FTDv in AWS with GW LB - how to setup static routes?

Difan Zhao
Level 5

Hi experts,

I am using the FTDv to filter traffic between the VPCs. The video I followed is this one - https://www.youtube.com/watch?v=EuXrVc2hpNk&t=14s

Now my firewall is receiving the ping packets from the source VPC but it is not forwarding it to the destination VPC... I confirmed with the capture. I think it is the static route I missed. Currently, I don't have any static routes. My understanding is that, I need to put in the route for the source and destination VPC. However, what will be my next hop? I think it should use the VNI interface to send the traffic back to the endpoints. So I put in the GW address of the subnet where I created the endpoint. Does it sound about right? I can't save it though... I got this error when I tried to save it. 


'IPv4 Route' Invalid Configuration - Interface.

Proxy enabled VNI interface 'vni1' cannot be use in policy 'IPv4 Route'.
Please use a different interface.
What should be the correct way to do routing in this setup?
Thanks!
Difan
1 Reply

In your FTDv setup, you should configure appropriate VPCs, subnets, route tables, and security groups in your AWS environment. Here are some steps you need to follow:

1. **Create a VPC:** Create a virtual private cloud (VPC) dedicated to your AWS account and specify the IP address range during this process.

2. **Add an Internet Gateway:** Connect your VPC to the internet by adding an internet gateway. This enables you to route traffic for IP addresses outside of your VPC.

3. **Add Subnets:** Start adding subnets to your VPC. These subnets are used to group instances according to security and operational needs. Make sure to configure separate subnets for management traffic and data traffic.

4. **Add a Route Table:** Attach a route table to the internet gateway you configured for your VPC. This will help you define routes for traffic going to different destinations.

5. **Create a Security Group:** Create a security group and set rules specifying allowed protocols, ports, and source IP ranges. This security group controls inbound and outbound traffic for the instances in your VPC.

6. **Create Network Interfaces:** For the FTDv instances, create network interfaces using static IP addresses or DHCP. Configure separate interfaces for management traffic and data traffic.

7. **Create Elastic IPs:** Reserve public IP addresses for remotely accessing the FTDv instances. Elastic IPs are used for both management access and accessing other instances in the VPC.

8. **Deploy the FTDv Instance:** Launch the FTDv instance using the AWS console, select the appropriate instance type, and configure the network interfaces and security groups. Make sure to select the correct VPC and subnets.

After deploying the FTDv instances, you can manage them using the Secure Firewall Management Center or the Secure Firewall Device Manager. These management tools will help you configure and monitor the FTDv instances.

Just remember, this is a general guide and the specifics may vary depending on your requirements and AWS environment. Always refer to Cisco's official documentation for detailed instructions and best practices.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
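Before typing the steps above into the AWS CLI or Terraform, it helps to lay the subnet, route table and security group plan out in code and check it for the two mistakes that bite most often: overlapping subnets and a management security group left open to the whole internet. The script below is an added example, not Cisco's or AWS's code; the VPC range, admin range, subnet names and the `igw-...` placeholder are constructed values.

```python
"""Plan the VPC pieces from the reply above (separate management/data/endpoint
subnets, a default route, management and data security groups) and check the
plan for least privilege.  Added example; CIDRs and names are constructed."""
import ipaddress

PLAN_VPC = "10.0.0.0/16"         # constructed VPC range
ADMIN_CIDR = "203.0.113.0/24"    # constructed admin source range (TEST-NET-3)


def plan_subnets(vpc_cidr: str, prefix: int = 24) -> dict:
    """Carve management, data and endpoint subnets out of the VPC (step 3).
    Subnet size and names are this example's choices."""
    nets = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    names = ["management", "data", "gwlb-endpoint"]
    return {name: str(net) for name, net in zip(names, nets)}


def plan_route_table(igw_id: str) -> list:
    """Default route pointing at the internet gateway (step 4)."""
    return [("0.0.0.0/0", igw_id)]


def plan_security_groups(admin_cidr: str) -> dict:
    """Management SG admits only the admin range on SSH/HTTPS (step 5);
    the data SG is left open because the FTDv itself filters that traffic."""
    return {
        "ftdv-mgmt": [("tcp", 22, admin_cidr), ("tcp", 443, admin_cidr)],
        "ftdv-data": [("-1", 0, "0.0.0.0/0")],
    }


def find_violations(subnets: dict, sgs: dict) -> list:
    """Return the problems a reviewer would flag: overlapping subnets and any
    management rule whose source is the entire internet (/0)."""
    problems = []
    nets = [ipaddress.ip_network(cidr) for cidr in subnets.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets overlap: {a} {b}")
    for proto, port, src in sgs.get("ftdv-mgmt", []):
        if ipaddress.ip_network(src).prefixlen == 0:
            problems.append(f"management port {port}/{proto} open to {src}")
    return problems


if __name__ == "__main__":
    subnets = plan_subnets(PLAN_VPC)
    print(subnets, plan_route_table("igw-PLACEHOLDER"))
    print("violations:", find_violations(subnets, plan_security_groups(ADMIN_CIDR)))
```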