topic Site-to-Site tunnel from onprem firepower and firepower in Azure in Network Security

Site-to-Site tunnel from onprem firepower and firepower in Azure

isoto — Mon, 08 Aug 2022 13:02:06 GMT

Hello everyone,

I am trying to setup a site-to-site tunnel to connect a physical onprem Cisco Firepower to a virtual Cisco Firepower in Azure. I have tried sooo much and cant get it to work. I have configure the interfaces with attaching a public ip address to the outside interface GigabitEthernet0/0. I've also tried some static routes. Do anyone have any experience with this

I can ping the internet from the Azure firewall

Re: Site-to-Site tunnel from onprem firepower and firepower in Azure

balaji.bandi — Mon, 08 Aug 2022 13:11:00 GMT

Do you have reachability between FTD on prem to Azure FTD ?

check below thread : enable debug and check.

https://community.cisco.com/t5/vpn/azure-s2s-vpn-with-firepower-fmc-ftd/td-p/3353513

Re: Site-to-Site tunnel from onprem firepower and firepower in Azure

isoto — Mon, 08 Aug 2022 13:19:02 GMT

I have no reachability. The Azure firewall if pingable, but from what I can see traffic is not routed from the attached public IP address to the local address on the interface. The site-to-site configuration on both sides is setup identical with protocol and PSK, but no connection is established

Re: Site-to-Site tunnel from onprem firepower and firepower in Azure

isoto — Mon, 08 Aug 2022 13:21:42 GMT

If I try to make a tunnel to a "Azure Virtual Gateway" I get the connection, but the routing isnt correct. But if I try to setup a tunnel to the firewall's PIP directly it does not work.

Re: Site-to-Site tunnel from onprem firepower and firepower in Azure

Marvin Rhoads — Mon, 08 Aug 2022 13:59:32 GMT

Is there an Azure NSG in front of your Azure firewall If so, you must allow all IP traffic to the firewall's outside address. An NSG doesn't have the fine grained control to only allow the required ESP (protocol 50) and udp/500 and udp/4500 ports.

Re: Site-to-Site tunnel from onprem firepower and firepower in Azure

isoto — Mon, 08 Aug 2022 14:15:54 GMT

Sorry my original reply was incorrect. Yes there is an NSG and has both 500 and 4500 allow in inbound. I will add 50 to the inbound

---Note--

I added 50 and still no luck

Re: Site-to-Site tunnel from onprem firepower and firepower in Azure

Marvin Rhoads — Mon, 08 Aug 2022 15:15:37 GMT

It's IP protocol 50 (IPsec Encapsulating Security Payload or ESP) - not a UDP (or TCP) port that's required.

Last I checked NSG's don't allow you to select the IP protocols allowed (apart udp (protocol 17) and tcp (protocol 6)), so we need to allow all incoming traffic to the firewall.

Re: Site-to-Site tunnel from onprem firepower and firepower in Azure

isoto — Tue, 09 Aug 2022 00:31:45 GMT

I actually opened it up to "any" and am still not getting the site to site to establish a connection. I run show crypto isakmp sa and not connection.

Re: Site-to-Site tunnel from onprem firepower and firepower in Azure

Marvin Rhoads — Tue, 09 Aug 2022 02:25:33 GMT

Do you see the connection being attempted when interesting traffic is presented to the firewall at one end. For example, does a packet capture filtered on the remote site firewall's address show it trying to setup the VPN?

Re: Site-to-Site tunnel from onprem firepower and firepower in Azure

manofsteel03 — Tue, 09 Aug 2022 05:20:06 GMT

Have you enabled additional syslog IDs like the ones below on the Firepower to capture additional informational to help further troubleshoot the issue?

750003
750002
713050
713259
713123
713019
713119
713120
113019
402116