Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6053
Views
10
Helpful
3
Replies

Cisco Firepower running in VMWare Workstation - FTD not intercepting traffic.

crstephenson
Level 1
Level 1

‎08-30-2018 04:17 AM - edited ‎02-21-2020 08:10 AM

Hi,

 

I am currently setting up Firepower FTD in VMWare Workstation, and was hoping someone could possibly help me with an issue I am experiencing with the FTD not intercepting and blocking/allowing traffic?

 

A bit background:

 

I now have a paired FMC and FTD running on VMWare Workstation. The FTD has three virtual NICs, set up as follows:

 

Nic1 (Management) - Using VMNET2, which is configured in NAT mode within VMWare. FMC is configured to also use VMNET2 nic.

Nic2 (Outer) - Using the bridged option in VMware for this NIC. Has an IP address in the same range as office router.

Nic3 (Inner) - Using the bridged option in VMWare for this NIC. Has a 172.xx.xx.2 internal address. Virtual client desktop that I also built also uses the bridged NIC option with an IP address in the same network space, and is set with gateway of 172.xx.xx.2.

 

So, the problem that i am facing is that my virtual client PC can ping the inner interface of the FTD, but when I attempt to do a ping from the client desktop to the internet, it times out. I have created a blanket ACL on the FTD to allow all traffic outbound, from all networks, but it is still not working. What is strange, is that when i attempt the ping, nothing appears in the event/connection logs on the FMC.

 

I can confirm that the FTD can ping externally and has internet connectivity, so both outer and inner up and running, at least from an IP perspective at least.

 

To confirm, I am running VMWare Workstation 14.1.3 on Fedora 28, with firewalld disabled.

 

I have heard this might be something to do with promiscuous mode needing enabled? I am a total linux newbie, so really struggling and not sure how to do this, and/or whether my overall config is essesntially correct/incorrect. Can you please help or advise? 

 

Kind regards

 

Craig.

0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-30-2018 05:34 AM

Yes your dataplane network adapters for the FTDv host need to have promiscuous mode enabled.

 

You do that this for the associated vSwitch as shown below:

 

ESXi vSwitch promiscuous mode.PNG

It's not a Linux thing per se - it's an ESXi setting.

 

https://kb.vmware.com/s/article/1004099?CoveoV2.CoveoLightningApex.getInitializationData=1&ui-force-components-controllers-hostConfig.HostConfig.getConfigData=1&r=2&other.KM_Utility.getArticleDetails=1&other.KM_Utility.getArticleMetadata=1&other.KM_U...

crstephenson
Level 1
Level 1
In response to Marvin Rhoads

‎08-30-2018 06:22 AM

Thanks, Marvin.

 

However, I'm not using ESXi. I'm using VMWare Workstation.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to crstephenson

‎08-30-2018 08:20 AM

For Vmware workstation yo need to edit a config file to enable promiscuous mode.

 

https://superuser.com/questions/1209497/how-do-you-enable-promiscuous-mode-in-vmware-workstation

 

However FTDv is NOT supported on VMWare workstation. Here's the support matrix:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#id_37873

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card