Firepower 1010

IgnatAndrei · ‎06-20-2022

Hello,

I have the following situation. We have at work a subnet (192.168.0.0/24) used by all equipment ( wifi devices, mng for switches, printers etc ) . We have a cisco firepower 1010 and a cisco sw. I created on ftd 1010 on interface Ethernet1/5 two subinterfaces ( vlan 10 with 192.168.10.0/24 subnet and vlan 20 with 192.168.20.0/24 subnet ) . I connected the ftd 1010 port 5 to the switch and the port on the switch i've configured it in trunk mode with vlan 10,20 . I've connected a pc in switch and set that port in access vlan 10 . The problem is that from that PC ( 192.168.10.20 ) i can ping the gateway but cannot ping a pc from the 192.168.0.0/24 subnet or viceversa. I've configured object "new_subnet" with 192.168.10.0/24 and policies where i've set allow from 192.168.0.0/24 subnet to 192.168.10.0/24 subnet and viceversa and still doesent work.

Rob Ingram · ‎06-20-2022

@IgnatAndrei it's possibly a NAT issue, assuming you've configured NAT to allow these networks to access the internet.

You will need to create NAT exemption rules between these networks, to ensure traffic is not translated. These NAT rules would be above your Auto NAT rules used for internet access.

In addition, you can run packet-tracer, this will provide more information as to where the issue lies.

IgnatAndrei · ‎06-20-2022

@Rob Ingram thx for the answer. Unfortunately i`m newbie with cisco firewalls, can you please guide me ? I've made a pic with the NAT menu. I don`t also understand what has to do NAT with inter-vlan routing. I cannot access the other vlan locally , i don't what to acces it from internet. I think the problem may be with the access list. But i've created rule and still doesent work.

Thx

Rob Ingram · ‎06-20-2022

@IgnatAndrei because traffic from one VLAN would be translated behind the FTD interface, unless configure not to.

I cannot see your rules behind to determine if they are conflicting, but you need to define Manual NAT rules as per the example below.

this rule ensures traffic between vlan5 and vlan6 networks are not translated.

Running packet-tracer as requested, would confirm the packet flow through the firewall and confirm my suspicion.

IgnatAndrei · ‎06-20-2022

I`ve attached some pictures to better understand the router configuration.

This in my subinterface configuration :

and this is subinterface config:

I want that from wifi_lan to access imprimante subnet. This is what i have when select add nat rule

I don`t know how to use packet tracer from cli

Rob Ingram · ‎06-20-2022

@IgnatAndrei

Manual NAT/ Static

Source interface: imprimante

Original source: 192.168.10.0

Translated source: 192.168.10.0

Destination interface: eq_management

Original destination: 192.168.20.0

Translated destination: 192.168.20.0

IgnatAndrei · ‎06-20-2022

I will ckeck tomorrow and see if it works. I also have other subnets configured on ethernet 2,3,4 on firepower and i cannot see any rule in nat and i can ping from one subnet to another. This rule is applyed only whem you create subinterfaces or is the default behavior that you have to implement ? If is that, then why other subnets can ping each other without any nat rule ? Thx

MHM Cisco World · ‎06-20-2022

You must make sure that the both VLAN in same Zone.

IgnatAndrei · ‎06-21-2022

@MHM Cisco World they are in the same Security zone and it does not work.

@Rob Ingram i want from wifi to imprimante . But i'm kind off affraid to create the rule to not break somethink...

IgnatAndrei · ‎06-21-2022

I mean is there a way to schedule a reboot if i make the rule and deploy and if something went wrong to reboot and perform a rollback to initial configuration ?

IgnatAndrei · ‎06-23-2022

Hello,

Any help please ?

thx