Configuring Firepower Threat Defense interfaces in Routed mode
Introduction
This document describes the configuration, verification, and background operation of a Routed Interface on a Firepower Threat Defense (FTD) appliance.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
- ASA5512-X - FTD code 6.1.0.x
- Firepower Management Center (FMC) - code 6.1.0.x
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Related Products
This document can also be used with these hardware and software versions:
- ASA5506-X, ASA5506W-X, ASA5506H-X, ASA5508-X, ASA5516-X
- ASA5512-X, ASA5515-X, ASA5525-X, ASA5545-X, ASA5555-X
- FPR2100, FPR4100, FPR9300
- VMware (ESXi), Amazon Web Services (AWS), Kernel-based Virtual Machine (KVM)
- FTD software code 6.2.x and later
Background Information
FTD provides two Deployment modes and six Interface modes:
2 Deployment Modes:
- Routed
- Transparent
6 Interface Modes:
- Routed
- Switched (BVI)
- Passive
- Passive (ERSPAN)
- Inline pair
- Inline pair with tap
Note: You can mix interface modes on a single FTD appliance.
High level overview of the various FTD deployment and interface modes:
| FTD interface mode | FTD Deployment mode | Description | Traffic can be dropped |
|---|---|---|---|
| Routed | Routed | Full LINA engine and Snort-engine checks | Yes |
| Switched | Transparent | Full LINA engine and Snort-engine checks | Yes |
| Inline Pair | Routed or Transparent | Partial LINA engine and full Snort-engine checks | Yes |
| Inline Pair with Tap | Routed or Transparent | Partial LINA engine and full Snort-engine checks | No |
| Passive | Routed or Transparent | Partial LINA engine and full Snort-engine checks | No |
| Passive (ERSPAN) | Routed | Partial LINA engine and full Snort-engine checks | No |
Configure
Network Diagram
A diagram shows two routers connected to a Cisco NGFW appliance. Router-1 has an interface G0/0.201 with IP address 192.168.201.x. Router-2 has an interface G0/1 with IP address 192.168.202.x. The NGFW is positioned between them.
Configure a Routed Interface and a Subinterface
Configure subinterface G0/0.201 and interface G0/1 as per these requirements:
| Interface | G0/0.201 | G0/1 |
|---|---|---|
| Name | INSIDE | OUTSIDE |
| Security Zone | INSIDE_ZONE | OUTSIDE_ZONE |
| Description | INTERNAL | EXTERNAL |
| Sub interface ID | 201 | - |
| VLAN ID | 201 | - |
| IPv4 | 192.168.201.1/24 | 192.168.202.1/24 |
| Duplex/Speed | Auto | Auto |
Solution
Step 1. Configure the Logical Interface
Navigate to Devices > Device Management, select the appropriate device and select the Edit icon.
A screenshot shows the Cisco FTD device management interface. The user needs to select 'Add Interfaces' and then 'Sub Interface'.
Configure the subinterface settings as per requirements:
Add Sub Interface
- Name: INSIDE
- Security Zone: INSIDE_ZONE
- Description: INTERNAL
Under the General tab:
- MTU: 1500
- Interface: GigabitEthernet0/0
- Sub-Interface ID: 201
- VLAN ID: 201
Under the IPv4 tab:
- IP Type: Use Static IP
- IP Address: 192.168.201.1/24
Under the physical interface (GigabitEthernet0/0) specify the Duplex and Speed settings:
- Duplex: auto
- Speed: auto
Enable the physical interface (G0/0 in this case):
Edit Physical Interface
- Mode: None
- Name: INSIDE
- Security Zone: INSIDE_ZONE
- Description: INTERNAL
- Enabled: Checked
Under the Hardware Configuration tab for the physical interface:
- MTU: 1500
- Interface ID: GigabitEthernet0/0
Step 2. Configure the Physical Interface
Edit the GigabitEthernet0/1 physical interface as per requirements:
Edit Physical Interface
- Mode: None
- Name: OUTSIDE
- Security Zone: OUTSIDE_ZONE
- Description: EXTERNAL
- Enabled: Checked
Under the IPv4 tab:
- IP Type: Use Static IP
- IP Address: 192.168.202.1/24
Key points for Routed interfaces:
- The Mode is: None
- The Name is equivalent to the ASA interface name
- On FTD all interfaces have security level = 0
- same-security-traffic is not applicable on FTD. Traffic between different FTD interfaces (inter-interface) and traffic entering and leaving the same interface (intra-interface) is allowed by default
Select Save and Deploy.
Verification
From the FMC GUI:
A table shows interfaces configured in the FMC. GigabitEthernet0/0 is physical, OUTSIDE, OUTSIDE_ZONE, 192.168.202.1/24(Static). GigabitEthernet0/0.201 is a subinterface, INSIDE, INSIDE_ZONE, 192.168.201.1/24(Static).
From the FTD CLI:
show interface ip brief
The output shows interface details including IP addresses, status, and protocol.
show ip
The output shows the system IP addresses and the current IP addresses for the interfaces.
FMC GUI and FTD CLI correlation:
A screenshot shows the 'Edit Sub Interface' window with Name: INSIDE, Security Zone: INSIDE_ZONE, Description: INTERNAL. The IPv4 tab shows IP Type: Use Static IP, IP Address: 192.168.201.1/24.
The output of show running-config interface g0/0.201 shows the configuration for the subinterface, including description, VLAN, nameif, security level, and IP address.
The output of show interface g0/0.201 shows the status of the interface, including its name, description, MAC address, MTU, and IP address.
The output of show interface g0/1 shows the status of the GigabitEthernet0/1 interface, including its name, description, MAC address, MTU, IP address, and duplex/speed settings.
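For the FMC-to-CLI correlation above, this is the running-config form that the Step 1 and Step 2 settings produce on FTD. It is an added, expected-form example written from the requirements in this document, not output captured from the lab; the cts manual lines are FTD defaults that can differ by release, and the subinterface VLAN, nameif, security-level 0 and IP address map directly to the VLAN ID, Name, (fixed) security level and IPv4 fields in the FMC.

```text
> show running-config interface GigabitEthernet0/0.201
!
interface GigabitEthernet0/0.201
 description INTERNAL
 vlan 201
 nameif INSIDE
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.201.1 255.255.255.0

> show running-config interface GigabitEthernet0/1
!
interface GigabitEthernet0/1
 description EXTERNAL
 nameif OUTSIDE
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.202.1 255.255.255.0
```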
FTD Routed Interface Operation
Verify the FTD packet flow when Routed interfaces are in use.
Solution
FTD Architectural overview
A high-level overview of the FTD data plane is shown in a diagram. It illustrates the packet flow through the ASA engine, Snort engine, and back through the ASA engine, from ingress to egress interface.
A diagram shows the checks performed within each engine. It details the Fast Path and the various security checks like Decrypt, Blacklist, Malware, etc., with options for DROP or ALLOW verdicts.
Key points
- The bottom checks correspond to the FTD LINA engine Data Path.
- The checks inside the blue box correspond to the FTD Snort engine instance.
FTD Routed Interface Overview
- Available only in Routed Deployment.
- Traditional L3 firewall deployment.
- One or more physical or logical (VLAN) routable interfaces.
- Allows features like NAT or Dynamic Routing protocols to be configured.
- Packets are forwarded based on Route Lookup and next hop is resolved based on ARP Lookup.
- Actual traffic can be dropped.
- Full LINA engine checks are applied along with full Snort engine checks.
The packet flow through the LINA and Snort engines is visualized as:
G0/0 -- LINA engine -- Snort engine -- LINA engine -- G0/1
Verify
Trace a Packet on FTD Routed Interface
Network Diagram
A diagram shows Router-1 connected to the NGFW's G0/0.201 interface (192.168.201.x) and the NGFW's G0/1 interface (192.168.202.x) connected to Router-2.
Use packet-tracer with these parameters to see the applied policies:
- Input Interface: INSIDE
- Protocol/Service: TCP port 80
- Source IP: 192.168.201.1
- Destination IP: 192.168.202.1
Solution
When a Routed interface is used, the packet is processed similarly to a classic ASA Routed interface. Checks like Route Lookup, Modular Policy Framework (MPF), NAT, ARP lookup, etc., take place in the LINA engine Data Path. Additionally, if the Access Control Policy requires it, the packet is inspected by the Snort engine, where a verdict is generated and returned to the LINA engine.
The following CLI command is used:
packet-tracer input INSIDE tcp 192.168.201.100 11111 192.168.202.100 80
The output details the packet processing phases:
- Phase 1: ROUTE-LOOKUP - Resolves the egress interface. Result: ALLOW. Additional Information: Found next-hop 192.168.202.100 using egress ifc OUTSIDE.
- Phase 2: ACCESS-LIST - Applies access lists. Result: ALLOW. Configuration includes access-group CSM_FW_ACL_global and specific access-list rules. Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached.
- Phase 3: CONN-SETTINGS - Manages connection settings. Result: ALLOW.
- Phase 4: NAT - Performs Network Address Translation. Result: ALLOW. Configuration involves connection advanced-options UM_STATIC_TCP_MAP.
- Phase 5: IP-OPTIONS - Handles IP options. Result: ALLOW.
- Phase 6: NAT - Performs per-session NAT. Result: ALLOW.
- Phase 7: IP-OPTIONS - Handles IP options. Result: ALLOW.
- Phase 8: FLOW-CREATION - Creates a new flow. Result: ALLOW. New flow created with id 11336, packet dispatched to next module.
Results:
- Input Interface: INSIDE, Status: up
- Output Interface: OUTSIDE, Status: up
- Action: allow
Note: In phase 4 the packet is checked against a TCP map called UM_STATIC_TCP_MAP. This is the default TCP Map on FTD.
The CLI command show run all tcp-map
displays the configuration for TCP maps, including UM_STATIC_TCP_MAP with various settings like no check-retransmission, checksum-verification, etc.
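When packet-tracer is run repeatedly (for example after each policy deploy), it helps to check the phases programmatically rather than by eye. This added Python parser is not from the Cisco document: it splits the phase list from the final verdict, reports whether the ACCESS-LIST phase handed the packet to Snort, and names the first DROP phase if any. The packet-tracer output embedded below is constructed and abbreviated (phases 3-7 omitted), not captured from the lab.

```python
import re

# Constructed, abbreviated packet-tracer output in FTD/ASA format (not from the lab).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
found next-hop 192.168.202.100 using egress ifc  OUTSIDE

Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 8
Type: FLOW-CREATION
Result: ALLOW
Additional Information:
New flow created with id 11336, packet dispatched to next module

Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: allow
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into its LINA phases plus the final verdict."""
    head, _, tail = text.partition("\nResult:\n")  # phases end at the "Result:" block
    phases = []
    for block in re.split(r"\n\n(?=Phase: )", head.strip()):
        num = int(re.search(r"^Phase: (\d+)", block, re.M).group(1))
        ptype = re.search(r"^Type: (\S+)", block, re.M).group(1)
        result = re.search(r"^Result: (\S+)", block, re.M).group(1)
        info = block.partition("Additional Information:\n")[2].strip()  # may be empty
        phases.append({"phase": num, "type": ptype, "result": result, "info": info})
    verdict = dict(re.findall(r"^([\w-]+): (.+)$", tail, re.M))
    return {"phases": phases, "action": verdict.get("Action"),
            "input_interface": verdict.get("input-interface"),
            "output_interface": verdict.get("output-interface"),
            # Phase 2 records the hand-off to Snort; absent when LINA alone decided
            "sent_to_snort": any("sent to snort" in p["info"] for p in phases),
            "first_drop": next((p["type"] for p in phases if p["result"] == "DROP"), None)}
```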
Related Information
Related Documents
- Cisco Firepower Compatibility Guide: Cisco Firepower software and hardware compatibility, including operating system and hosting environment requirements for various models and versions.
- Cisco Secure Firewall Migration Tool Compatibility Guide: Cisco Secure Firewall software and hardware compatibility, including operating system and hosting environment requirements for migrating from various firewall platforms to Cisco Secure Firewall.
- Cisco ASA Compatibility Guide: Software and Hardware Matrix: compatibility guide for Cisco ASA (Adaptive Security Appliance) software and hardware, including ASDM, FXOS, ASAv, Firepower, and various modules. Updated October 5, 2016.
- Reset Admin Password for Cisco Firepower System: how to reset the admin password for Cisco Firepower system components, including Firepower Threat Defense (FTD), ASA FirePOWER Services modules, Firepower Management Centers (FMC), and NGIPSv devices. Covers procedures for lost passwords, CLI and web interface access, and different device models.
- Cisco Secure Firewall Threat Defense Compatibility Guide: software and hardware compatibility information for Cisco Secure Firewall Threat Defense, covering hardware models, software versions, and integrated products.
- Cisco ASA Series General Operations ASDM Configuration Guide: configuration of Cisco ASA Series devices using the Adaptive Security Device Manager (ASDM), covering general operations, setup, interfaces, security policies, VPNs, and more.
- Cisco IOS XE and Viptela SDWAN Software Support Timeline and EoL Guidelines: support timelines and End-of-Life (EoL) guidelines for Cisco IOS XE Software releases (16.x.x, 17.x.x) and Viptela SDWAN Software releases (19.x.x, 20.x.x), covering release models, naming conventions, support types, and EoL milestones.
- Cisco ASR 1000 Series Release Notes for IOS XE Amsterdam 17.3.x: release notes for Cisco ASR 1000 Series routers running Cisco IOS XE Amsterdam 17.3.x, covering new software features, resolved bugs, and ROMmon release requirements.