topic Re: FTD ICMP question in Network Security

FTD ICMP question

N3om — Thu, 06 Jun 2024 19:57:06 GMT

To allow icmp to traverse a site to site VPN between 3rd party and us is it just the same as allowing TCP/UDP

or do I have to do something different? I have created a static uni-directional identity nat rule also the traffic is to be initiated from 3rd party to us on ICMP

Thanks

Re: FTD ICMP question

Rob Ingram — Thu, 06 Jun 2024 20:52:41 GMT

@N3om In addition to the NAT exemption rule. The VPN topology needs to allow the traffic between the local/remote networks to establish the VPN tunnel and you need to configure the Access Control rules to explictly permit the ICMP traffic (and anything else).

Re: FTD ICMP question

Marius Gunnerud — Fri, 07 Jun 2024 01:55:32 GMT

Given that the VPN is setup correctly (i.e. Site to site is up, interesting traffic and NAT are defined correctly), then you only need to allow the traffic in the access rules (that is if you are NOT bypassing the outside interface ACL for VPN traffic).

Other consideration if it is still not working is that the remote side also needs to allow for ICMP in the required direction (source --> destination).

Re: FTD ICMP question

N3om — Fri, 07 Jun 2024 11:28:13 GMT

The VPN looks ok I see the correct SA's funny thing is I see the NAT rule counters incrementing and i see pkts encap and decap, but dont see anything in the logs for the source IP from the 3rd party, any ideas on this

Thanks guys

Re: FTD ICMP question

Rob Ingram — Fri, 07 Jun 2024 11:32:16 GMT

@N3om run packet tracer to simulate the traffic flow, this might reveal where the issue is, NAT rule or ACL.

Or use the command "system support firewall-engine-debug" from the CLI of the FTD to capture real traffic (apply a filter to match specific traffic), this will confirm which rule traffic matches.

Re: FTD ICMP question

MHM Cisco World — Fri, 07 Jun 2024 14:08:03 GMT

You use sysop vpn permit?

If yes then you will not see log in evebt log

You need to remove it and add ACL permit ip any any to make FTD detect the traffic and generate log

MHM

Re: FTD ICMP question

N3om — Fri, 07 Jun 2024 18:43:53 GMT

@MHM Cisco World

sysopt is a global setting so cant change for one VPN

Re: FTD ICMP question

N3om — Fri, 07 Jun 2024 18:52:26 GMT

@Rob Ingram

I see nothing when I run system support firewall-engine-debug, when I run packet tracer everything allowed, correct acl,nat etc, but it does say ipsec spoof detected which i have seen before on other vpns I dont think this is the issue do you ??

Re: FTD ICMP question

MHM Cisco World — Fri, 07 Jun 2024 19:29:53 GMT

In ASA it true but for ftd you can bypass or not the ACL for each s2s VPN

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html

Anyway' since sysop is run then the traffic bypass the ACL and no log you see.

MHM

Re: FTD ICMP question

Rob Ingram — Sat, 08 Jun 2024 06:36:18 GMT

actually "sysopt connection permit-vpn" is global, not per S2SVPN, despite what the FMC says, there is an open enhancement for this. Regardless, bypassing the ACL is not really a recommended solution nowadays, it's much better to define rules to permit the traffic.

@N3om if nothing is displayed when using the command "support firewall-engine-debug" either no traffic was sent (you need to generate it) or the filter was incorrect. Please provide the output of packet-tracer.

Re: FTD ICMP question

N3om — Mon, 10 Jun 2024 11:26:50 GMT

@Rob Ingram

Sent the requested

Thanks

Re: FTD ICMP question

MHM Cisco World — Thu, 13 Jun 2024 10:36:50 GMT

Sorry what was issue and what is solution of it?

MHM

Re: FTD ICMP question

N3om — Thu, 13 Jun 2024 10:44:40 GMT

@MHM Cisco World
Internal Routing issue which was a question asked by @Rob Ingram in DM after checking over IPSEC SA output.
Thanks

Re: FTD ICMP question

MHM Cisco World — Thu, 13 Jun 2024 10:58:17 GMT

And now you see it log after correct routing?

MHM