topic Re: Inter-VLAN Routing configuration in Firepower in Network Security

Inter-VLAN Routing configuration in Firepower

SaintEvn — Tue, 22 Dec 2020 11:40:38 GMT

I would like to configure inter-vlan routing in firepower(FMC) using VLAN sub interface.

I've created sub interfaces with separate VLAN ID on physical interface. And I've configure trunking port at the access switch side with appropriate gateway.

But the inter-vlan is still not working .

What do I need to do in Firepower (FMC) in order to work inter-vlan routing?

Thank you so much all!

Re: Inter-VLAN Routing configuration in Firepower

balaji.bandi — Tue, 22 Dec 2020 11:48:48 GMT

FTD is a more of zone-based firewall, and same-security-traffic required to achieve intra and inter interface communication. ACP rule is required to make this work

Re: Inter-VLAN Routing configuration in Firepower

SaintEvn — Tue, 22 Dec 2020 15:45:57 GMT

Hi,

I've also try with allow any Access Control Policy but the inter-vlan is still not working .

It was like I miss "ip routing" on core layer switch.

I have 3 vlans (vlan 10, 11,12) and only vlan 10 is pintable form access switch.

I also make sure " no ip routing" on access switch .But the inter-vlan on firepower still cannot work yet.

Do I need to miss out something in firepower ??

Re: Inter-VLAN Routing configuration in Firepower

balaji.bandi — Tue, 22 Dec 2020 15:55:46 GMT

Can you post the switch config to look, how you configured.

is the VLAN Layer3 on Switch or FTD ? or both the places ?

Re: Inter-VLAN Routing configuration in Firepower

Rob Ingram — Tue, 22 Dec 2020 16:45:54 GMT

@SaintEvn

Do you have NAT exemption rules setup, without them traffic could unintentially be natted.

If you ping the vlan10 ip address of the FTD from the access switch you would only expect to get a response from vlan10, you cannot be connected to one FTD interface (FTD vlan10) and ping through the FTD to the FTD's far interface (FTD vlan11), this would be denied - by design. You would need to ping through the FTD to a device connected to vlan11 (pc, printer etc). Obviously your ACP rules need to permit this.

Run packet-tracer from the CLI and provide the output for review.

Provide a screenshot of your ACP for this traffic.

Provide the output of "show nat detail"

Re: Inter-VLAN Routing configuration in Firepower

SaintEvn — Tue, 22 Dec 2020 16:51:46 GMT

I've demonstrated a lab for my issue. Please help to review my configuration.

All the Layer3 VLANs are on firepower and switch as L2 only access switch.

Thank you so much

Re: Inter-VLAN Routing configuration in Firepower

Rob Ingram — Tue, 22 Dec 2020 17:01:37 GMT

@SaintEvn

You don't have any interfaces configured in vlan11 or vlan12 on the switch, so I can only assume you are pinging vlan11 and vlan12 interfaces on the FTD from the switch itself which would be from vlan 10. Which as explained above will not work by design.

You need to connect some devices to the switch in vlan11 and vlan12 with a default gateway of the FTD and then ping "through" the FTD not "to" the FTD.

Re: Inter-VLAN Routing configuration in Firepower

SaintEvn — Tue, 22 Dec 2020 17:17:49 GMT

Thank you for your suggestion but according to my understanding , I already have trunk port configured between switch and firepower. And I also configured allow any policy .So, it should be able to ping form vlan 10 to other vlan interfaces on FTD. That is what I usually configure in other firewalls and ASA.

But now, It is more like when we missed "ip routing" command on L3 switch.

Re: Inter-VLAN Routing configuration in Firepower

Rob Ingram — Tue, 22 Dec 2020 17:22:46 GMT

No that's incorrect. The FTD only responds to ICMP traffic sent to the interface that traffic comes in on (vlan10); you cannot send ICMP traffic through an interface to a far interface (vlan11 or vlan12), the same applied to ASA aswell. I stated test communication by pinging "through" the firewall not "to".

Re: Inter-VLAN Routing configuration in Firepower

SaintEvn — Tue, 22 Dec 2020 17:46:32 GMT

I've assigned access port for VLAN 10, 11 and 12 .
Then I tried to ping from VLAN 10 client to VLAN 11 Client etc.
But still the same. Inter-vlan routing is not working.

Re: Inter-VLAN Routing configuration in Firepower

Rob Ingram — Tue, 22 Dec 2020 18:10:04 GMT

So you've connect a client device to each vlan 10, 11 and 12 with the default gateway for the client devices as the local FTD vlan interface?

Can each client device ping their own local vlan interface IP address (default gateway)?

Do you have nat configured? If yes, you might need a nat exemption rule.

Run packet-tracer from the CLI of the FTD and provide the output for review.

Re: Inter-VLAN Routing configuration in Firepower

SaintEvn — Tue, 22 Dec 2020 20:05:12 GMT

Hi,

Yes, each client device can ping their own default gateway. And there is no NAT on firepower.

I have captured some packet
- each VLAN client to each respective gateway and
-VLAN10 Client to other VLAN Client

I'm capturing from my lab so the capture files may be somehow difficult to view.
Very sorry for that and thank you so much for helping me

Re: Inter-VLAN Routing configuration in Firepower

Rob Ingram — Tue, 22 Dec 2020 20:28:44 GMT

Are you logging traffic in ACP rules? if so check the logs.

You can also run "system support firewall-engine-debug" command and filter on the source IP address of the computer you are running a ping from. Then run a ping, provide the output from that command.

Do the client devices you are running a ping to/from have a local firewall turned on that could block the ping response?

What was the output of packet-tracer?

Re: Inter-VLAN Routing configuration in Firepower

SaintEvn — Wed, 23 Dec 2020 14:22:20 GMT

Thank you all for helping me to solve this issue . I reconfigure all sub-interface in firepower , create ACP Policy and try to ping from one vlan client to another vlan client and it's working !

Re: Inter-VLAN Routing configuration in Firepower

shotalezhava — Fri, 26 Mar 2021 09:06:09 GMT

hello i have same problem ACP is correct i allow everything but host can not ping. all network can connect to FMC, and ping default gateway. What was the problem?

Re: Inter-VLAN Routing configuration in Firepower

rgrashorn — Wed, 07 Apr 2021 01:29:07 GMT

I am configuring on FMC 6.7 to FDM 1120 in routed mode with 4 inside interfaces and a single outside interface--have the same problem. I allow inside to inside traffic but cannot pass traffic between inside interfaces.

Re: Inter-VLAN Routing configuration in Firepower

shotalezhava — Wed, 07 Apr 2021 07:40:56 GMT

If pc can ping default gateway turn off windows firewall and allow ping on windowa

Re: Inter-VLAN Routing configuration in Firepower

bonojeta — Thu, 21 Sep 2023 02:37:49 GMT

Can you post, I want to run the same thing for my home network to reduce the equipment I need to get to my server.