12-05-2024 06:55 AM
I am trying to figure out how to add a static ARP entry to the ARP table on my Cisco Firepower 1120. I'll admit I'm very new to this product line. I have two sites and I'm trying to create a VPN between them. My ISP allocated two addresses in the same network for these sites. Because of this, they'll need some ARPing done to find each other. Any suggestions?
12-05-2024 11:53 AM
12-05-2024 01:17 PM
12-06-2024 01:29 AM
How are you managing the FTD? Are you using FMC or FDM?
Could you also explain the use case for this? Normally you would be setting the static ARP on a switch and the FTD would be learning this dynamically from the switch.
12-06-2024 07:43 AM
And I would agree with you in more normal circumstances - of course you might be smarter than I am too. My situation is that I have a routable block of 30 IP addresses that are on the same network, but their switching fabric belongs to my ISP. My ISP doesn't want to create entries for my devices. I need VPNs between various facilities, each location accessible via one of these 30 IP addresses. Because they are on the same network they never hit a router. I have used ARPing these past 25 years to allow my VPNs to find each other. I suspect that there might be a better way to do this, but until I purchased this Cisco Firewall, I never imagined that adding a static ARP entry would be such an adventure.
12-09-2024 03:02 AM
How are you managing the FTD? Via FMC or FDM?
You could look into using FlexConfig to add the Cisco ASA CLI commands to the FTD. Though I have never tried it, this should do what you are looking for.
arp outside 1.2.3.4 1111.2222.3333
12-09-2024 08:07 AM
I had assumed, incorrectly it turns out, that I was managing this device via FDM. I now believe that since I can log in to the device via a web interface, I am using FMC, which seems to be a very simplified interface. I actually had used the SSL connection more, but I guess both are designed for simplified use.
The basics of the command you give are in line with what I found in the ASA command list.
Unfortunately for me, I do not have the slightest idea how to configure the required FlexConfig Objects or Policy.
None of the CLI commands I have tried function from the CLI prompt on the webpage or via the SSL connection. Trying to get the device into the proper mode is also confusing to me.