 1<BR /> &nbsp;&nbsp;&nbsp; security-level 100<BR /> <BR /> interface TenGigabitEthernet0/7<BR /> <BR /> &nbsp;&nbsp;&nbsp; vlan 30<BR /> &nbsp;&nbsp;&nbsp; nameif outside<BR /> &nbsp;&nbsp;&nbsp; bridge-group 1<BR /> &nbsp;&nbsp;&nbsp; security-level 0<BR /> <BR /> Now please configure "BVI" interface with one IP from the same IP Subnet for which you want to pass traffic through firewall:<BR /> <BR /> <BR /> interface BVI1<BR /> <BR /> ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10&nbsp; (any free IP can be assigned from subnet)<BR /> <BR /> Now, please allow interested traffic on ouside Interface via access-list. This will redirect traffic through transparent firewall.</P> Mon, 12 Mar 2018 20:28:22 GMT https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3347092#M1064525 sbhadrav@cisco.com 2018-03-12T20:28:22Z https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3347349#M1064526 <P>Hi Dia,</P> <P>&nbsp;</P> <P>I would suggest you change the firewal mode to routed from transparent.</P> <P>Transparent is more of a headache. You can have the same inline processing of traffic using routed mode with inline pairs, without any need for a BVI interface with IP and so on.</P> <P>&nbsp;</P> <P>Afterwards, you can create your own rules to permit TCP 179 between peers plus TCP option 19 for BGP authentication.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Octavian</P> Tue, 13 Mar 2018 08:17:21 GMT https://community.cisco.com/t5/network-security/passing-layer-3-traffic-through-transparent-mode-ftdv/m-p/3347349#M1064526 Octavian Szolga 2018-03-13T08:17:21Z