Solved: Cannot access FTD management Interface

Chess Norris · ‎10-03-2020

In my lab, I previously had my FTD management interface on the same subnet as my inside network. The inside network is using the FTD Inside interface as gateway and everything was working without any issues.

I recently created a separate management network and configured a VLAN interface (SVI)on my 3560 switch and reconfigured the FTD management interface with an IP address on this network and using the management SVI as gateway.

However I now have have an issue reaching the management interface on the FTD from the Inside network.

If I create an additional sub interface on the FTD on the same management network I can reach the FTD, but is this really necessary?

Would appreciate some guidelines on how to configure the FTD, so that I can access the management from my inside network.

Inside network is 10.46.1.0/24 and management network is 172.16.1.0/24.

Thanks

/Chess

Rob Ingram · ‎10-03-2020

As the traffic is being routed to the firewall you will need to ensure you are permitting the traffic, have you permitted traffic from 10.46.0.0 to 172.16.1.0? Troubleshoot using "system firewall-engine-debug"

View solution in original post

Rob Ingram · ‎10-03-2020

Hi @Chess Norris

What is the default gateway of devices connected to the inside network, the FTD or the switch itself? If it's the FTD, that would need a route to the management network to route the traffic back to the switch.

HTH

Chess Norris · ‎10-03-2020

Hello @Rob Ingram

Yes the FTD is default gateway for the Inside network.

So I would need a static route on the FTD pointing to the switch?

It looks like I cannot add a route using the management interface on the FTD or do you mean I should add a route using the FTD Inside interface pointing to the switch?

Thanks

/Chess

Rob Ingram · ‎10-03-2020

Traffic is sourced from the inside network would be routed to the FTD's inside interface and would need to be routed back via the FTD's inside interface to the SVI, which (if ip routing is enabled) would route the traffic to the management interface. That's not great from a routing point of view, but it will work.

HTH

Chess Norris · ‎10-03-2020

Really appreciate the help, but something still isn't working.

Here's the configuration so far:
Inside network: 10.46.0.0/24
Management Network: 172.16.1.0/24

Switch configuration:
!
ip routing
!
interface Vlan2
description ***INSIDE***
ip address 10.46.0.16 255.255.255.0
no ip mroute-cache
!
interface Vlan13
description ***MGMT***
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface GigabitEthernet0/1
description ***FTD-01 (MGMT)***
switchport access vlan 13
switchport mode access
spanning-tree portfast edge
!
ip route 0.0.0.0 0.0.0.0 10.46.0.1

FTD config

==================[ management0 ]===================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 5C:5A:C7:CF:66:80
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 172.16.1.10
Netmask : 255.255.255.0
Gateway : 172.16.1.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
!
interface Vlan2
nameif INSIDE
security-level 0
ip address 10.46.0.1 255.255.255.0
!
route INSIDE 172.16.1.0 255.255.255.0 10.46.0.16 1

Thanks
/Chess

Rob Ingram · ‎10-03-2020

As the traffic is being routed to the firewall you will need to ensure you are permitting the traffic, have you permitted traffic from 10.46.0.0 to 172.16.1.0? Troubleshoot using "system firewall-engine-debug"

Chess Norris · ‎10-03-2020

Thanks, It was the zones in the ACP that was wrong. Since the traffic both enter and exit the inside, I needed to use the inside zone as both source and destination.

/Chess