12-22-2020 03:40 AM
Hi
I would like to configure inter-VLAN routing in Firepower (FMC) using VLAN sub-interfaces.
I've created sub-interfaces with separate VLAN IDs on the physical interface, and I've configured a trunk port on the access switch side with the appropriate gateway.
But inter-VLAN routing is still not working.
What do I need to do in Firepower (FMC) in order to make inter-VLAN routing work?
Thank you so much all!
12-22-2020 08:56 AM - edited 12-22-2020 09:01 AM
You don't have any interfaces configured in vlan11 or vlan12 on the switch, so I can only assume you are pinging the vlan11 and vlan12 interfaces on the FTD from the switch itself, which would be from vlan 10. As explained above, that will not work by design.
You need to connect some devices to the switch in vlan11 and vlan12 with a default gateway of the FTD, and then ping "through" the FTD, not "to" the FTD.
12-22-2020 09:22 AM
No, that's incorrect. The FTD only responds to ICMP traffic sent to the interface that the traffic comes in on (vlan10); you cannot send ICMP traffic through an interface to a far interface (vlan11 or vlan12). The same applies to the ASA as well. I stated to test communication by pinging "through" the firewall, not "to" it.
12-22-2020 03:48 AM
FTD is more of a zone-based firewall, and same-security-traffic is required to achieve intra- and inter-interface communication. An ACP rule is required to make this work.
12-22-2020 07:45 AM
Hi,
I've also tried with an allow-any Access Control Policy, but inter-VLAN routing is still not working.
It is as if I had missed "ip routing" on a core Layer 3 switch.
I have 3 VLANs (vlan 10, 11, 12) and only vlan 10 is pingable from the access switch.
I also made sure "no ip routing" is set on the access switch, but inter-VLAN routing on Firepower still cannot work yet.
Am I missing something in Firepower?
12-22-2020 08:44 AM - edited 12-22-2020 08:45 AM
Do you have NAT exemption rules set up? Without them, traffic could unintentionally be NATted.
If you ping the vlan10 IP address of the FTD from the access switch you would only expect to get a response from vlan10; you cannot be connected to one FTD interface (FTD vlan10) and ping through the FTD to the FTD's far interface (FTD vlan11). This would be denied, by design. You would need to ping through the FTD to a device connected to vlan11 (PC, printer etc.). Obviously your ACP rules need to permit this.
Run packet-tracer from the CLI and provide the output for review.
Provide a screenshot of your ACP for this traffic.
Provide the output of "show nat detail".
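A concrete version of the setup and test method described in this thread (access switch as Layer 2 only, clients in each VLAN, ping "through" the FTD, check NAT and packet-tracer). This is an added example, not configuration posted by anyone in the thread; the interface names, VLAN subnets and client addresses are assumed.

```text
! --- Access switch (Cisco IOS), constructed example ---
! Layer 2 only: the FTD sub-interfaces are the default gateway for every
! VLAN, so the switch must NOT route between them.
no ip routing
vlan 10,11,12
!
! Trunk towards the FTD physical interface that carries the sub-interfaces
! (older platforms also need "switchport trunk encapsulation dot1q")
interface GigabitEthernet0/1
 description Trunk to FTD (sub-interfaces for VLAN 10/11/12)
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12
!
! One access port per VLAN for the test clients
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 11
!
! --- FTD CLI tests (assumed names/addresses) ---
! nameif vlan10 = 10.0.10.1/24, nameif vlan11 = 10.0.11.1/24
! client A = 10.0.10.50 (VLAN 10), client B = 10.0.11.50 (VLAN 11)
!
! Valid test: ICMP echo request (type 8, code 0) from client A THROUGH the
! FTD to client B. The output walks the route lookup, NAT and ACP phases;
! the final action should be ALLOW if inter-VLAN routing is configured.
packet-tracer input vlan10 icmp 10.0.10.50 8 0 10.0.11.50
!
! Invalid test: client A pinging the FTD's far interface. This is denied by
! design, so a DROP here says nothing about inter-VLAN routing.
packet-tracer input vlan10 icmp 10.0.10.50 8 0 10.0.11.1
!
! Confirm no NAT rule rewrites the inter-VLAN traffic (expect no match or
! an exemption/identity rule for 10.0.10.0/24 <-> 10.0.11.0/24)
show nat detail
```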
12-22-2020 07:55 AM
Can you post the switch config so we can look at how you configured it?
Is the VLAN Layer 3 on the switch or the FTD? Or in both places?
12-22-2020 09:17 AM
Thank you for your suggestion, but according to my understanding, I already have a trunk port configured between the switch and Firepower. And I also configured an allow-any policy. So it should be able to ping from vlan 10 to the other VLAN interfaces on the FTD. That is what I usually configure in other firewalls and the ASA.
But now, it is more like when we miss the "ip routing" command on an L3 switch.
12-22-2020 09:46 AM
I've assigned access ports for VLAN 10, 11 and 12.
Then I tried to ping from a VLAN 10 client to a VLAN 11 client, etc.
But still the same. Inter-VLAN routing is not working.
12-22-2020 10:10 AM
So you've connected a client device to each of vlan 10, 11 and 12, with the default gateway for the client devices set to the local FTD VLAN interface?
Can each client device ping its own local VLAN interface IP address (default gateway)?
Do you have NAT configured? If yes, you might need a NAT exemption rule.
Run packet-tracer from the CLI of the FTD and provide the output for review.
12-22-2020 12:05 PM
Hi,
Yes, each client device can ping its own default gateway. And there is no NAT on Firepower.
I have captured some packets:
- each VLAN client to its respective gateway, and
- VLAN 10 client to another VLAN's client
I'm capturing from my lab, so the capture files may be somewhat difficult to view.
Very sorry for that, and thank you so much for helping me.
12-22-2020 12:28 PM
Are you logging traffic in the ACP rules? If so, check the logs.
You can also run the "system support firewall-engine-debug" command and filter on the source IP address of the computer you are running a ping from. Then run a ping and provide the output from that command.
Do the client devices you are running a ping to/from have a local firewall turned on that could block the ping response?
What was the output of packet-tracer?
12-23-2020 06:17 AM - edited 12-23-2020 06:22 AM
Thank you all for helping me to solve this issue. I reconfigured all sub-interfaces in Firepower, created an ACP policy and tried to ping from one VLAN client to another VLAN client, and it's working!
03-26-2021 02:06 AM
Hello, I have the same problem. The ACP is correct, I allow everything, but the hosts cannot ping. All networks can connect to FMC and ping the default gateway. What was the problem?