topic Re: Firepower VLAN Routing in Network Security

Firepower VLAN Routing

walkers33752 — Wed, 28 Sep 2022 18:17:52 GMT

I have a network with multiple VLANS.

We recently got a FP1120 which has a connection out to the internet. This device is on VLAN 22. Internet access (and ICMP replies) work from any device on VLAN 22.

Internet access (and ICMP replies from FP) do not work on any other VLAN. Access control is set to any ipv4 right now for testing purposes.

hosts on VLAN 21 can ping and access every other host on VLAN 22.

Re: Firepower VLAN Routing

Rob Ingram — Wed, 28 Sep 2022 18:29:22 GMT

@walkers33752

I assume you've got a core switch with the VLANs defined? Have you configured a default route on the switch to route to the Firewall's inside interface IP address?

On the Firewall define a static route for the VLAN 21 network via next hop of the switch IP address (VLAN 22)

Create a Auto NAT rule configured on the Firewall to translate the VLAN 21 network behind the outside interface IP address.

Create a rule in the Access Control Policy to permit traffic from the VLAN 21 network to the internet

Re: Firepower VLAN Routing

Aref Alsouqi — Thu, 29 Sep 2022 08:43:12 GMT

If the endpoints on the other VLANs do not get any reply back from the FTD interface(s) then it would suggest there is some connectivity issues between the endpoints and the FTD. As @Rob Ingram suggested, I would check the routing between the firewall and the core switch. If there is no routing on the core switch, I would suggest the ACP rules to make sure this traffic is allowed.