08-31-2021 09:35 AM
Hello All.
I have an FTD running 6.6.4. - the current interface config:
1. Inside Zone - Interface 10.10.10.1 (network 10.10.0.0)
2. Outside Zone - Interface 10.20.20.248 (network 10.20.20.0)
3. Route - any-ipv4, outside, global, 10.20.20.1, false, 1
Need to add two more interfaces:
1. DMZ Zone - Interface 10.40.40.254 (network 10.40.40.0)
2. DMZ Zone - Interface 10.50.50.254 (network 10.50.50.0)
3. I need routes that will allow data from my inside zone (network 10.10.0.0) to these networks (10.40.40.0 and 10.50.50.0) also.
What would my routes be? I do not have a spare to test with, so I am worried that I will block myself by adding an incorrect route.
Any help would be greatly appreciated.
08-31-2021 09:44 AM
You don't need any additional routes. The firewall is aware of these networks when it has an IP in that new net. But you need to allow this communication in your security-policy.
08-31-2021 09:50 AM
08-31-2021 09:59 AM
The moment the interface is in place and active, traffic should not be routed to outside any more. Without an allow rule, traffic should be dropped.
Are the interfaces active? Do you see them on the CLI with "show interface ip brief", "show route"?
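The point made in the two replies above (a directly connected network needs no static route, because the connected route is more specific than the default route and wins the lookup) is illustrated here with an added example that is not from the thread's posters. It is a small Python simulation of a longest-prefix-match route lookup over the interfaces from the question; it assumes a /16 mask on the inside network and /24 elsewhere (the post gives no masks), and the interface names "dmz1" and "dmz2" are constructed. It also shows the behaviour the second reply describes: before the DMZ interfaces exist, packets for 10.40.40.0 leave via the default route toward the outside gateway; once the interfaces are up, they are routed to the DMZ interface and are subject to the access policy there.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]   # None for a directly connected route
    source: str               # "connected" or "static"

def connected_routes(interfaces: Dict[str, str]) -> List[Route]:
    """Derive the connected routes that a router installs by itself
    as soon as an interface is configured with an IP address in a network."""
    routes = []
    for name, addr in interfaces.items():
        iface = ipaddress.ip_interface(addr)
        routes.append(Route(iface.network, name, None, "connected"))
    return routes

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins, so a
    0.0.0.0/0 default route only catches what no other route covers.
    (Simplification: administrative distance is not modelled.)"""
    address = ipaddress.ip_address(dst)
    candidates = [r for r in table if address in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)

# Interface configuration from the question; masks are assumed (/16 inside, /24 elsewhere).
BEFORE = {"inside": "10.10.10.1/16", "outside": "10.20.20.248/24"}
# Constructed names for the two new DMZ interfaces.
AFTER = dict(BEFORE, dmz1="10.40.40.254/24", dmz2="10.50.50.254/24")
# The existing static default route: any-ipv4 via outside, next hop 10.20.20.1.
DEFAULT = Route(ipaddress.ip_network("0.0.0.0/0"), "outside", "10.20.20.1", "static")

def egress_interface(interfaces: Dict[str, str], dst: str) -> Optional[str]:
    """Name of the interface a packet to dst leaves on, given the
    connected routes for these interfaces plus the default route."""
    table = connected_routes(interfaces) + [DEFAULT]
    route = lookup(table, dst)
    return route.interface if route else None

if __name__ == "__main__":
    for dst in ("10.40.40.5", "10.50.50.9", "10.10.5.5", "8.8.8.8"):
        print(dst, "before:", egress_interface(BEFORE, dst),
                   "after:", egress_interface(AFTER, dst))
```

Running it shows 10.40.40.5 leaving via outside before the DMZ interface exists and via dmz1 afterwards, with Internet-bound traffic still following the default route in both cases; no static route to the DMZ networks is involved at any point, which is why adding the interfaces alone cannot cut off the inside network. On the real box, "show route" lists these connected entries with code C once the interfaces are up.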