topic Re: Inter-VLAN Routing configuration in Firepower 1010 in Network Security

Inter-VLAN Routing configuration in Firepower 1010

shotalezhava — Fri, 26 Mar 2021 20:57:47 GMT

hello i have 3 V LAN, hosts can ping their default gateway can connect to FM C but can not ping each other, on A C P i Allow everything, ft d can ping all hosts. what can be a problem?

Re: Inter-VLAN Routing configuration in Firepower 1010

Rob Ingram — Fri, 26 Mar 2021 21:38:30 GMT

Hi @shotalezhava

Do you have sub-interfaces on the FTD?

Is the FTD the default gateway for each VLAN?

Do you have NAT exemption rules in place to ensure the inter-vlan traffic is not unintentially natted?

Please can you run packet-tracer from the CLI and provide the output for review. Example: packet-tracer input <interface> <protocol> <src ip> <src port> <dst ip> <dst port>

Provide some output of your FTD and switch configuration.

Re: Inter-VLAN Routing configuration in Firepower 1010

shotalezhava — Sat, 27 Mar 2021 16:58:33 GMT

sorry i do not know how to run paket-tracer from CLI, i have sub-interface, host can ping ftd and all vlan can connect to fmc. default gateway is correct on host it is ftd sub-interface ip.

Re: Inter-VLAN Routing configuration in Firepower 1010

Rob Ingram — Sat, 27 Mar 2021 17:11:38 GMT

@shotalezhava Run the following from the CLI of the FTD and provide the output:-

packet-tracer input managment icmp 192.168.77.11 8 0 192.168.10.10

Can the FTD ping a host in each of the vlans?

Does the host you are trying to ping (192.168.10.10) have a local firewall turned on that could be preventing a ping response?

Re: Inter-VLAN Routing configuration in Firepower 1010

shotalezhava — Sat, 27 Mar 2021 17:13:23 GMT

local firewall allow icmp Ipv4

Re: Inter-VLAN Routing configuration in Firepower 1010

shotalezhava — Sat, 27 Mar 2021 17:17:46 GMT

packet-tracer input managment icmp 192.168.77.11 8 0 192.168.10.10

Re: Inter-VLAN Routing configuration in Firepower 1010

Rob Ingram — Sat, 27 Mar 2021 17:25:31 GMT

The result of that packet-tracer output was an "allow", which means the traffic should be permitted by the FTD.

I suggest you disable the local firewall on the hosts for testing and try again.

Re: Inter-VLAN Routing configuration in Firepower 1010

shotalezhava — Sat, 27 Mar 2021 17:33:59 GMT

icmp is allow i tried share folder but it is same

Re: Inter-VLAN Routing configuration in Firepower 1010

Rob Ingram — Sat, 27 Mar 2021 17:44:40 GMT

Right fine, but you are troubleshooting a problem with the FTD....you can easily eliminate that a potential issue by temporarily disabling the local firewall on the windows host and then test.

Aside from that, is the FTD the default gateway definately of the windows host?

Run the command "system support firewall-engine-debug" from the FTD CLI and filter on the ip address(es) you are testing with and then run some tests to generate some traffic.

You could also run packet capture on the windows host.

Re: Inter-VLAN Routing configuration in Firepower 1010

shotalezhava — Mon, 29 Mar 2021 11:04:26 GMT

it was windows firewall problem! thanks

FMC Disk Usage error

shotalezhava — Wed, 12 May 2021 21:29:01 GMT

hello i create HA and i have error Frequent drain of Archives & Cores & File Logs