524 Views · 4 Helpful · 9 Replies

2 Firepower 1120 Firewalls connected to a layer-2 switch

juandcc2014
Level 1

Hello.

I am working with 2 Firepower 1120 firewalls, which are connected to a 5-port layer-2 switch through their "outside" (Ethernet1/1) interfaces, each with an IP address of the form 192.168.1.x with a subnet mask of 255.255.255.0. On that same switch, I have a computer with the same IP format of 192.168.1.x, 255.255.255.0, but no default gateway specified. The static routes for each firewall's "inside" interface are already set so that they can ping devices beyond the "inside" interface. But I am not sure how to modify the firewall or the computer so that the computer connected to the switch is able to ping the devices on the "inside" interfaces of each of the 2 firewalls. Here is the network view:

(attached image: juandcc2014_0-1740769151140.png, network diagram)


9 Replies

Hello @juandcc2014,

In order for the computer connected to the switch to be able to ping the devices on the "inside" interfaces of each of the 2 firewalls, you have to configure a few things on the firewalls:

1. configure a static NAT for a device on the inside to be visible on the outside with an IP address from 192.168.1.0/24 - for example, the inside host 172.32.2.22 will be NAT-ed to 192.168.1.22

2. configure an ACL on the firewalls permitting icmp traffic from 192.168.1.45 to 172.32.2.22

If the PC 192.168.1.45 wants to ping inside host 172.32.2.22, it will have to ping the NAT-ed IP address which is 192.168.1.22

HTH 

Regards, LG
*** Please Rate All Helpful Responses ***

So this NAT solution will work despite the computer not having a default gateway configured?

Yes, because you are pinging an address on the same subnet as the PC. The PC sees that the destination is on the local subnet and it uses ARP for the destination MAC address.

If the destination address were not on the local subnet, then the PC would need a default gateway configured.

Regards, LG
*** Please Rate All Helpful Responses ***

I have been doing some research, and found something about ARP Proxy. Is there a configuration for ARP Proxies on Firepower 1120?

If you use addresses on the same network as the destination (mapped) interface, like in your case with suggested static NAT configured, the FTD device uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the FTD device does not have to be the gateway for any additional networks.

Regards, LG
*** Please Rate All Helpful Responses ***

Let me see if I understand this:

I would need to use NAT so that there is a mapping of 1 "outside" (NAT-ed) IP address and 1 "inside" IP address. If this is correct, let me ask some questions:

- Would I need more NAT mappings if the number of devices on the "inside" network of the 2 firewalls were big? That is, 1 static NAT for every IP address of a device in the "inside" network of the 2 firewalls?

- Your solution seems very good. However, I am required to explicitly address the "inside" IP addresses rather than a NAT-ed 192.168... address. Is there a way for the PC on the "outside" interface to explicitly use the 172.21.32.22 address in its pings rather than the NAT-ed address of 192.168.1.22?

@juandcc2014 wrote:

Let me see if I understand this:

I would need to use NAT so that there is a mapping of 1 "outside" (NAT-ed) IP address and 1 "inside" IP address. If this is correct, let me ask some questions:

Yes

- Would I need more NAT mappings if the number of devices on the "inside" network of the 2 firewalls were big? That is, 1 static NAT for every IP address of a device in the "inside" network of the 2 firewalls?

Yes, you need a static NAT for every inside host you want to access from the outside interface of the firewall

- Your solution seems very good. However, I am required to explicitly address the "inside" IP addresses rather than a NAT-ed 192.168... address. Is there a way for the PC on the "outside" interface to explicitly use the 172.21.32.22 address in its pings rather than the NAT-ed address of 192.168.1.22?


If your requirement is to use the IP address of the inside hosts, then you will only need an ACL on the firewalls permitting icmp traffic from 192.168.1.45 to 172.32.2.0/24 and from 192.168.1.45 to 172.33.2.0/24. You will also need static routes on the PC to direct traffic for 172.32.2.0/24 to 192.168.1.25 and for 172.33.2.0/24 to 192.168.1.35.

Regards, LG
*** Please Rate All Helpful Responses ***

Got it. I have the ACLs set up so that ICMP traffic is allowed from 192.168.1.45 to 172.32.2.0/24, as well as to 172.33.2.0/24. As for the static routes on the PC in order to explicitly address "inside" IPs, is there another way besides static routes on the "outside" PC? That was a potential solution I had in mind, but I wondered if there were any others.

In this case, static routing on the PC seems the practical choice.

Of course, there could be other more exotic solutions like running a dynamic routing protocol between the PC and the firewalls, but that is not practical at all.

Regards, LG
*** Please Rate All Helpful Responses ***
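As an added illustration of the reasoning in LG's replies above (pinging the NAT-ed 192.168.1.22 works with no default gateway because the PC ARPs directly and the FTD proxy-ARPs for the mapped address; reaching the real 172.32.2.x / 172.33.2.x addresses needs one static route per inside subnet pointing at the right firewall; the ACL permits only ICMP), here is a small Python model of those forwarding decisions. It is not code from this thread, from Cisco or from FTD; the firewall names FW-A and FW-B, the inside host 172.33.2.7, the /32 ACL source entries and all class and function names are assumptions made for the example. The other addresses are the ones LG used.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Host:
    """A PC with a connected subnet, optional static routes and optional default gateway."""
    ip: IPv4
    connected: Net
    static_routes: Dict[Net, IPv4] = field(default_factory=dict)  # network -> gateway
    default_gw: Optional[IPv4] = None

    def next_hop(self, dst: IPv4) -> Optional[Tuple[str, IPv4]]:
        # Longest-prefix match, as a host routing table does it.
        # ("direct", dst): dst is on the local subnet, the PC ARPs for dst itself.
        # ("via", gw):     a static or default route supplies the gateway to ARP for.
        # None:            no route at all (no matching static route, no default gateway).
        if dst in self.connected:
            return ("direct", dst)
        matches = [(net, gw) for net, gw in self.static_routes.items() if dst in net]
        if matches:
            _net, gw = max(matches, key=lambda m: m[0].prefixlen)
            return ("via", gw)
        if self.default_gw is not None:
            return ("via", self.default_gw)
        return None


@dataclass
class Firewall:
    """One firewall: outside address, inside subnet, static NAT table and ACL.
    ACL entries are (source net, destination net, protocol) and are checked
    against the real (untranslated) inside address."""
    name: str
    outside_ip: IPv4
    inside_net: Net
    static_nat: Dict[IPv4, IPv4] = field(default_factory=dict)  # mapped -> real
    acl: List[Tuple[Net, Net, str]] = field(default_factory=list)

    def answers_arp_for(self, addr: IPv4) -> bool:
        # Proxy ARP as described in the thread: the firewall answers for its own
        # outside address and for every static-NAT mapped address on that subnet.
        return addr == self.outside_ip or addr in self.static_nat

    def forward(self, src: IPv4, dst: IPv4, proto: str) -> str:
        real = self.static_nat.get(dst, dst)  # untranslate if dst is a mapped address
        if real not in self.inside_net:
            return f"{self.name}: no route to {dst} (not an inside host of this firewall)"
        if not any(src in s and real in d and proto == p for s, d, p in self.acl):
            return f"{self.name}: denied by ACL ({proto} {src} -> {real})"
        return f"{self.name}: delivered to {real}"


def trace(pc: Host, firewalls: List[Firewall], dst: str, proto: str = "icmp") -> str:
    """Follow one packet from the PC to whichever firewall picks it up on the segment."""
    d = IPv4(dst)
    hop = pc.next_hop(d)
    if hop is None:
        return f"PC: no route to {d} (no static route and no default gateway)"
    _kind, arp_target = hop
    fw = next((f for f in firewalls if f.answers_arp_for(arp_target)), None)
    if fw is None:
        return f"PC: no ARP reply for {arp_target} on the local segment"
    return fw.forward(pc.ip, d, proto)


# Constructed topology following the thread: PC 192.168.1.45/24 with no gateway,
# FW-A outside 192.168.1.25 / inside 172.32.2.0/24, FW-B outside 192.168.1.35 /
# inside 172.33.2.0/24. Only FW-A carries the static NAT from option 1.
PC_IP = IPv4("192.168.1.45")
LAN = Net("192.168.1.0/24")
FW_A = Firewall("FW-A", IPv4("192.168.1.25"), Net("172.32.2.0/24"),
                static_nat={IPv4("192.168.1.22"): IPv4("172.32.2.22")},
                acl=[(Net("192.168.1.45/32"), Net("172.32.2.0/24"), "icmp")])
FW_B = Firewall("FW-B", IPv4("192.168.1.35"), Net("172.33.2.0/24"),
                acl=[(Net("192.168.1.45/32"), Net("172.33.2.0/24"), "icmp")])
FIREWALLS = [FW_A, FW_B]

# Option 1: PC without any routes pings the NAT-ed address.
pc_no_routes = Host(PC_IP, LAN)
# Option 2: one static route per inside subnet, each pointing at the matching firewall.
pc_with_routes = Host(PC_IP, LAN, static_routes={
    Net("172.32.2.0/24"): IPv4("192.168.1.25"),
    Net("172.33.2.0/24"): IPv4("192.168.1.35"),
})

if __name__ == "__main__":
    for pc, dst, proto in [(pc_no_routes, "192.168.1.22", "icmp"),
                           (pc_no_routes, "172.32.2.22", "icmp"),
                           (pc_with_routes, "172.32.2.22", "icmp"),
                           (pc_with_routes, "172.33.2.7", "icmp"),
                           (pc_with_routes, "172.32.2.22", "tcp")]:
        print(f"{dst:14} {proto:5} -> {trace(pc, FIREWALLS, dst, proto)}")
```

The last case shows why the ICMP-only ACL matters: with the routes in place the PC can reach every inside host, so the ACL is the only thing limiting that reach to ping. A route for 172.33.2.0/24 that mistakenly points at 192.168.1.25 ends at FW-A with "not an inside host", which is the symptom to look for when one subnet answers and the other does not. Assuming a Linux PC, the two routes from option 2 are `ip route add 172.32.2.0/24 via 192.168.1.25` and `ip route add 172.33.2.0/24 via 192.168.1.35`; on Windows the equivalent is `route -p add 172.32.2.0 mask 255.255.255.0 192.168.1.25` and likewise for 172.33.2.0 (the operating system of the PC is not stated in the thread).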