04-19-2024 08:11 AM
My network endpoints use the IP-addressed VLANs on my Cisco layer 3 core switch as their gateway addresses, i.e. VLAN 11 endpoint address 192.168.11.3/24 with gateway 192.168.11.1/24 (VLAN IP on the core) and VLAN 12 endpoint address 192.168.12.3/24 with gateway 192.168.12.1/24 (VLAN IP on the core). These VLANs are then interconnected. I am attempting to create a path to the internet using the gateway of last resort out of the switch, 0.0.0.0 0.0.0.0 10.2.2.1. 10.2.2.1, security zone "InsideTrunk," is the address of a physical inside interface on my Firepower 2130. I have created access control policies to allow 192.168.11.0/24 and 192.168.12.0/24 from "InsideTrunk" to Outside on the Firepower. Also, the proper auto NATs for both subnets have been created. The endpoints are unable to reach the internet. All I am trying to do is create a transport network. Does anyone have an idea of what I am missing? I have attached the trunk config from the core switch.
04-25-2024 11:24 AM
Things can be done differently in multiple ways. Configuring routed interfaces on the switches is not common; in fact, some of the switches might not support it either. I think what I suggested is just a simple, common solution that meets @jreynolds4's requirements.
04-19-2024 09:25 AM
You have mentioned the default route points to 0.0.0.0 0.0.0.0 10.2.2.1
So is 10.2.2.1 the inside interface of the FTD?
What is the core side IP address for the same network?
Can the FTD reach the core network transit IP or VLAN?
How are you managing the FTD, FMC or FDM?
Look at the below guide for basic help:
FDM (I use virtual) should help you understand how to reach the internet:
https://www.balajibandi.com/?p=1855
04-23-2024 09:48 AM
Sorry for the delay. A whole lot going on right now.
So is 10.2.2.1 the inside interface of the FTD? - YES
What is the core side IP address for the same network? YES, below is from the Firepower to the SW
> ping 10.2.2.2
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
I am using FMC
04-19-2024 09:53 AM
Hello,
post the running config of the core switch. Can the Firepower ping the core switch (and vice versa, can the core switch ping 10.2.2.1)?
04-23-2024 09:51 AM
Yes, the switch and firepower can ping each other.
Elmo#show run
Building configuration...
Current configuration : 6719 bytes
!
! Last configuration change at 10:04:27 PDT Thu Apr 18 2024
! NVRAM config last updated at 09:28:33 PDT Wed Apr 17 2024
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
no platform punt-keepalive disable-kernel-core
!
hostname Elmo
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$iaR1$223Tvy/XabtO89QCjx3hO/
!
no aaa new-model
clock timezone PDT -8 0
clock summer-time PDT recurring
switch 1 provision ws-c3650-24ts
!
!
!
!
call-home
contact-email-addr jreynolds@willapa.net
no http secure server-identity-check
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
ip routing
!
ip name-server 172.27.4.11 172.27.5.245
ip domain name whh.local
!
!
!
no login on-success log
!
!
!
!
!
!
!
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-2670722759
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2670722759
revocation-check none
rsakeypair TP-self-signed-2670722759
!
!
crypto pki certificate chain TP-self-signed-2670722759
!
!
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
redundancy
mode sso
!
!
transceiver type all
monitoring
!
vlan 4
name MEwireless
!
vlan 10
name Isonas
!
vlan 11
name Meraki
!
vlan 12
name TrunkTest
!
vlan 13
name Transport
!
vlan 92
name EpsilonNine
!
vlan 172
name WHHPrimary
!
vlan 210
name rad-PACS
!
vlan 555
name MITELmngt
!
vlan 666
name GuestInternet
!
vlan 803
name SpaceLabs
!
vlan 804
name Telemetry
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 172
switchport mode dynamic desirable
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 210
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 210
!
interface GigabitEthernet1/0/5
switchport access vlan 210
!
interface GigabitEthernet1/0/6
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 210
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 210
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 210
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 172
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 172
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/21
switchport access vlan 172
switchport trunk native vlan 13
switchport trunk allowed vlan 11-13
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport access vlan 172
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport access vlan 210
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan4
no ip address
!
interface Vlan11
ip address 192.168.11.1 255.255.255.0
!
interface Vlan12
ip address 192.168.12.1 255.255.255.0
!
interface Vlan13
ip address 10.2.2.2 255.255.255.0
!
interface Vlan84
ip address 192.168.1.155 255.255.255.0
!
interface Vlan111
ip address 192.168.111.1 255.255.255.0
!
interface Vlan172
ip address 172.27.8.63 255.255.0.0
!
interface Vlan444
ip address 10.11.12.9 255.255.255.0
!
ip default-gateway 172.27.8.40
ip forward-protocol nd
ip http server
ip http secure-server
ip ftp username BACKUPadmin
ip ftp password B@ckUpDud3
ip route 0.0.0.0 0.0.0.0 192.168.196.155
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
password SwitchL0rd
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password SwitchL0rd
login
line vty 5 15
password SwitchL0rd
login
!
ntp server 172.27.4.11
!
!
!
!
!
!
04-23-2024 10:28 AM
Hello,
the 'ip default-gateway' command is unnecessary, since it is a layer 3 switch. Remove that line. Also, you have two default routes; what is the purpose of those? Which one do you need (I assume the one pointing to the FTD)? In short, remove the two lines below:
--> no ip default-gateway 172.27.8.40
ip forward-protocol nd
ip http server
ip http secure-server
ip ftp username BACKUPadmin
ip ftp password B@ckUpDud3
--> no ip route 0.0.0.0 0.0.0.0 192.168.196.155
ip route 0.0.0.0 0.0.0.0 10.2.2.1
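The two routing problems pointed out above (a stray 'ip default-gateway' on a switch that has 'ip routing' enabled, and two static default routes with different next hops), together with a few things in the posted 'show run' that a reviewer would flag on security grounds (clear-text line and FTP passwords, plain HTTP management, a type 5 enable secret, portfast on a trunk port), can be checked mechanically. The following Python script is an added example, not code from the thread or from Cisco. It parses an IOS-style running config into global commands and indented sections, then reports findings; the embedded config is a constructed excerpt mirroring Elmo's config, with the real credentials replaced by obvious placeholders. The next-hop reachability check uses the addressed SVIs to decide whether a default route's next hop sits on any connected subnet.

```python
"""Audit a Cisco IOS running-config for the issues raised in this thread.
Added example, not from the original thread or from Cisco.  The config
below is constructed to mirror the posted 'show run'; credentials are
replaced by placeholders."""
import ipaddress
import re

SAMPLE_CONFIG = """\
version 16.6
enable secret 5 $1$PLACEHOLDER-md5-hash
ip routing
!
interface GigabitEthernet1/0/21
 switchport access vlan 172
 switchport trunk native vlan 13
 switchport trunk allowed vlan 11-13
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan11
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan13
 ip address 10.2.2.2 255.255.255.0
!
ip default-gateway 172.27.8.40
ip http server
ip http secure-server
ip ftp username BACKUPadmin
ip ftp password PLACEHOLDER-ftp-password
ip route 0.0.0.0 0.0.0.0 192.168.196.155
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
line vty 0 4
 password PLACEHOLDER-vty-password
 login
"""


def parse_config(text):
    """Split an IOS config into top-level commands and the indented
    sub-commands belonging to each section ('interface ...', 'line ...')."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None              # '!' terminates a section
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def connected_subnets(blocks):
    """Map each addressed interface to its connected IPv4 network."""
    nets = {}
    for header, lines in blocks.items():
        if header.startswith("interface "):
            for line in lines:
                m = re.fullmatch(r"ip address (\S+) (\S+)", line)
                if m:
                    nets[header] = ipaddress.ip_interface(
                        f"{m.group(1)}/{m.group(2)}").network
    return nets


def audit(text):
    """Return a list of (code, detail) findings for the config text."""
    top, blocks = parse_config(text)
    findings, defaults = [], []
    subnets = connected_subnets(blocks)
    routing_enabled = "ip routing" in top

    # Global commands: 'ip default-gateway' is only honoured when routing is
    # off; more than one static default route means two candidate next hops.
    for line in top:
        if line.startswith("ip default-gateway ") and routing_enabled:
            findings.append(("GW_IGNORED", f"'{line}' is ignored while 'ip routing' is on"))
        elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
            defaults.append(line)
        elif line == "ip http server":
            findings.append(("HTTP_MGMT", "clear-text HTTP management is enabled"))
        elif line.startswith("ip ftp password "):
            findings.append(("CLEARTEXT_PASSWORD", f"'{line}' is stored in clear or reversible form"))
        elif line.startswith("enable secret 5 "):
            findings.append(("WEAK_SECRET_TYPE", "enable secret is type 5 (MD5); prefer type 8 or 9"))
    if len(defaults) > 1:
        findings.append(("MULTI_DEFAULT", f"{len(defaults)} default routes: {defaults}"))
    for line in defaults:
        try:
            next_hop = ipaddress.ip_address(line.split()[4])
        except ValueError:              # next hop given as an interface name
            continue
        if not any(next_hop in net for net in subnets.values()):
            findings.append(("NEXTHOP_UNREACHABLE", f"next hop {next_hop} is on no connected subnet"))

    # Sections: reversible line passwords, and portfast on a trunking port.
    for header, lines in blocks.items():
        if header.startswith("line "):
            for line in lines:
                if line.startswith("password "):
                    findings.append(("CLEARTEXT_PASSWORD", f"{header}: '{line}' is stored reversibly"))
        if (header.startswith("interface ") and "switchport mode trunk" in lines
                and "spanning-tree portfast" in lines):
            findings.append(("PORTFAST_ON_TRUNK",
                             f"{header}: plain 'spanning-tree portfast' has no effect on a trunking port"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:22} {detail}")
```

Run against the constructed excerpt it reports the ignored default gateway, the two default routes (with 192.168.196.155 on no connected subnet), the two reversible passwords, HTTP management, the type 5 secret and the portfast-on-trunk line; removing the two lines the reply above marks with '-->' clears the three routing findings.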
04-23-2024 11:15 AM
Thank you. I got in such a rush I did not notice the second route. I will fix this and test.
04-20-2024 09:10 AM
How did you configure the link between the SW and the FTD?
MHM
04-23-2024 09:52 AM
Via an 802.1Q trunk.
04-23-2024 11:12 AM
The inside "transit" port on the Firepower cannot be pinged from endpoints in either VLAN. This tells me that I have messed up something in the trunk config of the switch. The trunk config is below:
Elmo#show int gi1/0/21 trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/21    on               802.1q         trunking      13

Port        Vlans allowed on trunk
Gi1/0/21    11-13

Port        Vlans allowed and active in management domain
Gi1/0/21    11-13

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/21    11-13
04-23-2024 11:24 AM
Do the hosts use the SVI or the interface of the FW as the GW?
MHM
04-23-2024 11:30 AM
04-23-2024 11:33 AM
That is why you cannot ping from the FW to the host.
The FW sends via VLAN x and receives the reply from VLAN y; this asymmetry is dropped by the FW.
You need to ping from the FW using the same VLAN.
MHM
04-23-2024 11:46 AM
04-23-2024 12:09 PM
One additional note. I have more VLANs than I have ports on my firewall. For this reason, I need to find a way to accomplish the inter-VLAN and internet connection via the switch to a transport network. TAC was unable to help me. I am hoping that someone in the community can.