Re: Need Assistance with FTD Connectivity to Router

damori.pierce · ‎01-26-2025

I have a setup that I need help connecting.
I got a cisco router and cisco FTD firewall

I’m having trouble connecting them.
the router needs to talk to the FW. It has a static route to the interface of the firewall
the firewall has a single “Allow All” rule for now.

The FW also has a single static route that goes to the outside internet (0.0.0.0 0.0.0.0 10.10.10.10) and a single NAT rule that translates the inside interface to the outside interface.

On the router there is static routes for the outside world (0.0.0.0 0.0.0.0 10.10.10.10) and static routes for the sub-interfaces.

I can ping from my connected computer (it is on a L2 SW connected to port 1 of the router) across to port 1 of the FW but that’s as far as I can get.

I can ping from the FW to port 2 on the router, but I can not ping from the FW to port 1 on the router.

Everything looks right, but i obviously missed something.

MHM Cisco World · ‎01-26-2025

ISP-wan-FTD-Link1-Router

FTD must have default route to ISP using Wan IP

Router must have default route to ftd using link1 IP,

İ see you use same next-hop in both defual route

Also ftd need route to subnet connect to router

MHM

damori.pierce · ‎01-26-2025

Ok I’m about to try that now.

do I need to direct the internal interface to the next hop?

basically:

ip route [internal interface/24] [ISP]

or

ip route [external interface/24] [ISP]

and vise versa to route into the network?

hope that makes sense.

MHM Cisco World · ‎01-26-2025

ISP-wan-FTD-Link1-Router-LAN

Let me list route you need here

FTD

Route 0.0.0.0 0.0.0.0 WAN

Route <LAN> link1

Router

Ip route 0.0.0.0 0.0.0.0 link1

NAT FTD

LAN to WAN

ACL FTD

From LAN to WAN allow

MHM

liviu.gheorghe · ‎01-26-2025

It seems you are missing some static routes on the FW like @MHM Cisco World mentioned. You need to configure static routes on the FW to the connected networks configured on the router:

ip route x.y.z.0 255.255.255.0 <router IP on Link1>

HTH

Regards, LG
*** Please Rate All Helpful Responses ***

damori.pierce · ‎01-26-2025

Check reply to MHM

liviu.gheorghe · ‎01-26-2025

Let's assume the link between FW and router has subnet 10.1.1.0/24 assigned, with the router being 10.1.1.1/24 and FW being 10.1.1.2/24.

Let's also assume that your internal interface on the FW - the one connected to the router - is named inside.

Now if you have another network for example 192.168.1.0/24 connected to the router, then you should configure the following static route on the FW in order to get connectivity from the FW to the 192.168.1.0/24 network:

route inside 192.168.1.0 255.255.255.0 10.1.1.1

You will have to add on the FW all networks that sit behind the router in the way described earlier.

HTH

Regards, LG
*** Please Rate All Helpful Responses ***

liviu.gheorghe · ‎01-26-2025

If you are configuring the FW using FDM GUI, here is a link with the necessary info for static route configuration:

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221611-htz-01-2024-configure-static-routes-wit.html

HTH

Regards, LG
*** Please Rate All Helpful Responses ***

Aref Alsouqi · ‎01-26-2025

Could you please share your sanitized configs of the firewall and the router and a draft diagram showing how all these devices are connected together for review?

damori.pierce · ‎01-26-2025

This is the best I can do without getting into too much detail