topic Re: FTD 1010 cant ping between ports in Network Security

FTD 1010 cant ping between ports

S3C — Tue, 22 Sep 2020 07:26:19 GMT

So this is a LAN setup & using GUI but can also use cli if needed.

Ive been troubleshooting this for a few days and I think FTD is blocking the access between the port 3 and port 1.

Here´s the setup:

Host - 192.168.3.5/24

FTD Port 3 - routed status - 192.168.3.1/24

FTD Port 1 - sub-int1.10, vlan10 - 192.168.10.1/24

SW Port 10 - sub-int1.10, vlan10 - 192.168.10.10/24 (trunk)

Host -> Port 3 (FTD) -> Port 1 (FTD) -> Port 10 (SW)

Host CANT ping port 1

But....

FTD can ping Host

Host can ping FTD

FTD can ping SW

I have setuped ACL rule to allow any any any any, also a static route for traffic through sub-int1.10 & port 3 but still doesnt work.

Can anyone help me in what I have done wrong or missed? Also, let me know if need to add more info

Thanks a lot, much appreciated.

Re: FTD 1010 cant ping between ports

Rob Ingram — Tue, 22 Sep 2020 07:24:20 GMT

Hi @S3C

You can only ping an FTD's interface that traffic comes in on (Port 3), you cannot send ICMP traffic through an interface to a far interface, this is denied by design and you cannot change it.

Your ACL you've setup applies to traffic "through" the FTD, not "to" the FTD - it would not work.

HTH

Re: FTD 1010 cant ping between ports

S3C — Tue, 22 Sep 2020 07:52:19 GMT

Hi Rob!

Thanks for answering.

I wrote wrong above but updated now.

Let me show you the end goal here as to why Im asking how to do this.

Host -> Port 3 (FTD) -> Port 1 (FTD, with sub-ints) -> Port 10 (SW, with VLANs) -> Port 1 (SW, with VLANs) -> Port 1 (SRV, with VMs)

Host - 192.168.3.5/24

FTD Port 3 - routed status - 192.168.3.1/24

FTD Port 1 - sub-int1.10, vlan10 - 192.168.10.1/24

SW Port 10 - sub-int1.10, vlan10 - 192.168.10.10/24 (trunk)

SW Port 1 - sub-int1.10, vlan10 (trunk)

SRV Port 1 - 7 VMs where 1 is tagged vlan10 and is a ADDC.

Bear in mind the VSRV has 7 machines which each one got their own vlan on SW & Sub-int on FTD.

Ping from FTD to VSRV & vice versa is OK, all is working as planned.

As my end goal here, is that the host would be able to join the domain & then at END in a few months be able to RDP to all other VMs (though at this time I just want to get it to be joined to the domain).

But I CANT ping port 1 vlan10 where ADDC is.

Attached a diagram too.

thanks!

Re: FTD 1010 cant ping between ports

Rob Ingram — Tue, 22 Sep 2020 07:53:43 GMT

Ok, so you aren't ping the FTD's far interfaces, rather you are pinging through the FTD to the switches SVI and not receiving a response?

You already have a permit ip any any rule, please provide a screenshot, just for confirmation.

Check you aren't unintentially natting on the FTD, provide the output of "show nat detail" for review if you wish.

Can the FTD ping the VSRV ip addresses?

Check routing on the switch and FTD, provide the routing table from both if you wish confirmation.

Re: FTD 1010 cant ping between ports

S3C — Tue, 22 Sep 2020 08:54:30 GMT

Nope, correct. Just trying to ping the Sub-ints/SVI from host. As ping to SVIs from FTD is OK.

Host trying to ping sub-ints IP which is 192.168.10.1, but getting timeout.

PS of ACL is attached.

No NAT rule as nothing will have internet access nor access website. everything will be LAN.

Correct, FTD can ping everything. Host is the only one who cant ping Sub-ints/SVI but it can ping FTD.

Routing on FTD attached (GW is host network) + no routing on SW as the 2 ints used are Trunk and apart of same VLANs.

How should the routing be? (not used to this new GUI routing setup)

Interface: (sub-int or host)?

Networks: (hosts or the sub-ints)?

GW: host, ftd or sub-ints)?

Thanks Rob!

Re: FTD 1010 cant ping between ports

Rob Ingram — Tue, 22 Sep 2020 09:16:15 GMT

Still un-clear, just provide "show run" from both the FTD and switch it will make things easier.

