Solved: Re: FDM Routing Between Networks on Different Interfaces

thediscountgeeks · ‎01-18-2022

I have a firepower 1010 managed with FDM. I have a default config with routed interfaces. Shouldnt the interfaces route between each other by default if they are in the same security zone? The only think i can think of is that I have my fiber modem in passthru mode and it assigns the WAN ip by DHCP but its a WAN gateway so it cant route my internal IPV4?

Rob Ingram · ‎01-24-2022

@thediscountgeeks correct, the router would behave differently and would allow the ping. You have a security device, both the FTD or ASA will not allow the ping through the device to one of it's local interfaces.

You inital issue is resolved now?

View solution in original post

Marvin Rhoads · ‎01-19-2022

Your default ACP rule is to block. So unless the traffic is explicitly allowed in an earlier rule it will not be allowed.

You didn't share the interface-one mapping but the rules you have do not appear at first glance to cover all of the many interfaces you have configured.

You can always confirm a given flow's behavior from the cli using the packet-tracer command.

thediscountgeeks · ‎01-20-2022

I'm still scratching my head, I thought this worked out of the box. I have attached my config if you can take a look. im just trying to get from 192.168.1.0/24 to 192.168.2.0/24

Rob Ingram · ‎01-21-2022

@thediscountgeeks are both interfaces in the inside_zone? - if not the traffic won't match your ACP rules. You'll probably need a Twice NAT/NAT exemption rule between those networks to ensure the traffic is not unintentially translated. As previously suggested you can run packet-tracer to determine more information about the traffic flow.

thediscountgeeks · ‎01-21-2022

yes, they are all in the inside zone together. I think this Firepower 1010 is fried because now the ports wont even light up after letting it boot overnight. I reset it and still nothing. This all transpired a few hours after I upgraded the software to the latest version, lesson learned. Additionally, packet tracer does not work on this unit.

Rob Ingram · ‎01-21-2022

@thediscountgeeks so what error do you get when you run packet-tracer from the cli?

You've enabled the interfaces in fdm?

thediscountgeeks · ‎01-21-2022

I was getting something like command not supported, the unit is down ATM
otherwise I would screenshot.

Yes the interfaces were enabled and giving out IP's

Rob Ingram · ‎01-21-2022

@thediscountgeeks so if the interfaces are giving out ips, the interfaces are working?....just no lights?

Regardless you'll probably need a NAT exemption rule as previously mentioned, to ensure traffic is not unintentially franslated.

The command starts "packet-tracer", its always been available in FTD image.

thediscountgeeks · ‎01-21-2022

no, after the lights stopped working, its also stopped giving out IP's with
my old config or the factory reset configuration. I opened a TAC case so I
will see how that turns out.

Ill read up on the NAT exemption

Ill send you that packet tracer command if I get it again