Solved: Re: How to ping a subinterface on FTD - Page 2

cxu21 · ‎01-27-2025

We have a 1140 FTD managed by FMC, on the FTD, there is a paricular subinterface that required to be pingable.

We had the rule configured as below but none of the interface is pingable.

Is there anything we missed?

We do not need to ping all subinterface, only 1 is required to be able to ping

cxu21 · ‎01-28-2025

It is allowed in the trunk

MHM Cisco World · ‎01-28-2025

Your share config say opposite

interface Port-channel11
description To Primary
switchport trunk native vlan 99
switchport trunk allowed vlan 3,4,5,6
switchport mode trunk

interface GigabitEthernet1/0/24
switchport trunk native vlan 99
switchport trunk allowed vlan 3,4,5,6
switchport mode trunk
auto qos trust dscp
channel-group 11 mode active

cxu21 · ‎01-28-2025

sorry, that is just a demo, the real configuration allowed vlan 1

MHM Cisco World · ‎01-29-2025

So SW use vlan 99 or vlan 1 as native ?

If it use vlan1 use any unuse other vlan as native in trunk between SW and FPR.

MHM

MHM Cisco World · ‎01-29-2025

One more Q will help us to know issue

Are you PC connec to internal vlan with same subnet as subinterface????

If not then it by defualt not work and you can not change that

If Yes then check vlan native as I mention above

MHM

Aref Alsouqi · ‎01-28-2025

@Rob Ingram made a very good point. If you are trying to ping or reach an interface of the firewall coming from another that will not be allowed by design and no security rule will work around it. This behaviour was the same on Cisco ASA and it is still the same on the FTDs.

Marvin Rhoads · ‎01-29-2025

@cxu21 it is as my friend @Rob Ingram noted and @Aref Alsouqi already mentioned.

You cannot ever ping an interface (or subinterface) on an FTD or ASA device unless the traffic ingresses on that (sub)interface. No matter what platform (right place) or ACP (wrong place) or switchport trunk settings you use it will not work.

That is by design and has been that way since ASAs were known as Pix.