Re: VLANs not communicating to the internet

isoto · ‎08-04-2022

Hello. I need some help. I just setup a cisco firepower and setup vlans on there. I created the same vlans on the switch, but I cant get vlans to reach out to the internet. The native vlan 1 can, but not any of the others.

Rob Ingram · ‎08-04-2022

@isoto not enough information to help. Please provide the switch configuration of the interface connected to the firewall and screenshots of the relevant configuration of the VLANS and interfaces of the firewall.

Did you create NAT rules for each VLAN network?

isoto · ‎08-04-2022

Rob Ingram · ‎08-04-2022

@isoto create additional NAT rules from each source interface, i.e. src: vlan2 dst: outside

Or (not recommended) you could change the existing source from "inside" to "any" - though it's recommended to create rules for each source interface.

isoto · ‎08-04-2022

I setup port 47 as a trunk

IP_Cartel · ‎08-04-2022

make sure you have a returnable route to 192.168.x.x under the FTD and NAT/ACL.

isoto · ‎08-04-2022

so I can reach the internet on vlan 1, but not from any other vlan

IP_Cartel · ‎08-04-2022

do a sh ip route

isoto · ‎08-04-2022

IP_Cartel · ‎08-04-2022

on the Cisco FP. What do you have routes going back to the switch? You should have routes going back to the switch. You need something like this. You can send back all the RFC1918 addresses to the switch.

10.0.0.0/8 192.168.1.2

172.16.0.0/16 192.168.1.2

192.168.0.0/16 192.168.1.2

etc....

192.168.2.0 255.255.255.0 192.168.1.2 means 192.168.2.0/24 192.168.1.2

Reference this: https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v60_chapter_01100100.html

isoto · ‎08-04-2022

I only have the one static route going to the outside internet. If I need to set the return route why do you believe that the 192.168.1.1 network can reach the internet. Is there a route built in that I am not seeing?

IP_Cartel · ‎08-04-2022

You need to have from the FP send back the routes to the RFC1918 addresses. In your case you are using 192.168.2.0, 192.168.3.0, and 192.18.95.0. Your NATS also need to allow these addresses out, but just for the sake of local ICMP work with the returnable routes to the switch. Send the RFC1918s back to the switch.

Once you get the replies with the local addresses then move onto the NAT rules.

isoto · ‎08-04-2022

The firewall has been able to ping the interfaces of the switch

and the nat rule i just changes to "any" to "outside" and I am still not able to reach the internet from the vlans other than vlan 1

isoto · ‎08-04-2022

Doesnt seem like i can create a static route for that those vlans

IP_Cartel · ‎08-04-2022

Do this:

Step 1	Choose Devices > Device Management, and edit the FTD device.
Step 2	Click Routing.
Step 3	Select Static Route.
Step 4	Click Add Routes. These are the 192.1668.x.x addresses
Step 5	Click IPv4
Step 6	Choose the Interface to which this static route applies. For transparent mode, choose a bridge group member interface name. INSIDE
Step 7	In the Available Network list, choose the destination network.
Step 8	In the Gateway or IPv6 Gateway field, enter or choose the gateway router which is the next hop for this route. You can provide an IP address or a Networks/Hosts object. SWITCH address