888 Views | 10 Helpful | 6 Replies
Passing Layer 3 Traffic Through Transparent Mode FTDv

Dia
Level 1

Hi All,

I am doing a new deployment of Virtual Firepower Threat Defense (FTDv) on ESXi, using ACI as the bridge domain for my infrastructure.

My problem is that the FTDv is running in transparent mode between 2 routers, and these routers will be running iBGP over different links, one of them having the FTDv inline. BGP is not forming over this link, so any idea what could be the reason?

Regards

6 Replies

Dennis Mink
VIP Alumni

BGP requires TCP port 179 to be open between peers. Check on your FW to see if this is allowed.

Please remember to rate useful posts, by clicking on the stars below.

I have a rule to permit any any.

Are you using BGP-authentication? Then you need a workaround:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy10017

Hi Karsten,

Thanks for your feedback, that would help in a later stage, but actually I am in the stage of establishing BGP without authentication between two BGP-speaking routers peering with each other, and no BGP running on the FTD as it is transparent.

Regards

Hi Dia,

I would suggest you change the firewall mode to routed from transparent.

Transparent is more of a headache. You can have the same inline processing of traffic using routed mode with inline pairs, without any need for a BVI interface with an IP and so on.

Afterwards, you can create your own rules to permit TCP 179 between peers plus TCP option 19 for BGP authentication.

Thanks,

Octavian
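Both the bug-search reference above (TCP MD5 authentication needing a workaround on transparent FTD) and Octavian's reply (permit TCP 179 plus TCP option 19) hinge on one question a troubleshooter has to answer from a capture: is the BGP session between the two routers actually carrying the RFC 2385 MD5 signature option (TCP option kind 19), or is it a plain TCP 179 session? The following Python script is an added example, not code from the thread or from Cisco: it parses a raw TCP header, enumerates its options, and flags BGP segments that carry option 19. The sample segments are constructed in the script (the MD5 digest bytes are a placeholder, not a real signature) so it runs offline; on a real capture you would feed it the TCP header bytes of the SYN/SYN-ACK exchange taken on either side of the firewall and compare.

```python
import struct

BGP_PORT = 179
TCP_OPT_END = 0    # end of option list
TCP_OPT_NOP = 1    # no-operation padding
TCP_OPT_MSS = 2    # maximum segment size
TCP_OPT_MD5 = 19   # RFC 2385 TCP MD5 signature (BGP "neighbor ... password")


def parse_tcp_options(opts: bytes):
    """Return a list of (kind, data) tuples from the raw TCP options field."""
    result = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:  # single-byte option, no length field
            result.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad TCP option length {length} for kind {kind}")
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result


def inspect_tcp_segment(segment: bytes):
    """Parse a TCP header (IP header already stripped) and report whether it
    looks like BGP and whether it carries the MD5 signature option."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src_port, dst_port, _seq, _ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (offset_flags >> 12) * 4   # header length in bytes
    flags = offset_flags & 0x1FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    kinds = [k for k, _ in parse_tcp_options(segment[20:data_offset])]
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "syn": bool(flags & 0x02),
        "is_bgp": BGP_PORT in (src_port, dst_port),
        "option_kinds": kinds,
        "tcp_md5": TCP_OPT_MD5 in kinds,
    }


def bgp_uses_md5(segments):
    """True if any BGP segment in the list carries TCP option 19, i.e. the
    peers are using TCP MD5 authentication that a transparent firewall must
    pass through untouched."""
    return any(
        info["is_bgp"] and info["tcp_md5"]
        for info in (inspect_tcp_segment(s) for s in segments)
    )


def build_tcp_header(src_port, dst_port, flags, options=b""):
    """Construct a minimal TCP header with the given options (sample data only)."""
    options = options + b"\x00" * ((-len(options)) % 4)   # pad to 32-bit boundary
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                        (data_offset << 12) | flags, 65535, 0, 0)
    return fixed + options


# Constructed samples: a plain BGP SYN with only an MSS option, and the same
# SYN carrying an MD5 signature option (kind 19, length 18, 16-byte digest).
MSS_OPTION = bytes([TCP_OPT_MSS, 4]) + struct.pack("!H", 1460)
MD5_OPTION = bytes([TCP_OPT_MD5, 18]) + bytes(range(16))   # placeholder digest
SAMPLE_PLAIN_SYN = build_tcp_header(51000, BGP_PORT, 0x02, MSS_OPTION)
SAMPLE_SIGNED_SYN = build_tcp_header(51000, BGP_PORT, 0x02, MSS_OPTION + MD5_OPTION)

if __name__ == "__main__":
    for name, seg in (("plain", SAMPLE_PLAIN_SYN), ("signed", SAMPLE_SIGNED_SYN)):
        print(name, inspect_tcp_segment(seg))
    print("MD5 in use:", bgp_uses_md5([SAMPLE_PLAIN_SYN, SAMPLE_SIGNED_SYN]))
```

If the signed SYN is visible on the router side of the FTDv but the option is missing or the segment never appears on the far side, the session is being broken by option handling rather than by an access rule, which is exactly the case the linked bug and the "permit TCP option 19" advice refer to.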

In transparent mode of the firewall, you need to create bridge groups for the VLANs at both (in/out) sides of the firewall.

Example: configuration on the inside/outside interfaces:

interface TenGigabitEthernet0/6
    vlan 20
    nameif inside
    bridge-group 1
    security-level 100

interface TenGigabitEthernet0/7
    vlan 30
    nameif outside
    bridge-group 1
    security-level 0

Now please configure the "BVI" interface with one IP from the same IP subnet for which you want to pass traffic through the firewall:

interface BVI1
    ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10
(any free IP can be assigned from the subnet)

Now, please allow the interested traffic on the outside interface via an access-list. This will redirect traffic through the transparent firewall.
