topic Re: Cannot access FTD management Interface in Network Security

Cannot access FTD management Interface

Chess Norris — Sat, 03 Oct 2020 19:58:16 GMT

In my lab, I previously had my FTD management interface on the same subnet as my inside network. The inside network is using the FTD Inside interface as gateway and everything was working without any issues.

I recently created a separate management network and configured a VLAN interface (SVI)on my 3560 switch and reconfigured the FTD management interface with an IP address on this network and using the management SVI as gateway.

However I now have have an issue reaching the management interface on the FTD from the Inside network.

If I create an additional sub interface on the FTD on the same management network I can reach the FTD, but is this really necessary?

Would appreciate some guidelines on how to configure the FTD, so that I can access the management from my inside network.

Inside network is 10.46.1.0/24 and management network is 172.16.1.0/24.

Thanks

/Chess

Re: Cannot access FTD management Interface

Rob Ingram — Sat, 03 Oct 2020 18:49:56 GMT

Hi @Chess Norris

What is the default gateway of devices connected to the inside network, the FTD or the switch itself? If it's the FTD, that would need a route to the management network to route the traffic back to the switch.

HTH

Re: Cannot access FTD management Interface

Chess Norris — Sat, 03 Oct 2020 19:12:55 GMT

Hello @Rob Ingram

Yes the FTD is default gateway for the Inside network.

So I would need a static route on the FTD pointing to the switch?

It looks like I cannot add a route using the management interface on the FTD or do you mean I should add a route using the FTD Inside interface pointing to the switch?

Thanks

/Chess

Re: Cannot access FTD management Interface

Rob Ingram — Sat, 03 Oct 2020 19:17:55 GMT

Traffic is sourced from the inside network would be routed to the FTD's inside interface and would need to be routed back via the FTD's inside interface to the SVI, which (if ip routing is enabled) would route the traffic to the management interface. That's not great from a routing point of view, but it will work.

HTH

Re: Cannot access FTD management Interface

Chess Norris — Sat, 03 Oct 2020 20:15:51 GMT

Really appreciate the help, but something still isn't working.

Here's the configuration so far:
Inside network: 10.46.0.0/24
Management Network: 172.16.1.0/24

Switch configuration:
!
ip routing
!
interface Vlan2
description ***INSIDE***
ip address 10.46.0.16 255.255.255.0
no ip mroute-cache
!
interface Vlan13
description ***MGMT***
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface GigabitEthernet0/1
description ***FTD-01 (MGMT)***
switchport access vlan 13
switchport mode access
spanning-tree portfast edge
!
ip route 0.0.0.0 0.0.0.0 10.46.0.1

FTD config

==================[ management0 ]===================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 5C:5A:C7:CF:66:80
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 172.16.1.10
Netmask : 255.255.255.0
Gateway : 172.16.1.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
!
interface Vlan2
nameif INSIDE
security-level 0
ip address 10.46.0.1 255.255.255.0
!
route INSIDE 172.16.1.0 255.255.255.0 10.46.0.16 1

Thanks
/Chess

Re: Cannot access FTD management Interface

Rob Ingram — Sat, 03 Oct 2020 20:29:58 GMT

As the traffic is being routed to the firewall you will need to ensure you are permitting the traffic, have you permitted traffic from 10.46.0.0 to 172.16.1.0? Troubleshoot using "system firewall-engine-debug"

Re: Cannot access FTD management Interface

Chess Norris — Sat, 03 Oct 2020 21:21:30 GMT

Thanks, It was the zones in the ACP that was wrong. Since the traffic both enter and exit the inside, I needed to use the inside zone as both source and destination.

/Chess