https://community.cisco.com/t5/network-security/static-routes-for-ftd-three-sperate-interfaces/m-p/4457681#M1083238 <P>The moment the interface is in place and active, traffic should not be routed to outside any more. Without an allow rule, traffic should be dropped.</P> <P>Are the interfaces active? Do you see them on the CLI with "show interface ip brief", "show route"?</P> Tue, 31 Aug 2021 16:59:28 GMT Karsten Iwen 2021-08-31T16:59:28Z https://community.cisco.com/t5/network-security/static-routes-for-ftd-three-sperate-interfaces/m-p/4457658#M1083234 <P>Hello All.</P><P>&nbsp;</P><P>I have an FTD running 6.6.4. - the current interface config:</P><P><EM>1. Inside Zone - Interface 10.10.10.1 (network 10.10.0.0)</EM></P><P><EM>2. Outside Zone - Interface 10.20.20.248 (network 10.20.20.0)</EM></P><P><EM>3. Route - any-ipv4, outside, global, 10.20.20.1, false, 1</EM></P><P>&nbsp;</P><P>Need to add two more interfaces:</P><P><EM>1. DMZ Zone - Interface 10.40.40.254 (network 10.40.40.0)</EM></P><P><EM>2. DMZ Zone - Interface 10.50.50.254 (network 10.50.50.0)</EM></P><P>3. I need routes that will allow data from my inside zone (network 10.10.0.0) to these networks (10.40.40.0 and 10.50.50.0) also.</P><P>&nbsp;</P><P><EM><STRONG>&nbsp;<U>What would my routes be? I do not have a spare to test with, so I am worried that I will block myself by adding a incorrect route.&nbsp;</U></STRONG></EM></P><P>&nbsp;</P><P><EM><STRONG>Any help would be greatly&nbsp;<SPAN>appreciated.</SPAN></STRONG></EM></P> Tue, 31 Aug 2021 16:35:04 GMT https://community.cisco.com/t5/network-security/static-routes-for-ftd-three-sperate-interfaces/m-p/4457658#M1083234 t3chH0und 2021-08-31T16:35:04Z https://community.cisco.com/t5/network-security/static-routes-for-ftd-three-sperate-interfaces/m-p/4457663#M1083236 <P>You don't need any additional routes. The firewall is aware of these networks when it has an IP in that new net. But you need to allow this communication in your security-policy.</P> Tue, 31 Aug 2021 16:44:17 GMT https://community.cisco.com/t5/network-security/static-routes-for-ftd-three-sperate-interfaces/m-p/4457663#M1083236 Karsten Iwen 2021-08-31T16:44:17Z https://community.cisco.com/t5/network-security/static-routes-for-ftd-three-sperate-interfaces/m-p/4457672#M1083237 Thank you. I added the interfaces; however, a traceroute to the 10.40.40.0 or 10.50.50.0 networks stills routes to the outside interface, not the new interfaces. When that happened, I assumed I needed a new static route. So by allowing in my policy, the date should route to the new interfaces?<BR /> Tue, 31 Aug 2021 16:50:37 GMT https://community.cisco.com/t5/network-security/static-routes-for-ftd-three-sperate-interfaces/m-p/4457672#M1083237 t3chH0und 2021-08-31T16:50:37Z https://community.cisco.com/t5/network-security/static-routes-for-ftd-three-sperate-interfaces/m-p/4457681#M1083238 <P>The moment the interface is in place and active, traffic should not be routed to outside any more. Without an allow rule, traffic should be dropped.</P> <P>Are the interfaces active? Do you see them on the CLI with "show interface ip brief", "show route"?</P> Tue, 31 Aug 2021 16:59:28 GMT https://community.cisco.com/t5/network-security/static-routes-for-ftd-three-sperate-interfaces/m-p/4457681#M1083238 Karsten Iwen 2021-08-31T16:59:28Z