Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1121
Views
5
Helpful
3
Replies

Using an FTD 5515-X in both a Routed Mode and Transparent mode at Same Time

Go to solution
Lucas Phelps
Level 5
Level 5

‎06-27-2018 06:58 AM - edited ‎02-21-2020 07:55 AM

I've got a Cisco 5515-X running the latest 6.2.3.2 FTD code.  I'd like to use 4 interfaces for Routed mode traffic to replace an aging ASA 5510 with the old code (DMZ, Inside, Outside, and Failover Interfaces).

 

I'd like to use the other remaining interfaces on the 5515-X FTD to do a simple bridged/transparent interface pair (in layer 2 mode) to just inspect internal traffic without any routing between different subnets.  I'd also like the ability to block traffic here, so I'm not sure a 'Passive' interface would work.  

 

Is it possible to accomplish this in any way on the same device?

 

Thanks in advance!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Lucas Phelps
Level 5
Level 5

‎06-29-2018 06:51 AM

I figured this out.  First of all, I configured the FTD appliance in 'Routed' mode rather than 'Transparent'.

 

Then I configured the first three interfaces:  1) Inside  2) Outside  3) DMZ

 

Then I created an Inline Set with interfaces 4 and 5.  An Inline Set is simply a layer 2 bump-in-the-wire with no ip addressing needed.  It simply passes traffic from one interface to the other and inspects on the fly.  The Inline Set doesn't do any kind of routing at all - It's simply a monitoring point for another flow of traffic on my network separate from the 3 interfaces above (Inside, Outside, DMZ).

 

When the interfaces are put into an Inline Set, it changes the mode on the interface from 'Routed' to 'Inline' to indicate the change.

View solution in original post

3 Replies 3

Go to solution
Lucas Phelps
Level 5
Level 5

‎06-29-2018 06:51 AM

I figured this out.  First of all, I configured the FTD appliance in 'Routed' mode rather than 'Transparent'.

 

Then I configured the first three interfaces:  1) Inside  2) Outside  3) DMZ

 

Then I created an Inline Set with interfaces 4 and 5.  An Inline Set is simply a layer 2 bump-in-the-wire with no ip addressing needed.  It simply passes traffic from one interface to the other and inspects on the fly.  The Inline Set doesn't do any kind of routing at all - It's simply a monitoring point for another flow of traffic on my network separate from the 3 interfaces above (Inside, Outside, DMZ).

 

When the interfaces are put into an Inline Set, it changes the mode on the interface from 'Routed' to 'Inline' to indicate the change.

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Lucas Phelps

‎06-29-2018 08:34 AM

I thought that you could do as you figured out; but I wasn't certain and didn't have a spare unit handy to confirm it.

 

Thanks for sharing your results!

0 Helpful

Go to solution
Terry Grant
Level 1
Level 1
In response to Lucas Phelps

‎09-04-2018 10:52 AM

Lucas,

  I'm looking into this same use case, but using FTD 4110 hardware.  Does the inline set use the same access control policy as the routed interfaces?  How has it been working since your implementation?

 

Thanks,

Terry  

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card