Problem with a simple route

Giuseppe9
Level 1

Hello,

I'm having trouble with a simple network on my ASA 5505

I have 2 VLANs: inside, outside

vlan1 has network 192.168.1.0 255.255.255.0

vlan2 has network 192.168.2.0 255.255.255.0

Gateway IP: 192.168.2.200

 

Interfaces are connected like:

Router -> VLAN vlan2 -> Firewall -> VLAN (vlan1, vlan2)

 

If I connect something to VLAN vlan2 it works, but if I connect to vlan1 it can't reach the vlan2 devices, but only the vlan1 devices.

I tried setting both to Security level 0, enabling the traffic on same security level and same interface.

I also tried to create a route from 192.168.1.0/24 to 192.168.2.200, but nothing.

 

What should I do?

Maybe I'm misunderstanding how routes work...

 

Doing a ping, this is what I get:
6    May 22 2018    21:37:14        192.168.1.4    28322    192.168.2.202    0    Built inbound ICMP connection for faddr 192.168.1.4/28322 gaddr 192.168.2.202/0 laddr 192.168.2.202/0

5 Replies

Hi,

 

Did you add "same-security-traffic permit inter-interface" or "same-security-traffic permit intra-interface" when you check putting them at the same security level?

 

HTH,

Meheretab

Yes, I tried both

Hello,

 

Post the config of your ASA... you are probably missing something small.

cofee
Level 5

Hi,

Did you try to establish any other traffic besides ICMP, like telnet or SSH? ICMP packets can sometimes be tricky for testing connectivity through a firewall, even with the features you have already tried.

 

By default ICMP is not monitored by the firewall, so even though ICMP packets can traverse from inside to outside, the return traffic will be dropped at the outside interface. Without changing the default security levels, try allowing ICMP at the outside interface, or simply enable telnet or SSH on the router and try accessing it from an inside host; for TCP to work, you don't need to create any ACLs, since this is monitored and allowed by the firewall from a higher to a lower security interface.

 

You can try debugging on the router to make sure the traffic sourced from inside is reaching it.

 

The other firewall utility I would suggest is packet tracer; the syntax is below:

 

packet-tracer input inside tcp x.x.x.x 23456 x.x.x.x 22   (replace "inside" with whatever name you are using for your source interface)

 

This will tell you whether the traffic is allowed or not, and if not, where it is getting blocked.

 

Hope this helps.
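As an added example (not the poster's configuration and not taken from any reply in the thread), here is the ASA 5505 routed-mode layout the advice above implies, with ICMP inspection enabled and the packet-tracer check for the exact flow in the poster's log; the ASA's own interface addresses (192.168.1.1 and 192.168.2.1) are assumed, and the return-path note at the end is an assumption about the cause, not something the thread states.

```cisco
! Added example, not the poster's configuration: minimal ASA 5505 routed-mode
! layout for the two VLANs in the question. The ASA's own addresses
! (192.168.1.1 and 192.168.2.1) are assumed; 192.168.2.200 is the upstream
! router from the post.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
! Default route toward the upstream router on vlan2.
route outside 0.0.0.0 0.0.0.0 192.168.2.200 1
!
! No static route is needed for 192.168.1.0/24 or 192.168.2.0/24: both are
! directly connected, so the ASA routes between them as long as policy allows.
!
! inside (100) -> outside (0) is permitted by default, but ICMP is not
! tracked statefully unless it is inspected, so echo replies from vlan2 are
! dropped on return. Inspection lets the reply match the outbound request.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Only needed if both interfaces are kept at the same security level, as the
! poster tried; irrelevant once inside is 100 and outside is 0.
same-security-traffic permit inter-interface
!
! Verify the policy path for the flow in the poster's log (echo request,
! type 8 code 0) before looking anywhere else:
! packet-tracer input inside icmp 192.168.1.4 8 0 192.168.2.202
!
! Return-path caveat (assumption, not stated in the thread): hosts on vlan2
! and the router at 192.168.2.200 must have a route for 192.168.1.0/24 via
! 192.168.2.1, otherwise their replies are sent to the wrong gateway and the
! ASA never sees them, even though it logged the outbound connection.
```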

 

Fotiosmark
Level 1

Hi,

 

For 2 VLANs to communicate with each other there needs to be a router!

Does the FTD work in Routed mode or Transparent?

If it's in routed mode you need to bridge these 2 VLANs.

Routed

Each Layer 3 routed interface (or subinterface) requires an IP address on a unique subnet. You would typically attach these interfaces to switches, a port on another router, or to an ISP/WAN gateway.

You can assign a static address, or you can obtain one from a DHCP server. However, if the DHCP server provides an address on the same subnet as a statically-defined interface on the device, the system will disable the DHCP interface. If an interface that uses DHCP to get an address stops passing traffic, check whether the address overlaps the subnet for another interface on the device.

Bridged

A bridge group is a group of interfaces that the Firepower Threat Defense device bridges instead of routes. Bridged interfaces belong to a bridge group, and all interfaces are on the same network. The bridge group is represented by a Bridge Virtual Interface (BVI) that has an IP address on the bridge network.

You can route between routed interfaces and BVIs, if you name the BVI. In this case, the BVI acts as the gateway between member interfaces and routed interfaces. If you do not name the BVI, traffic on the bridge group member interfaces cannot leave the bridge group. Normally, you would name the interface so that you can route member interfaces to the Internet.

One use for a bridge group in routed mode is to use extra interfaces on the Firepower Threat Defense device instead of an external switch. You can attach endpoints directly to bridge group member interfaces. You can also attach switches to add more endpoints to the same network as the BVI.

You can configure both IPv6 and IPv4 addresses on a routed interface or BVI. Make sure you configure a default route for both IPv4 and IPv6. You do not configure addresses on bridge group member interfaces.