Solved: Re: FP1010 with internal router

lcaruso · ‎12-10-2022

Curious if anyone has managed to get FP1010 working with anything other than a flat internal, L2-only network.

I noticed in the CiscoLive BRK-SEC 2020 document for the Firepower 1000 series the statement that "Management interfaces can be placed on the same subnets as data interfaces."

I am now taking that suggestion as an indication that nothing else will work because everything I have tried does not work with FMC.

I need the ability to provision the management network and the data networks separately and manage the device with FMC.

Rob Ingram · ‎12-11-2022

@lcaruso follow this cisco guide.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html

https://m.youtube.com/watch?v=v_uZ9GbICBk

View solution in original post

Rob Ingram · ‎12-11-2022

@lcaruso yes this works, what have you tried? What issues do you encounter?

Please provide screenshots of the configuration of your interfaces, topology diagram, switch configuration, routing information etc.

lcaruso · ‎12-11-2022

If anyone can provide their configuration for the FP1010 requirement that management1/1 has to be directly cabled to a data interface, that would be great. I have tried multiple designs with and without the direct cabling, with and without L3 between those two ports, and I cannot make it happy.

Rob Ingram · ‎12-11-2022

@lcaruso follow this cisco guide.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html

https://m.youtube.com/watch?v=v_uZ9GbICBk

lcaruso · ‎12-11-2022

This was the FMC registration error with FMC and FTD ports directly connected to the same internal VLan.

lcaruso · ‎12-11-2022

Rob,

Two questions if you would be so kind to clear this up for me because I could not get this config working.

Is this not a valid config for the FP1010?

my managment1/1 port at 10.6.6.2/24
my management1/1 gateway on a data port Eth1/6, routed 10.6.6.1/24
both of those ports connected to a L3 switch in the same L3 vlan SVI 10.6.6.3/24
my fmc connected to the same L3 switch and vlan at 10.6.6.4/24
my internal network traffic on Eth1/2 on a different vlan

Then, if my OOB Gateway is a data port,

how do I set the system for this per the output below showing it is not currently set as such?

bFTD /fabric-interconnect # show detail

Fire Power:
ID: A
Product Name: Cisco FPR 1010
PID: FPR-1010
VID: V01
Vendor: Cisco Systems, Inc.
OOB IP Addr: 10.6.6.2
OOB Netmask: 255.255.255.0
OOB Gateway: 10.6.6.1
OOB Gateway Use DataPort: No
OOB Boot Proto: Static
OOB IPv6 Address: ::
Prefix: 64
OOB IPv6 Gateway: ::
OOB IPv6 Gateway Use DataPort: No
IPv6 Boot Proto: Static
DHCPD Admin State: DHCP Server Disabled
Operability: Operable
Thermal Status: N/A
Current Task 1:
Current Task 2:
Current Task 3:
Current Task 4:
bFTD /fabric-interconnect #

lcaruso · ‎12-11-2022

Might have just found the problem. The FP1010 does not add a connected route for an interface until you create a zone even though the interface was defined, addressed, and up. I was checking the routing table and could not see the connected route, so then I compared notes because it had a connected route for the default inside and the dhcp outside. Added the zone and the route magically appeared.

lcaruso · ‎12-11-2022

Hi Rob,

Thanks for your replies and for taking the time to consider. I will not have time to post the designs and configurations I have tried unfortunately given the amount of time lost.

Yes, there have been multiple issues. The FMC issues started with FMC otherwise reaching and managing the device just fine with the firewall in production, passing traffic--the only issue was a critical health alert that it could not reach the cloud.

I had TAC look at it for about three hours and they claimed my topology was not following published requirements, so I tried changing the network design and firewall configuration to meet those requirements.

I ended up reimaging due to a platform policy that it would not release, as I wanted to remove that, for the functionality that was achieved previously was w/o this policy in place.

After reimaging and reconfiguring the unit the FMC could not register the firewall claiming a reachability issue even though it changed the name of the firewall in this failed attempt. So now I will reimage again and just use a flat network with vlan 1 enabled which I normally avoid due to common security practices.

So the plan now is to reimage, leave vlan 1 enabled, don't change anything about the default networking except the outside has to be routed and see where that gets me. I will change my internal network to a flat model with no L3 services.