How to route VLANs on Firepower 1010

EvanC75
Level 1

OK, for the life of me I cannot figure out how to route VLANs so that they have Internet access. Whether I choose Access or Trunk, I simply cannot get it to work. Online searches turned up absolutely nothing; not even the Cisco documentation could explain it.

I have my main VLAN 1 (inside), which works fine. I am trying to create VLAN 10 and VLAN 20. Testing VLAN 10 for now, which is assigned 10.0.10.1/27. I created a DHCP server for it, so when I connect to its port, in this case Ethernet 1/6, I get a DHCP lease and the OpenDNS servers. However, I cannot reach the Internet.

My goal is to have these VLANs access the Internet without being able to access the other VLANs. The documentation does not clearly explain how to do this, so I am at a loss. I have a call scheduled with TAC tomorrow on another matter, but wanted to see if anyone knew how to do this in the meantime.

I am using the web interface for now since I am less than a novice on the CLI, i.e. I don't know how to use it. This is for a lab, not production; for now I am trying to learn the product. I am using software 7.2.1-40.

Regards.
3 Replies

Marvin Rhoads
Hall of Fame

A VLAN interface needs an IP address (which you apparently have), access control policy rule(s) (otherwise it hits the default, usually deny all) and a NAT (usually a dynamic NAT to the outside interface).

Can you check the second and third items in your case?

Thanks for the reply. Yes, there is the default NAT and the default access control set, which was created upon first setup.

Access Control:
Inside_Outside_Rule
Action: Trust
Source: inside_zone > any network > any port > any SGT group
Destination: outside_zone > any network > any port > any SGT group

NAT:
InsideOutsideNatRule
Type: Manual NAT, Dynamic
Status: Enabled
Placement: Before Auto NAT Rules
Original packet:
Source interface: inside
Source address: any-ipv4
Source port, destination address and destination port: any
Translated packet:
Destination interface: outside
Source address: interface
Source port, destination address and destination port: any

Regards.

Wow, I got it! Thanks for the clue on access control and NAT. I was missing the security zone and the NAT interface. The VLAN was for my Wi-Fi, so I created a wifi security zone and created a new access control rule for that zone to allow it to the outside zone. Then I created a new dynamic NAT rule for the wifi interface to translate to the outside interface. After deploying, it finally worked! That was an adventure.

Regards.
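As an added example (not code from the thread, from Cisco or from FDM), here is a small Python checker that encodes Marvin's three requirements plus the isolation goal from the original post, applied to rule objects shaped like the FDM access and NAT rules pasted above; every zone, rule and interface name in it is constructed.

```python
# Added example, not from the thread: checks the three requirements Marvin lists
# (zone + access rule, NAT, IP handled outside this script) for a VLAN interface
# against objects shaped like the FDM rules the poster pasted. Names are constructed.
from dataclasses import dataclass

@dataclass
class AccessRule:
    name: str
    action: str         # "Allow", "Trust" or "Block"
    src_zones: set
    dst_zones: set

@dataclass
class NatRule:
    name: str
    enabled: bool
    nat_type: str       # "Dynamic" or "Static"
    src_iface: str      # original-packet source interface
    dst_iface: str      # translated-packet destination interface

@dataclass
class Firewall:
    zones: dict         # zone name -> set of member interface names
    access_rules: list
    nat_rules: list

def zones_of(fw, iface):
    return {z for z, members in fw.zones.items() if iface in members}

def internet_readiness(fw, iface, outside_zone="outside_zone", outside_iface="outside"):
    """Return the requirements a VLAN interface still lacks before hosts
    behind it can reach the Internet (empty list means all are met)."""
    missing = []
    zs = zones_of(fw, iface)
    if not zs:                      # no zone: no zone-based access rule can match it
        missing.append("security zone")
    if not any(r.action in ("Allow", "Trust") and zs & r.src_zones
               and outside_zone in r.dst_zones for r in fw.access_rules):
        missing.append("access control rule to outside")   # default action is deny
    if not any(n.enabled and n.nat_type == "Dynamic" and n.src_iface == iface
               and n.dst_iface == outside_iface for n in fw.nat_rules):
        missing.append("dynamic NAT to outside")
    return missing

def leaks_to_other_zones(fw, iface, outside_zone="outside_zone"):
    """Permit rules that would let this VLAN reach zones other than outside,
    i.e. rules that defeat the poster's goal of keeping the VLANs isolated."""
    zs = zones_of(fw, iface)
    return [r.name for r in fw.access_rules
            if r.action in ("Allow", "Trust") and zs & r.src_zones
            and r.dst_zones - {outside_zone}]
```

Run against the default Inside_Outside_Rule and InsideOutsideNatRule, the inside interface passes while a new VLAN interface fails on all three points; adding a wifi zone, a wifi-to-outside rule and a dynamic NAT for that interface clears the list without opening a path to the inside zone.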