configure DMZ on FDM-FTD 5516

PenielIpo3099
Level 1

This is my scenario:

I am trying to move the web server, NTP server, and some other internet-facing servers to a DMZ. I have re-imaged the ASA to FTD, managed by FDM. I have some knowledge of configuring using the CLI, however, not much on FDM. I have configured a new interface on the FDM, created a security zone for the DMZ and an access list; NAT is not done yet. I understand that the security level for the inside interface is 100, outside is 0, and DMZ should be 50. I have a 9200L switch to connect to the FTD. My problem is: how can I configure both the FDM and the switch to allow communication with each other?

Any idea given should be highly appreciated. Please assist. 

9 Replies

The FTD doesn't work with security levels. Instead, the interfaces are assigned to security zones, which are used, for example, in your Access Control policy. It is a different way to control traffic compared to the ASA.

Thanks, I understand that. However, my question is different: I am struggling to get communication from the switch to the FDM. I have configured the FDM interface but am not sure. This is what I did on both the FDM and the switch:

FDM: interface 1/6 - no IP address; created a subinterface with IP address 192.168.50.2, VLAN 50.

switch: int 1/0/24

interface FastEthernet0/24
 description Connection Primary RG_FTD
 duplex half
 speed 10
vlan 1
int vlan 192.168.50.2

I am not sure if I am correct.
By default the FDM is only accessible through the Management port. I would leave it this way, as it is much simpler than access on a data interface. And your config is conceptually wrong:

  • If you have a subinterface on the FTD, you need a trunk and a VLAN interface in the same VLAN on the switch.
  • Both devices are not allowed to share the same IP.
  • And why do you have 10/half?

But if you want to go that way, you need at least version 6.7 on the FTD. And need to configure this in the FDM Manager access options.

Can you assist with how to configure the switch and firewall for this to work? The FTD is a 5516 and the switch is a 9200L.

You said you setup your port fa0/24 with 10 Mbps speed and half duplex. I believe Catalyst 9200 ports are all Gigabit Ethernet. Auto speed and duplex are the defaults and should be used in that case. Also, it should be a trunk interface ("switchport mode trunk") in order to understand the 802.1q encapsulation your firewall will be using for subinterfaces.

And, as @Karsten Iwen noted all devices require unique IP addresses. Both cannot be 192.168.50.2
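The switch side described in the two replies above (trunk port, SVI in the same VLAN, unique IP, default speed/duplex), written out as an added example for a Catalyst 9200L; this is not configuration from the thread or from Cisco documentation. It assumes the FTD subinterface is Gi1/6.50 with 192.168.50.2/24 (configured in FDM under Device > Interfaces, placed in the dmz security zone), that the switch uplink is Gi1/0/24, and that the SVI address 192.168.50.3 and server port Gi1/0/1 are free to use.

```cisco
! Catalyst 9200L - DMZ switch (example, not from the thread)
! Assumes: FTD Gi1/6.50 = 192.168.50.2/24 (VLAN 50), uplink = Gi1/0/24
!
vlan 50
 name DMZ
!
! Uplink to the firewall: 802.1Q trunk so the FTD subinterface's tagged
! frames are understood. No "switchport trunk encapsulation" line is
! needed on the 9200; dot1q is the only encapsulation it supports.
interface GigabitEthernet1/0/24
 description Uplink to FTD 5516 Gi1/6 (802.1Q trunk, VLAN 50 only)
 switchport mode trunk
 switchport trunk allowed vlan 50
 ! speed/duplex left at the default (auto/auto) - do not pin 10/half
 no shutdown
!
! Switch's own address in the DMZ subnet. It must NOT reuse the FTD's
! 192.168.50.2; the firewall subinterface keeps that address.
interface Vlan50
 description DMZ SVI (switch management/reachability in VLAN 50)
 ip address 192.168.50.3 255.255.255.0
 no shutdown
!
! Example server port: untagged access port in the DMZ VLAN. The server's
! default gateway is the FTD subinterface (192.168.50.2), not the SVI.
interface GigabitEthernet1/0/1
 description DMZ web server
 switchport mode access
 switchport access vlan 50
 spanning-tree portfast
 no shutdown
!
! Verification (run on the switch):
!   show interfaces GigabitEthernet1/0/24 trunk    -> VLAN 50 allowed and active
!   show ip interface brief | include Vlan50       -> up/up, 192.168.50.3
!   ping 192.168.50.2                              -> replies from the FTD subinterface
```

Restricting the trunk to VLAN 50 keeps VLAN 1 (and any other VLAN) off the firewall link; if more DMZ segments are added later, each needs its own FTD subinterface and a matching entry in the allowed-VLAN list.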

Thanks Marvin. I removed ip on the interface and added a subinterface and entered only one ip address with the vlan ID corresponding to the one i created in the DMZ switch and did trunking on the switch to successfully communicate between the devices. 

Only one problem left: how can I configure it such that the inside zone can communicate with the DMZ switch? Do I create an access list on the FDM? I would like to use a PC on the inside network and configure the DMZ using SSH. How can I go about this? Your response is so far helpful.

Assuming your default policy is to deny all then yes, you would need a new Access control rule to allow inside to dmz over tcp/22 (ssh).

You would also need routing on your inside network to point to the firewall for the DMZ subnet (if the default route doesn't already do so).

From the inside network's core switch, I can ping the firewall but not the DMZ interface IP nor the switch. So do I create an IP route on the core switch?

You cannot ping the DMZ network interface from anywhere other than a network connected to that interface (directly or downstream via the DMZ subnet). That is by design.

Pinging an IP address on the DMZ switch (assuming the address is in the DMZ subnet) should be possible as long as there is not any Access Control Policy rule preventing it and you are inspecting icmp traffic (default behavior in all recent FTD releases).

Answering your question about routing would require you to provide information on the current routing setup, which you have not done at this point.
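The routing and access-rule pieces from the last three replies (a route on the inside network toward the DMZ subnet, an inside-to-dmz TCP/22 rule, and the fact that the DMZ interface itself is not pingable from inside), written out as an added example; this is not configuration from the thread, and the addressing is assumed because the poster did not give it: inside subnet 192.168.1.0/24 with the FTD inside interface at 192.168.1.1, the core switch at 192.168.1.2 routing for the inside hosts, the DMZ switch SVI at 192.168.50.3 behind the FTD subinterface 192.168.50.2, and a management PC at 192.168.1.10.

```cisco
! --- Core switch (inside, Layer 3) - example, addresses assumed ---
! Send the DMZ subnet to the firewall. Only needed if the core's default
! route does not already point at the FTD inside interface.
ip route 192.168.50.0 255.255.255.0 192.168.1.1

! --- DMZ switch (Catalyst 9200L) - return path for SSH replies ---
! The switch only needs to reach inside through the FTD subinterface.
! If "ip routing" is disabled on it (pure Layer 2 + management SVI):
ip default-gateway 192.168.50.2
! If "ip routing" is enabled instead, use a default route:
! ip route 0.0.0.0 0.0.0.0 192.168.50.2

! --- FDM (GUI, not CLI) - Policies > Access Control, add a rule ---
!   Name: inside-to-dmz-ssh
!   Source zone: inside    Source network: 192.168.1.0/24
!   Destination zone: dmz  Destination network: 192.168.50.0/24
!   Destination port: SSH (TCP/22)   Action: Allow
! Optionally add a second rule for ICMP if you want to ping the DMZ
! switch SVI from inside; pinging 192.168.50.2 itself from inside will
! fail regardless, since a non-connected interface is not pingable.

! --- FTD CLI (> prompt, SSH to the management address) - verification ---
! Confirm the firewall knows the DMZ and inside subnets as connected:
! > show route
! Confirm the deployed rule is present:
! > show access-list | include 22
! Simulate the SSH flow from the management PC to the DMZ switch SVI;
! the result should end in ALLOW, and the output names the rule that
! matched or the phase that dropped it (route lookup, ACL, NAT):
! > packet-tracer input inside tcp 192.168.1.10 40000 192.168.50.3 22
```

packet-tracer is the quickest way to separate a routing problem from a policy problem: a drop in the route-lookup phase means the FTD has no path, a drop in the access-list phase means the rule has not been deployed or does not match the zones and ports used, and an ALLOW result with no live connectivity points back at the switches (the missing route on the core, or the missing default gateway on the DMZ switch).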
