Firepower Networking issue between interface port

eeebbunee
Level 5

Hello Engineers,

Today I found a critical security issue on our Firepower (2110 series).

On our Firepower, there are 3 interface ports: Outside/Inside/Guest.

Those IP ranges are different, and Inside/Guest have private IP ranges.

The Guest interface is for wireless Guest users.

Normally Guest users are not able to access Inside IP blocks; they can't communicate with each other.

In my case, the Guest IP range can communicate with Inside!!!!!!!!!

<Firepower --- Core switch --- Wireless Controller>

- There is no route for the guest interface and Guest zone in Firepower.
- There is no route for the Guest IP range in the Core switch.

I don't know where I should check... Please help, it is urgent for me.

How can different interface ports communicate without routing??

I really appreciate your comments.

 

3 Replies

balaji.bandi
Hall of Fame

Each port runs a different VLAN in the switch where they are connected; you should not see this issue?

How is your switch configured?

Try to access Inside from a Guest user and check the logs in Firepower: is this reaching Firepower, or is the switch doing any routing here?

BB

===== Preenayamo Vasudevam =====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
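The check suggested above (does a Guest-to-Inside attempt show up in the Firepower logs at all, and if so, was it permitted or denied?) can be scripted against a syslog export. The following is an added example, not code from the thread or from Cisco: it parses ASA-style connection messages (302013/302015 "Built" and 106023 "Deny", which FTD emits in the same format) and reports only flows whose source is in the Guest subnet and whose destination is in the Inside subnet. The sample log lines, the interface names `guest`/`inside`, and the Inside subnet 10.10.10.0/24 are constructed for illustration; only the Guest range 192.168.0.0/24 comes from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample syslog lines (NOT from the poster's FTD). FTD emits ASA-style
# connection messages: 302013/302015 "Built", 302014/302016 "Teardown", 106023 "Deny".
SAMPLE_LOG = """\
%FTD-6-302013: Built inbound TCP connection 100 for guest:192.168.0.50/51234 (192.168.0.50/51234) to inside:10.10.10.20/445 (10.10.10.20/445)
%FTD-6-302014: Teardown TCP connection 100 for guest:192.168.0.50/51234 to inside:10.10.10.20/445 duration 0:00:01 bytes 812 TCP FINs
%FTD-4-106023: Deny tcp src guest:192.168.0.51/40000 dst inside:10.10.10.21/22 by access-group "CSM_FW_ACL_" [0x0, 0x0]
%FTD-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/443 (203.0.113.10/443) to guest:192.168.0.52/50001 (192.168.0.52/50001)
%FTD-6-302015: Built outbound UDP connection 102 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.10.10.5/53000 (10.10.10.5/53000)
"""

BUILT_RE = re.compile(
    r"%\w+-\d-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<ifc_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([^)]*\) "
    r"to (?P<ifc_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+)"
)
DENY_RE = re.compile(
    r"%\w+-\d-106023: Deny (?P<proto>\w+) src (?P<ifc_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"dst (?P<ifc_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+)"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    action: str  # "permit" (connection built) or "deny" (dropped by access policy)


def parse_line(line):
    """Return a Flow for Built/Deny messages, None for anything else."""
    m = BUILT_RE.search(line)
    if m:
        # In "Built" messages the lower-security side is listed first: for an
        # inbound connection the "for" side is the initiator, for an outbound
        # connection the initiator is the "to" side.
        if m["dir"] == "inbound":
            src, dst, dport = m["ip_a"], m["ip_b"], int(m["port_b"])
        else:
            src, dst, dport = m["ip_b"], m["ip_a"], int(m["port_a"])
        return Flow(src, dst, dport, m["proto"].lower(), "permit")
    m = DENY_RE.search(line)
    if m:
        return Flow(m["ip_a"], m["ip_b"], int(m["port_b"]), m["proto"].lower(), "deny")
    return None  # teardown and other messages add nothing for this check


def guest_to_inside_flows(log_text, guest_net, inside_net):
    """Keep only flows initiated from the Guest range towards the Inside range."""
    guest = ipaddress.ip_network(guest_net)
    inside = ipaddress.ip_network(inside_net)
    flows = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and ipaddress.ip_address(f.src) in guest and ipaddress.ip_address(f.dst) in inside:
            flows.append(f)
    return flows


def verdict(flows):
    """Summarise what the log says about the Guest -> Inside path.

    ftd-permits     : the FTD is forwarding Guest -> Inside; review its access control policy
    ftd-denies      : the FTD blocks it; if hosts still reach Inside, the path bypasses the firewall
    not-seen-at-ftd : no such flow reached the FTD; look at the core switch / WLC for L2/L3 leakage
    """
    if any(f.action == "permit" for f in flows):
        return "ftd-permits"
    if flows:
        return "ftd-denies"
    return "not-seen-at-ftd"


if __name__ == "__main__":
    found = guest_to_inside_flows(SAMPLE_LOG, "192.168.0.0/24", "10.10.10.0/24")
    for f in found:
        print(f"{f.action:6} {f.proto} {f.src} -> {f.dst}:{f.dport}")
    print("verdict:", verdict(found))
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents and the Inside range with the site's actual subnet. The useful outcome is the negative one: a Guest host that reaches Inside while the FTD log shows neither a Built nor a Deny for that pair is being forwarded by something other than the firewall, which is exactly the switch-or-WLC question raised in the replies.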

Hello Balaji,

Yes, the Guest and Inside ports from the FTD are connected to the Core switch with different VLANs.

WLC 1/1-1/4 ports (Trunk) ==== Core switch po1 LAG

 * WLC guest-interface VLAN300, ip address 192.168.0.2 / 255.255.255.0 / 192.168.0.1

Core switch inside ==== FTD Ethernet1/2

Core switch Guest (VLAN300, no int vlan 300 ip address) ==== FTD Ethernet1/3 (192.168.0.1)

FTD DHCP Server enabled for Guest Network (192.168.0.3-192.168.0.200)

When I connect to Guest wireless, I get an IP from the FTD and connect to the internet.

We have another site office with the same (almost similar) configuration (FTD, Core switch, WLC). There, without any access-list (deny) rule in the Core switch, the guest network is not able to communicate with inside networks.

Do you think that's because of the Core switch or the WLC (not the FTD)?

kapydan88
Level 7

Hello.

Can you share a screen from your Firepower 2110? How is it managed, via FMC or FDM?

Are you sure that the cause of this problem is inside the Firepower? Maybe you need to implement an ACL inside your core switch or any L3 device.
