Trunking an ip addressed inside interface on Firepower 2130

jreynolds4
Level 1

My network endpoints use the IP-addressed VLANs on my core Cisco Layer 3 switch as their gateway addresses, i.e. VLAN 11 endpoint address 192.168.11.3/24 with gateway 192.168.11.1/24 (VLAN IP on core) and VLAN 12 endpoint address 192.168.12.3/24 with gateway 192.168.12.1/24 (VLAN IP on core). These VLANs are then interconnected. I am attempting to create a path to the internet using the gateway of last resort out of the switch: 0.0.0.0 0.0.0.0 10.2.2.1. 10.2.2.1, in security zone "InsideTrunk", is the address of a physical inside interface on my Firepower 2130. I have created access control policies to allow 192.168.11.0/24 and 192.168.12.0/24 from "InsideTrunk" to Outside on the Firepower. Also, the proper auto NATs for both subnets have been created. The endpoints are unable to reach the internet. All I am trying to do is create a transport network. Does anyone have an idea of what I am missing? I have attached the trunk config from the core switch.


1 Accepted Solution

Things can be done in multiple ways. Configuring routed interfaces on the switches is not common; in fact, some switches might not even support it. I think what I suggested is just a simple, common solution that meets @jreynolds4's requirements.


45 Replies

balaji.bandi
Hall of Fame

You have mentioned that the default route points to 0.0.0.0 0.0.0.0 10.2.2.1.

So is 10.2.2.1 the inside interface of the FTD?

What is the core-side IP address for the same network?

Can the FTD reach the core network transit IP or VLAN?

How are you managing the FTD, FMC or FDM?

Look at the guide below for basic help:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html

FDM (I use a virtual one) should help you understand how to reach the internet:

https://www.balajibandi.com/?p=1855


BB


Sorry for the delay. A whole lot going on right now.

So is 10.2.2.1 the inside interface of the FTD? - YES

What is the core-side IP address for the same network? YES, below is from the Firepower to the SW:

> ping 10.2.2.2
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

I am using FMC

Hello,

Post the running config of the core switch. Can the Firepower ping the core switch (and vice versa, can the core switch ping 10.2.2.1)?

Yes, the switch and firepower can ping each other.

Elmo#show run
Building configuration...

Current configuration : 6719 bytes
!
! Last configuration change at 10:04:27 PDT Thu Apr 18 2024
! NVRAM config last updated at 09:28:33 PDT Wed Apr 17 2024
!
version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
no platform punt-keepalive disable-kernel-core
!
hostname Elmo
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$iaR1$223Tvy/XabtO89QCjx3hO/
!
no aaa new-model
clock timezone PDT -8 0
clock summer-time PDT recurring
switch 1 provision ws-c3650-24ts
!
!
!
!
call-home
contact-email-addr jreynolds@willapa.net
no http secure server-identity-check
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
ip routing
!
ip name-server 172.27.4.11 172.27.5.245
ip domain name whh.local
!
!
!
no login on-success log
!
!
!
!
!
!
!
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-2670722759
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2670722759
revocation-check none
rsakeypair TP-self-signed-2670722759
!
!
crypto pki certificate chain TP-self-signed-2670722759
!
!
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
redundancy
mode sso
!
!
transceiver type all
monitoring
!
vlan 4
name MEwireless
!
vlan 10
name Isonas
!
vlan 11
name Meraki
!
vlan 12
name TrunkTest
!
vlan 13
name Transport
!
vlan 92
name EpsilonNine
!
vlan 172
name WHHPrimary
!
vlan 210
name rad-PACS
!
vlan 555
name MITELmngt
!
vlan 666
name GuestInternet
!
vlan 803
name SpaceLabs
!
vlan 804
name Telemetry
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 172
switchport mode dynamic desirable
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 210
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 210
!
interface GigabitEthernet1/0/5
switchport access vlan 210
!
interface GigabitEthernet1/0/6
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 210
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 210
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 210
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 172
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 172
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 172
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/21
switchport access vlan 172
switchport trunk native vlan 13
switchport trunk allowed vlan 11-13
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport access vlan 172
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport access vlan 210
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan4
no ip address
!
interface Vlan11
ip address 192.168.11.1 255.255.255.0
!
interface Vlan12
ip address 192.168.12.1 255.255.255.0
!
interface Vlan13
ip address 10.2.2.2 255.255.255.0
!
interface Vlan84
ip address 192.168.1.155 255.255.255.0
!
interface Vlan111
ip address 192.168.111.1 255.255.255.0
!
interface Vlan172
ip address 172.27.8.63 255.255.0.0
!
interface Vlan444
ip address 10.11.12.9 255.255.255.0
!
ip default-gateway 172.27.8.40
ip forward-protocol nd
ip http server
ip http secure-server
ip ftp username BACKUPadmin
ip ftp password B@ckUpDud3
ip route 0.0.0.0 0.0.0.0 192.168.196.155
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
password SwitchL0rd
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password SwitchL0rd
login
line vty 5 15
password SwitchL0rd
login
!
ntp server 172.27.4.11
!
!
!
!
!
!

Hello,

The 'ip default-gateway' command is unnecessary, since it is a Layer 3 switch. Remove that line. Also, you have two default routes; what is the purpose of those? Which one do you need (I assume the one pointing to the FTD)? In short, remove the two lines marked below:

--> no ip default-gateway 172.27.8.40
ip forward-protocol nd
ip http server
ip http secure-server
ip ftp username BACKUPadmin
ip ftp password B@ckUpDud3
--> no ip route 0.0.0.0 0.0.0.0 192.168.196.155
ip route 0.0.0.0 0.0.0.0 10.2.2.1
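A small audit script, added here as an example and not part of the thread, that checks a constructed IOS config sample (modelled on the posted switch config, with placeholder passwords) for the two routing problems raised above (duplicate default routes and a stray 'ip default-gateway') plus a few hardening points a reviewer would flag in the same config (plaintext passwords, cleartext HTTP management, DTP negotiation on an edge port).

```python
import re

# Constructed sample, modelled on the core switch config posted in the thread.
# Only the lines the audit looks at are kept; passwords are placeholders.
SAMPLE_CONFIG = """\
ip routing
!
interface GigabitEthernet1/0/1
 switchport access vlan 172
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/21
 switchport trunk native vlan 13
 switchport trunk allowed vlan 11-13
 switchport mode trunk
!
ip default-gateway 172.27.8.40
ip http server
ip ftp username BACKUPadmin
ip ftp password PLACEHOLDER_PW
ip route 0.0.0.0 0.0.0.0 192.168.196.155
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
line vty 0 4
 password PLACEHOLDER_PW
 login
"""

def audit_ios_config(text):
    """Return a list of (severity, message) findings for an IOS-style running config."""
    findings, lines = [], [l.rstrip() for l in text.splitlines()]
    nexthops = [l.split()[-1] for l in lines if l.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    if len(nexthops) > 1:
        findings.append(("HIGH", "multiple default routes: " + ", ".join(nexthops)))
    if "ip routing" in lines and any(l.startswith("ip default-gateway ") for l in lines):
        findings.append(("LOW", "ip default-gateway is ignored when ip routing is on; remove it"))
    if any(re.match(r"\s*(ip ftp )?password \S", l) for l in lines):
        findings.append(("HIGH", "plaintext password present; use secrets/AAA and 'service password-encryption'"))
    if "ip http server" in lines:
        findings.append(("MEDIUM", "cleartext HTTP management enabled; keep only ip http secure-server"))
    iface = None  # walk interface blocks; a bare '!' ends a block
    for l in lines:
        if l.startswith("interface "):
            iface = l.split(None, 1)[1]
        elif l == "!":
            iface = None
        elif iface and l.strip() == "switchport mode dynamic desirable":
            findings.append(("MEDIUM", f"{iface}: DTP negotiation on; set 'switchport mode access' and 'switchport nonegotiate'"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Feed it the output of 'show run' from a real switch to get the same five classes of finding; the sample above triggers all of them.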

Thank you. I got in such a rush I did not notice the second route. I will fix this and test.

How did you configure the link between the SW and the FTD?

MHM

Via 802.1q trunk.

jreynolds4
Level 1

The inside "transit" port on the Firepower cannot be pinged from endpoints in either VLAN. This tells me that I have messed up something in the trunk config of the switch. The trunk config is below:

Elmo#show int gi1/0/21 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/21    on           802.1q         trunking      13

Port        Vlans allowed on trunk
Gi1/0/21    11-13

Port        Vlans allowed and active in management domain
Gi1/0/21    11-13

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/21    11-13

Do the hosts use the SVI or the interface of the FW as their GW?

MHM

The hosts use the switch virtual interface as gateway. This way they can interconnect with each other and all other subnets using SVI as gateway. The purpose of the single transport connection to the firewall is to carry internet traffic over trunk to internet via a single port on the firewall.

That is why you cannot ping from the FW to the host.

The FW sends via VLAN x and receives the reply from VLAN y; this asymmetry is dropped by the FW.

You need to ping from the FW using the same VLAN.

MHM 

Thank you. Would you recommend moving all of my inter-VLAN routing to the firewall rather than the switch? I am having a very difficult time configuring all devices in such a way that VLANs can reach each other AND reach the internet. I can create ports for each of the different VLANs on the firewall and reach the internet, but not the other VLANs. Or, I can use the SVIs as gateways on the endpoints and reach each other but not the internet.

One additional note. I have more vlans than I have ports on my firewall. For this reason, I need to find a way to accomplish the inter-vlan and internet connection via the switch to a transport network. TAC was unable to help me. I am hoping that someone in the community can.