10-15-2021 03:23 AM
Hi,
Just a query on this.
We are upgrading from a 5505 to a Firepower 2100 with the ASA platform on it.
Basically I have migrated as much of the config as I can, with a few minor amendments which wouldn't take in the new setup.
We swapped over to the new kit and the connections didn't work. It was to do with the VLANs not getting through (only 2 VLANs on the device).
We made a bridge group which encompassed our inside interfaces and assigned the internal VLAN, which allowed us to communicate, which was great; however our outside connection was not contactable.
All routes were the same and compared.
This is the first time I have had to deal with the new Firepower devices, so any help or advice would be appreciated.
Below is an excerpt of the interfaces on the old device:
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Internal LAN
 nameif inside
 security-level 100
 ip address 172.x.x.x 255.255.255.0
!
interface Vlan2
 description Link to Internet
 nameif outside
 security-level 0
 ip address 10.x.x.x 255.255.255.0
On the new one I had to add sub-interfaces for the VLANs, but this didn't work until we removed them and made a bridge group for the internal side with the interfaces required for this.
10-15-2021 04:48 AM
A Firepower 2100 with ASA image would normally be used with routed interfaces assigned to physical ports - not with VLANs as you had on the 5505. So you would assign Ethernet 1/1 and 1/2 to match the addresses of VLAN 1 and 2 and name them inside and outside respectively.
You didn't say if you are using the switch ports on the 5505 for host computers. That would make a difference as well.
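The routed-port layout this reply describes, written out as an added illustration that is not part of any post in the thread. It carries the 5505's Vlan1/Vlan2 names, security levels and masked addresses over onto Ethernet1/1 and Ethernet1/2 of the 2100. The `x.x.x` octets are the original poster's redaction and stand in for the real addresses; the port mapping (Ethernet0/0 becoming Ethernet1/1, and so on) and the gateway address in the default route are assumptions.

```cisco
! Added example: ASA-on-Firepower-2100 equivalent of the 5505's two VLAN interfaces.
! Physical ports are routed here; no bridge group and no subinterfaces are needed
! as long as the attached switch ports stay access ports.
!
! Inside: formerly "interface Vlan1" on the 5505
interface Ethernet1/1
 description Internal LAN
 nameif inside
 security-level 100
 ip address 172.x.x.x 255.255.255.0
 no shutdown
!
! Outside: formerly "interface Vlan2" on the 5505
interface Ethernet1/2
 description Link to Internet
 nameif outside
 security-level 0
 ip address 10.x.x.x 255.255.255.0
 no shutdown
!
! Default route via the upstream gateway (placeholder next hop, assumed, not from the thread)
route outside 0.0.0.0 0.0.0.0 10.x.x.1 1
```

After applying it, `show interface ip brief` should list both ports as up/up with their addresses, and `show nameif` should show only `inside` and `outside`; a `ping outside <gateway>` from the ASA itself confirms the outside link before any through-traffic is tested.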
10-15-2021 05:17 AM
Hi
What I had done was add Ethernet1/1.1 with the VLAN information which matched the others.
When this happened there were no connections at all.
Ethernet 1 is internal with VLAN 1,
2 is outside with VLAN 2,
and 3 had our core DMZ (VLAN 1 also) attached. These are the only ports being used on the device,
so 0 is now equal to 1/1,
1 is 1/2,
2 is 1/3.
10-15-2021 05:29 AM
If you added Ethernet 1/1.1 then it would tag all traffic for VLAN 1 and require the adjacent switch interface be a trunk port vs. an access port.
I don't understand how VLAN1 is both your internal network and your DMZ.
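What the tagging point above means in configuration terms, as an added example that is not from any post in the thread. The ASA side shows a subinterface on Ethernet1/1 carrying VLAN 1, using the 2100 port numbering from the earlier reply; the switch side is an assumed Cisco IOS port and the port name and native VLAN number are placeholders. One detail worth knowing here: an IOS trunk sends its native VLAN (VLAN 1 by default) untagged, and untagged frames land on the parent interface rather than on the subinterface, so the switch must either move the native VLAN elsewhere, as shown, or tag it.

```cisco
! Added example, not from the thread.
! ASA (Firepower 2100): the parent port carries no IP; the subinterface only accepts
! 802.1Q frames tagged with VLAN 1.
interface Ethernet1/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet1/1.1
 vlan 1
 description Internal LAN (tagged)
 nameif inside
 security-level 100
 ip address 172.x.x.x 255.255.255.0
!
! Adjacent switch port (assumed IOS syntax, placeholder port name): must be a trunk,
! not an access port. Native VLAN moved off VLAN 1 so VLAN 1 frames are sent tagged
! (999 is a placeholder for an otherwise unused VLAN).
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1
```

On the ASA, `show interface Ethernet1/1.1` should show the subinterface up with VLAN 1; on the switch, `show interfaces trunk` should list the port as trunking with native VLAN 999 and VLAN 1 allowed and active. If the subinterface counters stay at zero while the parent's input counter climbs, the frames are arriving untagged.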
10-15-2021 05:32 AM
Hi,
It's not a true DMZ, it's just called a DMZ in our systems. All it does is pass the VLANs from the router to the customer network.
We got the internal network working, so we know how that works now,
but the external for outside traffic is the issue now.
10-15-2021 10:35 AM
For the external connection can you ping:
If that works then we can focus on traffic through the firewall.
10-15-2021 10:49 AM