Solved: Static Route for Bridge Group on FP 1120

Derek1993 · ‎06-22-2023

Hello Cisco's Community.

I have next configuration. I am using FP 1120 as router and firewall for my Netwrok. I configured Bridge Group for my interfaces on FP 1120 via Firepower Device Manager. All my clients receive IPs vid DHPC

192.168.1.0/24

I want to add Static route for network

10.10.10.0/24 via GateWay IP 192.168.1.19

for this I used Routing--> Static Route-->Interface (Use BridgeGroup)--> Networks

(10.10.10.0/24)-->Gateway (192.168.1.19)-->Metric (100)

--> Save --> Deploy. BUT after this operation my Windows Client eg.

192.168.1.5

doesn't receive route from Cisco FP 1120, I checked it use route print, but there is no any route that I have configured on Cisco FP 1120, and , my client

192.168.1.5 cann't connect to 10.10.10.0/24 network via 192.168.1.19 as Gateway

But when I added route manualy

(route add 10.10.10.0/24 Mask 255.255.255.0 GW 192.168.1.19)

all is fine and my client

192.168.1.5

can connect to

network 10.10.10.0/24

Where is the problem ?? Is it in Bridge Group and I must to configure all of this without Bridge Group ??
Thx!

Derek1993 · ‎06-30-2023

Thx all. The solution - change from Virtual Bridge Group Interface, to deafult interfaces and all static routes work very well !
Thx to ALL

View solution in original post

Flavio Miranda · ‎06-22-2023

Hi @Derek1993

BUT after this operation my Windows Client eg.

192.168.1.5

doesn't receive route from Cisco FP 1120, I checked it use route print, but there is no any route that I have configured on Cisco FP 1120, and , my client

192.168.1.5

cann't connect to

10.10.10.0/24 network via 192.168.1.19 as Gateway

The Windows machine will not receive the route, this is the expected behavior. What you need to do, if you dont want add the route on the windows machine directly , is add the Firewall as the machine gayeways. Go to the windows machine

192.168.1.5

and add the firewall as gateway. The firewall must have IP address on the network

192.168.1.X

right?

Then, as you added the static route on the firewall already, it will work. When you try to reach the IP address

10.10.10.X

from windows machine, the windows machine will send the packet to Firewall and based on the static route you added, the firewall you send the packet to

10.10.10.x

But, if you need to use the

192.168.1.19 as gateway

then, you need to put the

192.168.1.19 as gateway

on the windows machine.

Derek1993 · ‎06-22-2023

"Go to the windows machine

192.168.1.5

and add the firewall as gateway. " But my clients receive IPs from FP 1120 via DHCP and its has already as

default gateway

for all the clients in network

192.168.1.0/24

???

Flavio Miranda · ‎06-23-2023

@Derek1993

Alright. Then, the firewall must be the gateway already.

You should be able to ping from Windows to

10.10.10.x

If you are not, means the firewall can not reach

10.10.10.x

or the device on the network

10.10.10.x

dont know how to reply and need route to

192.168.1.x

Derek1993 · ‎06-23-2023

Yes, BUT Why I can ping (I added static route manual to Windows Box) from My Windows Box

192.168.1.5

(Because I have already configured routes from

Network 10.10.10.0/24 to 192.168.1.0/24

) But via

FP 1120 as Gateway 192.168.1.1

I cann't ping from Windows Box

192.168.1.5 to 10.10.10.0/24

??

Flavio Miranda · ‎06-23-2023

Do you have more than one interface on the Windows box?

Because the behavior your described does not make sense, unless the firewall have no

route to 10.10.10.x

If the firewall have

route to 10.10.10.x

it is the gateway for Windows box and the device

10.10.10.x

knows how to reply to firewall, the ping must work.

Which interface interface does the firewall use to sens traffic to

10.10.10.X

?

They direct connected or do you have others device in between?

Derek1993 · ‎06-23-2023

Hey. Yes sorry for My mistake:
The Box

192.168.1.19

is pfSense firewall for another network. And it has two interfaces:

WAN - 192.168.1.19

received ip via DHCP from

FP 1120 192.168.1.1 - FP 1120 is  Gateway for all network 192.168.1.0/24

and I have already configured pfSense (add NAT and Firewall rules) and its work because I can ping machine behind pfSense LAN

network 10.10.10.0/24

so I have only ONE problem, why my static route on FP 1120 doesn't route traffic from

192.168.1.0/24

when boxes asking

10.10.10.0/24 network

? Are U understandt me ?

Flavio Miranda · ‎06-23-2023

So...you are saying that you topology looks like this one?

The PC and the PfSense is on the Inside interface of the ASA getting IP address from DHCP.

When you add static route on Windows Box pointing to PfSense, you can reach the

network 10.10.10.x

Whe you rely on ASA to send the traffic to PfSense it fails?

Derek1993 · ‎06-23-2023

Yes, When I rely on Firepower 1120 to send traffic to PfSense it fails !

Flavio Miranda · ‎06-23-2023

I am not sure this is going to work.

Your route would look link

route 10.10.10.0 255.255.255.0 192.168.1.19

( If you were using CLI)

But, the

192.168.1.19

is a DHCP ip address and the traffic should return to the same interface it enters.

Why dont use a different interface on the Firepower for PfSense?

Derek1993 · ‎06-23-2023

Hey thx for answer.

I cann't use another interface for pfSense because I have already configured interfaces in FP 1120 as Bridge Group and if I decide to use another interface for pfSense I must to broken all my configuration on the main network

192.168.1.0/24

and change all netwrok topology.
I am also added my route configuration here:

Gateway of last resort is 10.9.61.1 to network 0.0.0.0
S*       0.0.0.0 0.0.0.0 [1/0] via 10.9.61.1, outside
C        10.9.61.0 255.255.255.0 is directly connected, outside
L        10.9.61.70 255.255.255.255 is directly connected, outside
S        10.10.10.0 255.255.255.0 [1/0] via 192.168.1.19, inside_bridge_group
C        192.168.1.0 255.255.255.0 is directly connected, inside_bridge_group
L        192.168.1.1 255.255.255.255 
           is directly connected, inside_bridge_group

Flavio Miranda · ‎06-23-2023

Got it.

Well, I will take a look on the documentation but sounds to me the firewall is not routing toward the inside_bridge_group, although the route was installed.

Derek1993 · ‎06-23-2023

Hey
Thx
I am wainting for your answer, because I must to decide what I must to do next
Thx for your support!

Flavio Miranda · ‎06-23-2023

I thnik I have found the information. they way you did, you use a member interface.

"Static routes—You can configure static routes for the BVI; you cannot configure static routes for the member interfaces. "

Derek1993 · ‎06-24-2023

Sorry for the long responce. Is it mean that I cann't configure static route for bridge group and I must to use static route with simple interface not in Bridge Group ?