Is you intention to route all inter-vlan traffic through the FTD? If so the switch does not need IP addresses per VLAN, only 1 for management. The virtual servers would use the FTD as the default gateway.

What is the IP address of the Virtual Server (ADDC) and can it ping the switch?

What is the default gateway of the ADDC, 192.168.10.10 (switch) or 192.168.10.1 (FTD)? Regardless if it's in the same VLAN it should be able to ping 192.168.10.1

Re: FTD 1010 cant ping between ports

S3C — Tue, 22 Sep 2020 09:42:41 GMT

Correct, all access, traffic routes, denies from users, hosts etc is going through FTD.

Logical plan is that ALL traffic is going to go through FTD, both ways through 1 interface.

So if a VSRV VM wants to talk to another VSRV then it has to go through the FTD first.

So I then dont need trunk ports with the different vlans?

Virtual Server (ADDC) is only tagged with VLAN10, no IP. Yep and it can also ping the FW (vice versa)

Default GW of ADDC havent set as only tagged it with VLAN10.

This is totally fine, FTD to VSRV (ADDC) is OK (pingable).

The issue is at FTD. Host cant ping the VLAN10 (ADDC) (192.168.10.1).

Host port 3

Vlan10 port 1

Host GW: 192.168.3.1 (set on port 3 on FTD)

Host IP: 192.168.3.5 (set on host machine)

Vlan10: 192.168.10.1 (set on sub-int)

As if FTD is blocking traffic from port 3 to port 1 even though rules are set for allow.

Less un-clear now? 🙂

Ill update with config from both SW & FTD if still needed in about 1h.

Thanks Rob,

Re: FTD 1010 cant ping between ports

Rob Ingram — Tue, 22 Sep 2020 09:51:20 GMT

"The issue is at FTD. Host cant ping the VLAN10 (ADDC) (192.168.10.1)." <<< is this IP address a typo? 192.168.10.1 is the FTD's interface IP address, which as explained in the first respond will never respond to a ping from "Host".

If it is a typo and you are indeed pinging through the FTD to the ADDC on whatever IP address is configured can you run packet-tracer from the CLI and provide the full output.

Re: FTD 1010 cant ping between ports

S3C — Tue, 22 Sep 2020 11:07:28 GMT

Ah yes. its a typo. Meant to be 192.168.10.10.

ADDC/SRV can ping 192.168.10.1 & 10.

To be more clear:

192.168.10.10 = VLAN10 on SW

192.168.10.1 = sub-int on FTD with tag vlan10

Correct, I want to ping through the FTD to ADDC but it stops at the FTD as cant ping 192.168.10.10. (been trying with .1 as well just because its a sub-int and thought it would respons to ping as when pinging from SW it responds.

Will provide the full output in a sec.

Re: FTD 1010 cant ping between ports

Rob Ingram — Tue, 22 Sep 2020 11:24:26 GMT

Ok, so does the switch have a default route/gateway?

Re: FTD 1010 cant ping between ports

S3C — Tue, 22 Sep 2020 12:11:46 GMT

Nope, set default gw on the VLANs towards the sub-ints on the FTD?

No router in network and 7 sub-ints going through the trunk to FTD, so I cant set 1 of them as a default GW as all 7 will be used. Also all traffic is tagged except the host.

Working on the output & conf btw, havent forgot.

Tracert times out on the first jump which I think that FTD is blocking as it would otherwise show 192.168.10.1 as next hop if it would the host through right?

Re: FTD 1010 cant ping between ports

Rob Ingram — Tue, 22 Sep 2020 12:35:17 GMT

Actually the default gateway would only be required if you wanted to communicate with the switch.

Is the default gateway of the ADDC server the FTD (192.168.10.1)?

I was referring to packet-tracer not tracert, provide that and the configs and we should have a clearer picture.

Re: FTD 1010 cant ping between ports

S3C — Tue, 22 Sep 2020 13:27:02 GMT

Hi Rob!

Setting default GW on the VLAN solved the problem. I can now ping ADDC from host & domain join.

Thanks a lot for the support.

Much appreciated

Re: FTD 1010 cant ping between ports

Rob Ingram — Tue, 22 Sep 2020 13:36:26 GMT

@S3C Glad to hear it is working.

However that sounds like the ADDC server is using the switch as it's default gateway, correct? If so that's less than ideal, as you have 2 gateways on the same network (192.168.10.1 and 192.168.10.10), you should set the default gateway of all host servers to be the FTD, in the correct VLAN.

An IP address and gateway on the switch would only be used for management.