topic Cisco FTD 1140 FDM in Network Security

Cisco FTD 1140 FDM

jpdeboer1 — Mon, 17 Aug 2020 20:18:24 GMT

Hello,

I am running a cisco FTD 1140 with system software version 6.4.0-102 using FDM to configure the device. Now i have an issue with subinterfaces, i have a Cisco 9500 connecting to the Cisco 1140 FTD with a trunk interface. On the switch i created a vlan inteface with an IP and on the FTD i created a subinterface with the same vlan number. Created a security zone on the FTD and allowed everything on the ACL as a test. But i am not able to ping the subinterface, this is a simple setup to just test the subinterface on the FTD, but for some reason isnt working. Did someone else encounter this issue?

Thanks in advance!

Re: Cisco FTD 1140 FDM

Rob Ingram — Mon, 17 Aug 2020 20:26:58 GMT

Hi,
Where are you connected to when you ping this new interface?
As with the ASA, you cannot be connected to one interface and send ICMP traffic through an interface to a far interface, the firewall only responds to ICMP traffic sent to the interface that traffic comes in on.

HTH

Re: Cisco FTD 1140 FDM

jpdeboer1 — Mon, 17 Aug 2020 20:46:40 GMT

Hi,

The cisco 9500 switch is connected as a trunk using port Twe1/0/3 to the cisco FTD 1140 port Eth1/3. Eth1/3 is the parrent interface for the subinterface. Subinterface has vlan 111 configured with ip 10.11.11.1/24 and the Cisco 9500 switch has a VLAN interface 111 with ip 10.11.11.241/24. Vlan 111 is also configured on the switch. But i cant ping between them.

Re: Cisco FTD 1140 FDM

Marvin Rhoads — Tue, 18 Aug 2020 05:02:28 GMT

Did you confirm the trucking status on the switch and the spanning-tree forwarding for the VLANs of interest? Are you getting arp table entries on both devices for the other addresses in the subnet?

Re: Cisco FTD 1140 FDM

jpdeboer1 — Tue, 18 Aug 2020 07:42:10 GMT

Hi Marvin,

i dont get a mac address when i check arp table:

Internet 10.11.11.1 0 Incomplete ARPA

See below config

FIREWALL
interface Ethernet1/3.111
vlan 111
nameif vmware-management
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.11.1 255.255.255.0

SWITCH
interface TwentyFiveGigE1/0/3
description Connects AMS-FW1 Eth1/3 SERVERS
switchport trunk allowed vlan 111,300,310,320
switchport mode trunk
load-interval 30

interface Vlan111
ip address 10.11.11.241 255.255.255.0
end

VLAN0111
Spanning tree enabled protocol rstp
Root ID Priority 32879
Address 5ca6.2dc2.e720
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32879 (priority 32768 sys-id-ext 111)
Address 5ca6.2dc2.e720
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Twe1/0/3 Desg FWD 20000 128.3 P2p

Re: Cisco FTD 1140 FDM

jpdeboer1 — Tue, 18 Aug 2020 12:15:12 GMT

Something strange happened, i made a config change in FDM and deployed it to the device. Deployment got stuck so i rebooted both firewall devices and after that the sub interfaces were working.