Inter-VLAN Routing configuration in Firepower

SaintEvn (Level 1)

Hi

I would like to configure inter-VLAN routing in Firepower (FMC) using VLAN sub-interfaces.

I've created sub-interfaces with separate VLAN IDs on the physical interface, and I've configured a trunk port on the access switch side with the appropriate gateway.

But inter-VLAN routing is still not working.

What do I need to do in Firepower (FMC) to get inter-VLAN routing working?

Thank you so much all!


17 Replies

balaji.bandi (Hall of Fame)

FTD is more of a zone-based firewall, and same-security-traffic is required to achieve intra- and inter-interface communication. An ACP rule is required to make this work.


BB



Hi,

I've also tried with an allow-any Access Control Policy, but inter-VLAN routing is still not working.

It is like I missed "ip routing" on a core Layer 3 switch.

I have 3 VLANs (VLAN 10, 11, 12) and only VLAN 10 is pingable from the access switch.

I also made sure "no ip routing" is set on the access switch, but inter-VLAN routing on Firepower still does not work.

Am I missing something in Firepower?

@SaintEvn

Do you have NAT exemption rules set up? Without them, traffic could unintentionally be NATed.

If you ping the vlan10 IP address of the FTD from the access switch you would only expect to get a response from vlan10; you cannot be connected to one FTD interface (FTD vlan10) and ping through the FTD to the FTD's far interface (FTD vlan11). This would be denied, by design. You would need to ping through the FTD to a device connected to vlan11 (PC, printer, etc.). Obviously your ACP rules need to permit this.


Run packet-tracer from the CLI and provide the output for review.

Provide a screenshot of your ACP for this traffic.

Provide the output of "show nat detail"

balaji.bandi (Hall of Fame)

Can you post the switch config so we can look at how you configured it?

Is the VLAN Layer 3 on the switch or on the FTD, or both?

BB


I've set up a lab demonstrating my issue. Please help review my configuration.

All the Layer 3 VLANs are on Firepower, and the switch is an L2-only access switch.

Thank you so much

@SaintEvn

You don't have any interfaces configured in VLAN 11 or VLAN 12 on the switch, so I can only assume you are pinging the vlan11 and vlan12 interfaces on the FTD from the switch itself, which would be from VLAN 10. As explained above, that will not work by design.

You need to connect some devices to the switch in VLAN 11 and VLAN 12 with a default gateway of the FTD, and then ping "through" the FTD, not "to" the FTD.

Thank you for your suggestion, but according to my understanding I already have a trunk port configured between the switch and Firepower, and I also configured an allow-any policy. So it should be able to ping from VLAN 10 to the other VLAN interfaces on the FTD. That is what I usually configure in other firewalls and ASA.

But now it is more like when the "ip routing" command is missing on an L3 switch.

I've assigned access ports for VLAN 10, 11 and 12.
Then I tried to ping from a VLAN 10 client to a VLAN 11 client, etc.
But still the same: inter-VLAN routing is not working.

So you've connected a client device to each of VLAN 10, 11 and 12, with the default gateway for the client devices set to the local FTD VLAN interface?

Can each client device ping its own local VLAN interface IP address (default gateway)?

Do you have NAT configured? If yes, you might need a NAT exemption rule.

Run packet-tracer from the CLI of the FTD and provide the output for review.
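An added lab walk-through (not posted by anyone in this thread) that puts the checks suggested above into concrete commands. It assumes a constructed addressing plan: FTD sub-interfaces with nameif vlan10, vlan11 and vlan12 at 10.10.10.1/24, 10.11.11.1/24 and 10.12.12.1/24, a client at 10.10.10.50 in VLAN 10 and one at 10.11.11.50 in VLAN 11; the switch port numbers are likewise made up.

```cisco
! --- Access switch (Cisco IOS, Layer 2 only; constructed lab config) ---
no ip routing                        ! the switch must not route between the VLANs itself
vlan 10,11,12
!
interface GigabitEthernet1/0/1       ! uplink to the FTD physical interface carrying the sub-interfaces
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12
!
interface GigabitEthernet1/0/10      ! client 10.10.10.50, default gateway 10.10.10.1 (FTD vlan10)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/11      ! client 10.11.11.50, default gateway 10.11.11.1 (FTD vlan11)
 switchport mode access
 switchport access vlan 11

! --- FTD CLI checks (run on the FTD itself, not in FMC) ---
! 1. Confirm each sub-interface is up with the expected nameif and address
show interface ip brief
show nameif

! 2. Simulate a ping THROUGH the firewall: VLAN 10 client -> VLAN 11 client.
!    Pinging the far interface instead (10.10.10.50 -> 10.11.11.1) is dropped
!    by design, so it is not a valid test of inter-VLAN routing.
packet-tracer input vlan10 icmp 10.10.10.50 8 0 10.11.11.50
!    Expect ALLOW in every phase; a DROP in the ACCESS-LIST phase points at the
!    ACP, a DROP in a NAT phase at a missing NAT exemption, and a failed
!    ROUTE-LOOKUP at the sub-interface addressing.

! 3. Confirm no NAT rule rewrites the inter-VLAN traffic
show nat detail

! 4. Watch the live ACP verdict for the test host while the ping is running
system support firewall-engine-debug
!    (at the prompts give protocol icmp and client IP 10.10.10.50, leave the rest blank)
```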

Hi,

Yes, each client device can ping its own default gateway, and there is no NAT on Firepower.

I have captured some packets:
- each VLAN client to its respective gateway, and
- the VLAN 10 client to other VLAN clients.

I'm capturing from my lab, so the capture files may be somewhat difficult to view.
Very sorry for that, and thank you so much for helping me.

Are you logging traffic in the ACP rules? If so, check the logs.

You can also run the "system support firewall-engine-debug" command and filter on the source IP address of the computer you are running a ping from. Then run a ping and provide the output from that command.

Do the client devices you are running a ping to/from have a local firewall turned on that could block the ping response?

What was the output of packet-tracer?

No, that's incorrect. The FTD only responds to ICMP traffic sent to the interface that traffic comes in on (vlan10); you cannot send ICMP traffic through an interface to a far interface (vlan11 or vlan12). The same applies to ASA as well. I stated to test communication by pinging "through" the firewall, not "to".

SaintEvn (Level 1)

Thank you all for helping me to solve this issue. I reconfigured all sub-interfaces in Firepower, created an ACP policy and tried to ping from one VLAN client to another VLAN client, and it's working!

Hello, I have the same problem. The ACP is correct, I allow everything, but hosts cannot ping. All networks can connect to FMC and ping the default gateway. What was the problem?
