5045 Views, 5 Helpful, 40 Replies

Static Route for Bridge Group on FP 1120

Derek1993 (Level 1)

Hello Cisco Community.

I have the following configuration. I am using an FP 1120 as router and firewall for my network. I configured a Bridge Group for my interfaces on the FP 1120 via Firepower Device Manager. All my clients receive IPs via DHCP in 192.168.1.0/24.

I want to add a static route for network 10.10.10.0/24 via gateway IP 192.168.1.19.

For this I used Routing --> Static Route --> Interface (Use BridgeGroup) --> Networks (10.10.10.0/24) --> Gateway (192.168.1.19) --> Metric (100) --> Save --> Deploy. BUT after this operation my Windows client, e.g. 192.168.1.5, doesn't receive the route from the Cisco FP 1120. I checked it using route print, but there is no route that I have configured on the Cisco FP 1120, and my client 192.168.1.5 can't connect to the 10.10.10.0/24 network via 192.168.1.19 as gateway.

But when I added the route manually (route add 10.10.10.0/24 Mask 255.255.255.0 GW 192.168.1.19), all is fine and my client 192.168.1.5 can connect to network 10.10.10.0/24.

Where is the problem?? Is it in the Bridge Group, and must I configure all of this without a Bridge Group??
Thx!
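The first thing the post runs into is that a static route entered on the FP 1120 only changes the firewall's own forwarding table; nothing on the firewall pushes it into the Windows client's table, which is why route print never shows it. The standard way to hand a route to DHCP clients is DHCP option 121, Classless Static Route (RFC 3442), and Windows clients honour it. The encoder/decoder below is an added example, not code from the original post or from Cisco. It assumes the DHCP server serving 192.168.1.0/24 can emit raw option bytes; the thread does not show whether the FDM DHCP server can, so if it cannot, the option would have to come from another DHCP server. The THREAD_ROUTES list is built from the addresses in the post.

```python
"""
DHCP option 121 (Classless Static Route, RFC 3442) encoder/decoder.

Added example for this thread, not code from the original post or from
Cisco. Assumption: the DHCP server for 192.168.1.0/24 can send raw option
bytes (not confirmed for the FDM DHCP server in the thread).
"""
import ipaddress

OPTION_CODE = 121


def encode_route(dest: str, gateway: str) -> bytes:
    """Encode one route as RFC 3442 does: prefix length, then only the
    significant octets of the destination, then the 4-byte gateway."""
    net = ipaddress.IPv4Network(dest, strict=True)
    gw = ipaddress.IPv4Address(gateway)
    significant = (net.prefixlen + 7) // 8   # /0 -> 0 octets, /24 -> 3, /32 -> 4
    return bytes([net.prefixlen]) + net.network_address.packed[:significant] + gw.packed


def encode_option121(routes) -> bytes:
    """Build the full option (code, length, payload). RFC 3442 says a client
    that receives option 121 ignores option 3 (Router), so the default route
    must be included here too, or the clients lose their gateway."""
    if not any(ipaddress.IPv4Network(d).prefixlen == 0 for d, _ in routes):
        raise ValueError("include the default route (0.0.0.0/0) in option 121")
    payload = b"".join(encode_route(d, g) for d, g in routes)
    if len(payload) > 255:
        raise ValueError("option payload exceeds 255 bytes; split into multiple options")
    return bytes([OPTION_CODE, len(payload)]) + payload


def decode_option121(option: bytes):
    """Parse an option 121 TLV back into (destination, gateway) pairs,
    rejecting truncated or malformed input instead of guessing."""
    if len(option) < 2 or option[0] != OPTION_CODE:
        raise ValueError("not a DHCP option 121")
    length = option[1]
    body = option[2:2 + length]
    if len(body) != length:
        raise ValueError("option truncated")
    routes = []
    i = 0
    while i < len(body):
        plen = body[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(body):
            raise ValueError("route entry truncated")
        dest = body[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        gw = body[i:i + 4]
        i += 4
        routes.append((str(ipaddress.IPv4Network((dest, plen))),
                       str(ipaddress.IPv4Address(gw))))
    return routes


# Routes taken from the post: the OP's 10.10.10.0/24 via the pfSense WAN
# address, plus the default route via the FP 1120 itself (required, see above).
THREAD_ROUTES = [("10.10.10.0/24", "192.168.1.19"), ("0.0.0.0/0", "192.168.1.1")]

if __name__ == "__main__":
    opt = encode_option121(THREAD_ROUTES)
    print(opt.hex())
    print(decode_option121(opt))
```

The encoder refuses to build an option without a default route on purpose: a client that accepts option 121 discards option 3, so a server that sends only the 10.10.10.0/24 entry would leave 192.168.1.5 without any gateway at all.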

40 Replies

Hi

Well, I have found some information that points toward this direction. It seems that for Routed mode you must use the BVI as gateway, while in transparent mode you cannot specify the BVI as gateway.

Which means, in your scenario, 192.168.1.1 cannot be the gateway for the Windows box. It must be something else, and in your case you need to use the pfSense as your gateway.

I don't know why you decided to use the firewall in transparent mode, but you need to understand that by doing that, the firewall will not be your gateway for the traffic coming from the inside network.

Guidelines for Static Routing

Bridge Groups

  • In routed mode, you must specify the BVI as the gateway; you cannot specify the member interface.

"In transparent mode, do not specify the BVI IP address as the default gateway for connected devices; devices need to specify the router on the other side of the Firepower device as the default gateway."

But, if you ever need to add a static route on the firewall in transparent mode, you need to use a bridge group member as the gateway and not the BVI.

Instead of:

S 10.10.10.0 255.255.255.0 [1/0] via 192.168.1.19, inside_bridge_group

It should be:

S 10.10.10.0 255.255.255.0 [1/0] via 192.168.1.19, inside_1_x

Guidelines for Static and Default Routes

Firewall Mode and Bridge Groups

  • In transparent mode, static routes must use the bridge group member interface as the gateway; you cannot specify the BVI.

Hey there
Ok, BUT my FP 1120 is configured in Routed Mode, not Transparent!

If you set up 192.168.1.1 as gateway for Windows, can you use the internet or access resources on the outside interface?

 

Yes, I can use the Internet via the outside interface, and yes, I can access resources on the outside interface. And ONE MORE thing: all clients in 192.168.1.0/24 use the FP 1120 192.168.1.1 as gateway; they receive this option via DHCP, which is configured on the FP 1120 (192.168.1.1).

Got it.

It seems the firewall is not routing the packet back on the same interface it received it on.

I did a lab in Packet Tracer, which is very limited in many functionalities, but the result is the same. If I use the firewall as gateway for the machine and try to send the packet back to network 192.168.1.0, it does not work.

There might be some trick, or it may not be possible.

There is a similar thread here in the forum with a proposed solution:

https://community.cisco.com/t5/network-security/allowing-entry-and-exit-of-a-packet-through-the-same-interface/td-p/1899044

You may take a look.

Ok, checked. Thx, but it doesn't work for me.

 

Is the FPR assigning IPs to the clients as DHCP server?

Yes, the FPR assigns IPs to the clients as DHCP server.

I'm not sure I understand your issue here, but I think you are missing the BVI (bridge group interface) config.

This BVI ROUTES traffic from the bridge group to the other routed ports in the FPR, and you can use it as next-hop for any static route toward the FPR.

Hey. Yes, sorry for my mistake:
The box 192.168.1.19 is a pfSense firewall for another network. It has two interfaces:

WAN - 192.168.1.19, which received its IP via DHCP from the FP 1120 192.168.1.1; the FP 1120 is the gateway for the whole network 192.168.1.0/24.

And I have already configured pfSense (added NAT and firewall rules) and it works, because I can ping machines behind the pfSense LAN, network 10.10.10.0/24.

So I have only ONE problem: why does my static route on the FP 1120 not route traffic from 192.168.1.0/24 when boxes ask for the 10.10.10.0/24 network? Do you understand me?

Can I see

show ip interface
show route

of the FPR?

Derek1993 (Level 1)
show route
Gateway of last resort is 10.9.61.1 to network 0.0.0.0
S*       0.0.0.0 0.0.0.0 [1/0] via 10.9.61.1, outside
C        10.9.61.0 255.255.255.0 is directly connected, outside
L        10.9.61.70 255.255.255.255 is directly connected, outside
S        10.10.10.0 255.255.255.0 [1/0] via 192.168.1.19, inside_bridge_group
C        192.168.1.0 255.255.255.0 is directly connected, inside_bridge_group
L        192.168.1.1 255.255.255.255 is directly connected, inside_bridge_group
===========================================================
show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
Ethernet1/1              outside                10.9.61.77      255.255.255.0   DHCP  
Ethernet1/2              inside_1_2             192.168.1.1    255.255.255.0   manual
Ethernet1/3              inside_1_3             192.168.1.1    255.255.255.0   manual
Ethernet1/4              inside_1_4             192.168.1.1    255.255.255.0   manual
Ethernet1/5              inside_1_5             192.168.1.1    255.255.255.0   manual
BVI1                     inside_bridge_group    192.168.1.1    255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
Ethernet1/1              outside                10.9.60.70      255.255.255.0   DHCP  
Ethernet1/2              inside_1_2             192.168.1.1    255.255.255.0   manual
Ethernet1/3              inside_1_3             192.168.1.1    255.255.255.0   manual
Ethernet1/4              inside_1_4             192.168.1.1    255.255.255.0   manual
Ethernet1/5              inside_1_5             192.168.1.1    255.255.255.0   manual
BVI1                     inside_bridge_group    192.168.1.1    255.255.255.0   manual
===========================================================
show interface
Interface Ethernet1/1 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	MAC address 4006.d585.ffa4, MTU 1500
	IP address 10.9.61.70, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
	2000330 packets input, 1869946741 bytes
	1196265 packets output, 250871661 bytes
	69511 packets dropped
      1 minute input rate 128 pkts/sec,  100091 bytes/sec
      1 minute output rate 91 pkts/sec,  14058 bytes/sec
      1 minute drop rate, 1 pkts/sec
      5 minute input rate 315 pkts/sec,  385572 bytes/sec
      5 minute output rate 180 pkts/sec,  55798 bytes/sec
      5 minute drop rate, 1 pkts/sec
Interface Ethernet1/2 "inside_1_2", is up, line protocol is up
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	MAC address 4006.d585.ffa5, MTU 1500
	IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside_1_2":
	1096507 packets input, 196343029 bytes
	1542111 packets output, 1392885898 bytes
	46053 packets dropped
      1 minute input rate 40 pkts/sec,  7019 bytes/sec
      1 minute output rate 85 pkts/sec,  88498 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 177 pkts/sec,  50267 bytes/sec
      5 minute output rate 298 pkts/sec,  366006 bytes/sec
      5 minute drop rate, 1 pkts/sec
Interface Ethernet1/3 "inside_1_3", is up, line protocol is up
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	MAC address 4006.d585.ffa6, MTU 1500
	IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside_1_3":
	366301 packets input, 91774084 bytes
	624295 packets output, 528602471 bytes
	12822 packets dropped
      1 minute input rate 67 pkts/sec,  9467 bytes/sec
      1 minute output rate 97 pkts/sec,  76422 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 19 pkts/sec,  13982 bytes/sec
      5 minute output rate 31 pkts/sec,  27899 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet1/4 "inside_1_4", is down, line protocol is down
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	MAC address 4006.d585.ffa7, MTU 1500
	IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside_1_4":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	31170 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet1/5 "inside_1_5", is down, line protocol is down
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	MAC address 4006.d585.ffa8, MTU 1500
	IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside_1_5":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	31170 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet1/6 "", is admin down, line protocol is down
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	Available but not configured via nameif
Interface Ethernet1/7 "", is admin down, line protocol is down
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	Available but not configured via nameif
Interface Ethernet1/8 "", is admin down, line protocol is down
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	Available but not configured via nameif
Interface Ethernet1/9 "", is admin down, line protocol is down
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	Available but not configured via nameif
Interface Ethernet1/10 "", is admin down, line protocol is down
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	Available but not configured via nameif
Interface Ethernet1/11 "", is admin down, line protocol is down
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	Available but not configured via nameif
Interface Ethernet1/12 "", is admin down, line protocol is down
  Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
	Available but not configured via nameif
Interface Management1/1 "diagnostic", is up, line protocol is up
  Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec
	Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
	Input flow control is unsupported, output flow control is unsupported
	MAC address 4006.d585.ff81, MTU 1500
	IP address unassigned
	38992 packets input, 13335264 bytes, 0 no buffer
	Received 0 broadcasts, 0 runts, 0 giants
	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
	0 pause input, 0 resume input
	0 L2 decode drops, 0 demux drops
	109 packets output, 64310 bytes, 0 underruns
	0 pause output, 0 resume output
	0 output errors, 0 collisions, 12 interface resets
	0 late collisions, 0 deferred
	0 input reset drops, 0 output reset drops
	input queue (blocks free curr/low): hardware (0/0)
	output queue (blocks free curr/low): hardware (0/0)
  Traffic Statistics for "diagnostic":
	0 packets input, 0 bytes
	0 packets output, 0 bytes
	0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
	Management-only interface. Blocked 0 through-the-device packets

Interface BVI1 "inside_bridge_group", is up, line protocol is up
	MAC address N/A, MTU 1500
	IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for BVI1:
	0 packets input, 0 bytes
	117733 packets output, 3464219 bytes
	0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 1 pkts/sec,  55 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 1 pkts/sec,  60 bytes/sec
      5 minute drop rate, 0 pkts/sec
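The routing table above shows the condition the replies keep circling around. The client 192.168.1.5, the BVI 192.168.1.1 and the pfSense WAN 192.168.1.19 all sit in 192.168.1.0/24 on inside_bridge_group, so a packet from the client to 10.10.10.0/24 enters the firewall on that bridge group and would have to leave on the same bridge group (a hairpin), and the reply from 192.168.1.19 back to 192.168.1.5 is on-link and never passes the firewall. A stateful firewall that sees only one direction of a TCP connection cannot complete the handshake state for it. The client-side route the OP added avoids the firewall entirely, which is why it works. The checker below is an added example, not code from the thread or from Cisco: it parses the show route output exactly as posted (the format is assumed to be the ASA/FTD one shown), does the longest-prefix lookup the forwarding engine does, and flags the hairpin and the bypassed return path. Whether this FTD is configured to forward hairpinned traffic at all is a separate question the thread does not settle.

```python
"""
Route lookup and hairpin check over an ASA/FTD "show route" table.

Added example, not from the thread or from Cisco. The parser assumes the
show route format posted in this thread; the hairpin/asymmetry check is
generic.
"""
import ipaddress
import re

# Copied from the "show route" output posted in this thread.
SHOW_ROUTE = """\
Gateway of last resort is 10.9.61.1 to network 0.0.0.0
S*       0.0.0.0 0.0.0.0 [1/0] via 10.9.61.1, outside
C        10.9.61.0 255.255.255.0 is directly connected, outside
L        10.9.61.70 255.255.255.255 is directly connected, outside
S        10.10.10.0 255.255.255.0 [1/0] via 192.168.1.19, inside_bridge_group
C        192.168.1.0 255.255.255.0 is directly connected, inside_bridge_group
L        192.168.1.1 255.255.255.255 is directly connected, inside_bridge_group
"""

# One route line: code, network, mask, then either "[ad/metric] via <nh>," or
# "is directly connected,", then the interface name.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+),|is directly connected,)\s+"
    r"(?P<iface>\S+)\s*$"
)


def parse_show_route(text: str):
    """Return a list of route dicts; header lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "code": m["code"],
            "net": ipaddress.IPv4Network((m["net"], m["mask"]), strict=False),
            "next_hop": m["nh"],          # None for connected (C) and local (L) routes
            "iface": m["iface"],
        })
    return routes


def lookup(routes, address: str):
    """Longest-prefix match, as the forwarding engine does."""
    ip = ipaddress.IPv4Address(address)
    best = None
    for r in routes:
        if ip in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


def analyze_path(routes, src: str, dst: str) -> dict:
    ingress = lookup(routes, src)   # interface the packet arrives on
    egress = lookup(routes, dst)    # interface it must leave on
    if ingress is None or egress is None:
        return {"routed": False, "hairpin": False, "reply_bypasses_firewall": False}
    hairpin = ingress["iface"] == egress["iface"]
    nh = egress["next_hop"]
    # If src and the next hop share a connected subnet, the next hop answers src
    # directly over the LAN, so the firewall sees only one direction of the flow.
    reply_bypasses = (
        hairpin and nh is not None and ingress["next_hop"] is None
        and ipaddress.IPv4Address(nh) in ingress["net"]
    )
    return {
        "routed": True,
        "ingress": ingress["iface"],
        "egress": egress["iface"],
        "next_hop": nh,
        "hairpin": hairpin,
        "reply_bypasses_firewall": reply_bypasses,
    }


ROUTES = parse_show_route(SHOW_ROUTE)

if __name__ == "__main__":
    for dst in ("10.10.10.5", "8.8.8.8"):
        print(dst, analyze_path(ROUTES, "192.168.1.5", dst))
```

For 192.168.1.5 to 10.10.10.5 the check reports hairpin and reply_bypasses_firewall; for the same client to 8.8.8.8 it reports a normal inside-to-outside path. The two clean ways out are to give the clients the route directly (DHCP option 121, or a persistent route on each host) so the firewall is not in the path at all, or to move the pfSense WAN onto its own FTD interface so that both directions of the flow cross the firewall.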

Derek1993 (Level 1)

Hey. Added files, check please.

Sorry, it is not clear, but:

pfSense, the FPR and the client share the same subnet, 192.168.1.0/24.

The client uses the GW pushed via DHCP.

Now the subnet 10.10.10.0/24 can be reached from the FPR via the default route.

Is this correct so far?

The only thing that could cause an issue here is that the client doesn't have the correct GW (it must be the FPR IP), or the subnet is incorrect between the DHCP network and the FPR interface IP.