FPR 3105- Migrating 2 Subnets in same zone

Dear Community,

We have 2 server subnets, "vlan 130 - 10.72.12.0/25" and "vlan 140 - 10.72.12.128/25", configured as SVIs on an L3 switch. Both VLANs are part of inter-VLAN routing on the L3 switch without any restrictions. Now, as part of a segmentation project, we need to configure L3 interfaces on the FPR-3105 (FTD image) to isolate them from unwanted access from other VLANs on the core switch.

As we don't have the exact communication requirements between the servers configured on these 2 server VLANs, can we create 2 different interfaces for the routing and keep them assigned under the same security zone, "SRV"? Will this enable these subnets to talk to each other without dropping any traffic between them?

4 Replies

Providing network diagrams of how the network is now and what you are trying to achieve will help us understand the situation better.

That being said, you can add VLANs 130 and 140 as sub-interfaces on the FTD3105, and both of these can be members of the same security zone. You would still need to allow the traffic between these two VLANs in access rules; this is not allowed by default even though they are in the same security zone.

To identify what ports are required between the server zones, and from client to server zone for that matter, you can implement firewall analyzer software such as AlgoSec and send firewall connection syslogs to it. It will analyze the connections and provide information on how to start tightening up access rules that are too general.

--
Please remember to select a correct answer and rate helpful posts
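As an added illustration of the syslog-analysis step suggested in this reply (example code, not from the thread, Cisco or AlgoSec), the script below parses constructed FTD connection-event lines and summarizes which protocols and ports are actually used between the two server VLANs, so that a least-privilege rule set can be written for the shared "SRV" zone. The "Key: value, Key: value" layout of the sample lines mirrors FTD 430003 connection events but is an assumption here.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The two server VLANs from the thread, both placed in the "SRV" zone on the FTD.
SERVER_NETS = {"vlan130": ip_network("10.72.12.0/25"), "vlan140": ip_network("10.72.12.128/25")}

# Constructed sample lines. The "Key: value, Key: value" layout mirrors FTD 430003
# connection events but is an assumption here, not taken from the thread.
SAMPLE_LOGS = """\
%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.72.12.10, DstIP: 10.72.12.140, SrcPort: 51234, DstPort: 1433, Protocol: tcp, IngressZone: SRV, EgressZone: SRV
%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.72.12.11, DstIP: 10.72.12.140, SrcPort: 51235, DstPort: 1433, Protocol: tcp, IngressZone: SRV, EgressZone: SRV
%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.72.12.140, DstIP: 10.72.12.10, SrcPort: 40000, DstPort: 53, Protocol: udp, IngressZone: SRV, EgressZone: SRV
%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.5, DstIP: 10.72.12.10, SrcPort: 40001, DstPort: 443, Protocol: tcp, IngressZone: USERS, EgressZone: SRV
%FTD-1-430003: AccessControlRuleAction: Block, SrcIP: 10.72.12.12, DstIP: 10.72.12.130, SrcPort: 40002, DstPort: 22, Protocol: tcp, IngressZone: SRV, EgressZone: SRV
"""

FIELD_RE = re.compile(r"(\w+): ([^,]+)")

def parse_event(line):
    """Return the event's fields as a dict, dropping the %FTD-x-430003 header."""
    body = line.split(": ", 1)[1] if line.startswith("%FTD-") else line
    return {k: v.strip() for k, v in FIELD_RE.findall(body)}

def classify(ip):
    """Name the server VLAN an address belongs to, or None if it is outside both."""
    addr = ip_address(ip)
    return next((name for name, net in SERVER_NETS.items() if addr in net), None)

def summarize_inter_vlan(log_text):
    """Count flows that cross between the two server VLANs, keyed by
    (src vlan, dst vlan, protocol, dst port); blocked flows are kept apart."""
    allowed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not all(k in ev for k in ("SrcIP", "DstIP", "DstPort", "Protocol")):
            continue
        src, dst = classify(ev["SrcIP"]), classify(ev["DstIP"])
        if src is None or dst is None or src == dst:
            continue  # other zones or intra-VLAN traffic: not part of the inter-VLAN rule set
        key = (src, dst, ev["Protocol"].lower(), int(ev["DstPort"]))
        (blocked if ev.get("AccessControlRuleAction") == "Block" else allowed)[key] += 1
    return allowed, blocked

def proposed_rules(allowed):
    """Render observed allowed flows as candidate least-privilege rule lines, busiest first."""
    return [f"permit {proto}/{dport} {SERVER_NETS[s]} -> {SERVER_NETS[d]} ({n} flows)"
            for (s, d, proto, dport), n in allowed.most_common()]
```

Point the script at an export of real connection syslogs instead of SAMPLE_LOGS; the allowed summary is the starting point for explicit rules between the two sub-interfaces, and the blocked summary shows what the current policy already denies.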

Find diagram: DIA.png

Then the solution I provided in my previous post is correct.  The interfaces on the FTD can be in the same security zone but you still need to allow communication between the networks in access rules.

--
Please remember to select a correct answer and rate helpful posts