Solved: Inter-VLAN Routing configuration in Firepower 1010

shotalezhava · ‎03-26-2021

hello i have 3 V LAN, hosts can ping their default gateway can connect to FM C but can not ping each other, on A C P i Allow everything, ft d can ping all hosts. what can be a problem?

Rob Ingram · ‎03-27-2021

The result of that packet-tracer output was an "allow", which means the traffic should be permitted by the FTD.

I suggest you disable the local firewall on the hosts for testing and try again.

View solution in original post

Rob Ingram · ‎03-26-2021

Hi @shotalezhava

Do you have sub-interfaces on the FTD?

Is the FTD the default gateway for each VLAN?

Do you have NAT exemption rules in place to ensure the inter-vlan traffic is not unintentially natted?

Please can you run packet-tracer from the CLI and provide the output for review. Example: packet-tracer input <interface> <protocol> <src ip> <src port> <dst ip> <dst port>

Provide some output of your FTD and switch configuration.

shotalezhava · ‎03-27-2021

sorry i do not know how to run paket-tracer from CLI, i have sub-interface, host can ping ftd and all vlan can connect to fmc. default gateway is correct on host it is ftd sub-interface ip.

Rob Ingram · ‎03-27-2021

@shotalezhava Run the following from the CLI of the FTD and provide the output:-

packet-tracer input managment icmp 192.168.77.11 8 0 192.168.10.10

Can the FTD ping a host in each of the vlans?

Does the host you are trying to ping (192.168.10.10) have a local firewall turned on that could be preventing a ping response?

shotalezhava · ‎03-27-2021

local firewall allow icmp Ipv4

shotalezhava · ‎03-27-2021

packet-tracer input managment icmp 192.168.77.11 8 0 192.168.10.10

Rob Ingram · ‎03-27-2021

The result of that packet-tracer output was an "allow", which means the traffic should be permitted by the FTD.

I suggest you disable the local firewall on the hosts for testing and try again.

shotalezhava · ‎03-27-2021

icmp is allow i tried share folder but it is same

Rob Ingram · ‎03-27-2021

Right fine, but you are troubleshooting a problem with the FTD....you can easily eliminate that a potential issue by temporarily disabling the local firewall on the windows host and then test.

Aside from that, is the FTD the default gateway definately of the windows host?

Run the command "system support firewall-engine-debug" from the FTD CLI and filter on the ip address(es) you are testing with and then run some tests to generate some traffic.

You could also run packet capture on the windows host.

shotalezhava · ‎03-29-2021

it was windows firewall problem! thanks

shotalezhava · ‎05-12-2021

hello i create HA and i have error Frequent drain of Archives & Cores & File Logs