Cisco Firepower 1120 - Unable to ping or communicate VLAN SUBINTERFACE

wendalelotino
Level 1

Hello community,

I am using a Cisco Firepower 1120 Threat Defense (Software Version 7.0.1-84) and using FDM to configure the device. I created sub-interface VLANs on Eth 1/2 (VLAN 5, 6, and 7). I also configured DHCP on the Firepower 1120: for VLAN 5 it's 10.69.70.x, for VLAN 6 it's 10.69.71.x, for VLAN 7 it's 10.69.72.x. On Eth 1/2 of the Firepower I have a Cisco CBS350 with its port configured as a trunk. I have 3 computers connected to the CBS350 switch, each on a port assigned its respective access VLAN.

Now my issue is I cannot ping the IP address and the default gateway of the computers from different VLANs.

For example:

Computer VLAN 5 - cannot ping the IP and default ip gateway of VLAN 6, and 7
Computer VLAN 6 - cannot ping the IP and default ip gateway of VLAN 5, and 7
Computer VLAN 7 - cannot ping the IP and default ip gateway of VLAN 5, and 6

Is there a way to resolve this issue? Maybe there's something lacking on my FDM configuration.

Answers are greatly appreciated. Thank you!

7 Replies

@wendalelotino a device connected to one FTD interface can only ping its local FTD interface, it cannot ping through the FTD to another FTD interface - this is by design. It's the same behaviour as the ASA.

For testing you should test by pinging through the FTD to another device (you'd need an Access Control rule to permit this), rather than the FTD itself.

Hi sir,

May I know what configuration is needed on the access control policy? Thank you

You need to add an access control policy rule that allows ping to the other VLANs and then test by pinging a host on those VLANs. As Rob has mentioned, you cannot ping an interface on the FTD firewall that is not the ingress interface.

--
Please remember to select a correct answer and rate helpful posts
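As an added example (not from any poster in this thread), here is a small POSIX shell script a PC on VLAN 5 could run to apply the test sequence described in the replies above and tell the "by design" result apart from a real misconfiguration. The subnets are the ones from the question; the .1 gateway addresses, the .50 far host, and Linux iputils `ping` are assumptions.

```shell
#!/bin/sh
# Added example: reachability check run from a PC on VLAN 5 (10.69.70.x)
# toward VLAN 6 (10.69.71.x) through the FTD subinterfaces.
LOCAL_GW=10.69.70.1    # assumed: VLAN 5 subinterface address (own gateway)
FAR_GW=10.69.71.1      # assumed: VLAN 6 subinterface address (far gateway)
FAR_HOST=10.69.71.50   # assumed: a PC on VLAN 6

# probe <ip>: two pings with a 2 s timeout each (Linux iputils flags);
# prints "up" or "down".
probe() {
  if ping -c 2 -W 2 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# diagnose <local_gw> <far_gw> <far_host>: each argument is up|down.
# Only the far-host result says whether routing through the FTD works;
# the far gateway is expected to be "down", because the FTD answers ICMP
# only on the interface the packet arrived on.
diagnose() {
  case "$1:$3" in
    down:*)  echo "FAIL: local gateway unreachable - check the access VLAN on the CBS350 port, trunk tagging, and the subinterface VLAN ID" ;;
    up:up)   echo "OK: inter-VLAN path works (far gateway '$2' is expected - the FTD only answers on the ingress interface)" ;;
    up:down) echo "FAIL: far host unreachable - check the Access Control rule permitting ICMP between the VLANs and the far host's Windows firewall" ;;
  esac
}

main() {
  lg=$(probe "$LOCAL_GW"); fg=$(probe "$FAR_GW"); fh=$(probe "$FAR_HOST")
  echo "local gw=$lg  far gw=$fg  far host=$fh"
  diagnose "$lg" "$fg" "$fh"
}

# Probes run only when requested, so the functions can be sourced without
# network access:  RUN_PROBES=1 sh check.sh
if [ -n "${RUN_PROBES:-}" ]; then main; fi
```

The symptom in the question (far gateway unreachable, far hosts reachable once the rule exists) is the `OK` case; a `down` on the local gateway points at the switch/trunk side rather than the FTD policy.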

@wendalelotino to reiterate, you cannot ping an FTD interface when connected to another FTD interface, as per your initial request.

Computer VLAN 5 - cannot ping the IP and default IP gateway of VLAN 6, and 7
Computer VLAN 6 - cannot ping the IP and default IP gateway of VLAN 5, and 7
Computer VLAN 7 - cannot ping the IP and default IP gateway of VLAN 5, and 6

You can communicate through the FTD with the other VLANs, you just need firewall rules to permit the traffic.

wendalelotino
Level 1

Hello @Rob Ingram @Marius Gunnerud ,

I have managed to make it work by disabling the Windows firewall on the computers and by creating an access policy allowing all communications.

But I still have a problem: I cannot ping the default IP gateway of the VLAN from PC 1 to PC 2. For example, PC 1 on VLAN 5 cannot ping the default gateway of VLAN 6.

Here is the screenshot of my access control policy. 

[Screenshots: 1.PNG, 2.PNG]

@wendalelotino the FTD by design will only allow you to ping the local interface, so you cannot be connected to a PC on VLAN 5 and ping through the FTD to the FTD's interface IP address of VLAN 6.  That is by design.

@Rob Ingram I am 100% sure you are right, but I think the CBS350 is the issue here; this switch has a lot of bugs.
