10-04-2022 08:06 PM - edited 10-04-2022 08:08 PM
OK for the life of me, I cannot figure out how to route VLANs so that they have Internet access. Whether I choose Access or Trunk, I simply cannot get it to work. Online searches turned up absolutely nothing, not even the Cisco documentation could explain it.
I have my main Vlan1 (inside) which works fine. I am trying to create Vlan10 and Vlan20. Testing Vlan10 for now, which is assigned 10.0.10.1/27. I created a DHCP server for it, so when I connect to the port for it, in this case Ethernet 1/6, I get a DHCP lease and the OpenDNS servers. However, I cannot reach the internet.
My goal is to have these Vlans access the Internet without being able to access the other Vlans. The documentation does not clearly explain how to do this, so I am at a loss. I have a call scheduled with TAC tomorrow on another matter but wanted to see if anyone knew how to do this in the meantime.
I am using the web interface for now since I am less than novice on the CLI, i.e. I don't know how to use it. This is for a lab, so not production; for now I am trying to learn the product. I am using software 7.2.1-40.
10-04-2022 08:47 PM
A VLAN interface needs an IP address (which you apparently have), access control policy rule(s) (otherwise it hits the default action, usually deny all) and a NAT (usually a dynamic NAT to the outside interface).
Can you check the second and third items in your case?
10-04-2022 08:55 PM
Thanks for the reply. Yes, there is the default NAT and the default access control set which was created upon first setup.

Access Control:
Inside_Outside_Rule
Action: Trust
inside_zone > any network > any port > any SGT group
outside_zone > any network > any port > any SGT group

NAT:
InsideOutsideNatRule
Type: Manual NAT
Status: Enabled
Placement: Before Auto NAT Rules
Type: Dynamic
Source interface: inside
Source address: any-ipv4
Source port, destination address and destination port set to any.
Destination interface: outside
Source address: interface
Source port, destination address and destination port set to any.
10-04-2022 09:17 PM - edited 10-04-2022 09:18 PM
Wow, I got it! Thanks for the clue on access control and NAT. I was missing the security zone and the NAT interface. The Vlan was for my wifi, so I created a wifi security zone and created a new access control rule for that zone to allow it to the outside zone. Then I created a new dynamic NAT rule for the wifi interface to translate to the outside interface. After deploying, it finally worked! That was an adventure.
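The three pieces the accepted answer lists (interface IP, access control rule, dynamic NAT) plus the original goal of keeping the VLAN away from the other VLANs, written out as an added illustration. This is not configuration from the thread or from Cisco; it is classic ASA syntax, which the FTD running-config resembles, and on a Firepower 1010 managed by FDM the same objects are created in the web UI (Interfaces, Objects > Security Zones, Policies > Access Control, Policies > NAT) rather than typed in. The interface name `wifi`, the object names `WIFI_NET` and `INSIDE_NET`, the DHCP pool and the bracketed placeholders are assumptions; only the 10.0.10.1/27 subnet comes from the thread.

```text
! Added illustration in ASA syntax (not from the thread); names and pool are assumed.

! 1. Routed VLAN interface with its own nameif (in FDM: interface + security zone)
interface Vlan10
 nameif wifi
 security-level 0
 ip address 10.0.10.1 255.255.255.224
!
! DHCP scope on that interface (pool and DNS servers are placeholders)
dhcpd address 10.0.10.2-10.0.10.30 wifi
dhcpd dns <DNS-SERVER-1> <DNS-SERVER-2> interface wifi
dhcpd enable wifi
!
! 2. Network objects for the local subnets (inside subnet is a placeholder)
object network WIFI_NET
 subnet 10.0.10.0 255.255.255.224
object network INSIDE_NET
 subnet <INSIDE-SUBNET> <INSIDE-MASK>
!
! 3. Dynamic NAT: wifi sources are translated to the outside interface address
!    (equivalent of the thread's "Dynamic, source interface wifi, destination
!    interface outside, translated address: interface" rule in FDM)
nat (wifi,outside) after-auto source dynamic WIFI_NET interface
!
! 4. Access control: wifi may reach the Internet only. The explicit deny lines
!    sit above the permit so that "permit ... any" does not also cover the
!    inside VLAN; add one deny per additional VLAN subnet (e.g. Vlan20).
access-list WIFI_IN extended deny ip object WIFI_NET object INSIDE_NET
access-list WIFI_IN extended permit ip object WIFI_NET any
access-group WIFI_IN in interface wifi
```

In FDM the ACL in step 4 corresponds to an access control rule whose source zone is the wifi zone and whose destination zone is the outside zone only; traffic from the wifi zone toward the inside zone then matches no rule and falls to the policy's default action, which the reply above notes is normally deny. A rule with destination zone "any" would instead let the wifi VLAN reach the inside VLAN. Note also that the thread's Inside_Outside_Rule uses the Trust action, which passes matching traffic without further inspection; Allow is the usual choice when the traffic should still be inspected.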
02-09-2025 07:13 PM
So I have a similar question.
I have a Cisco Firepower 1010 that I am trying to connect to a Ubiquiti network switch that is configured for 3 VLANs: default 1, 120 and 130. I have configured the same VLANs on the Cisco Firepower 1010 and have set up DHCP servers for each VLAN. I have created Objects for each network for the VLANs: Vlan 1 172.16.1.0/24, Vlan 120 172.16.2.0/24, Vlan 130 172.16.3.0/24. I have created Security Zones for each VLAN, mode Routed, Interface is the VLAN. I have created Access Control (inside to outside for each VLAN), based on the above instructions from EvanC75. I have created dynamic NATs for each VLAN as listed above from EvanC75.
On the 1010 I set the Ethernet 1/3 Switch Port as VLAN Trunk, Native Vlan1, and Associated VLANs 1, 120 and 130.
When I connect interface 1/3 to the Ubiquiti switch with a patch cord, and then connect my laptop with a patch cord to a port on the Ubiquiti switch, I get a DHCP address from the Cisco 1010 for the correct VLAN network. I have tested all 3 VLANs by moving my patch cord to different ports on the switch assigned untagged Vlan1, 120, 130; this all works properly. I have interface 1/2 on the Cisco switch configured as access, assigned to Vlan 1. When I connect my laptop with a patch cord to interface 1/2 on the 1010, I get a DHCP IP address that is correct for Vlan 1, and I can ping devices connected to the Ubiquiti switch on untagged Vlan1 ports. I can also ping the default gateway for the VLAN, and get to the internet. The devices on the Ubiquiti switch are able to get DHCP addresses for the correct Vlan1 and are able to ping my laptop connected on interface 1/2 on the 1010, but they cannot ping the default gateway or get to the internet. On the 1010 CLI console I can ping my laptop on interface 1/2 (Vlan1), but I am not able to ping any devices connected to the Ubiquiti switch on Vlan1 connected to interface 1/3 on the 1010. This is also true for Vlan 120 and 130. I can't seem to figure out what I am doing wrong. Any help would be appreciated.
02-09-2025 08:49 PM
Unfortunately, I cannot help you on that. Even after all this time, I am still very much a novice at this and cannot do critical thinking very well in my old age. Replying to this existing topic won't get much attention; might I suggest creating a new forum post so that more eyes can see it.