topic Re: POLICY-BASED ROUTING- FTD in Network Security

POLICY-BASED ROUTING- FTD

fmugambi — Wed, 23 Apr 2025 15:52:09 GMT

Hello Team,
I have topology as attached,

I have introduced another interface on the ftd [172.16.40.25] . this is where have configured the new tunnel to the branch site.

on the asa have natted 41.206.58.2> 172.16.40.25 on 4500/500 services.

i then use the asa outside interface as peer on the branch site, ideally doing port-forwarding.

the challenge is the branch site vpn only comes up when i ammend the default route to 0.0.0.0/0 172.16.40.29, which is not what i want. i want the default route remain 0.0.0.0/0 102.6.239.9 , then have a policy-route for remote branch traffic/ response to the branch peer, for the vpn tunnel to come up.

when i capture traffic from branch office on the asa, am able to see traffic , but no response traffic from ftd.

i have created a pbr on ftd saying traffic destined for branch office with source as ftd [172.16.40.25] be sent to next hop 172.16.40.29.

but using capture i see this traffic trying to flow over the dmz-ipsec zone.

what could i be missing.

Thank you in advance.

Re: POLICY-BASED ROUTING- FTD

Rob Ingram — Wed, 23 Apr 2025 18:04:41 GMT

@fmugambi what have you configured, can you provide screenshots.

Run packet-tracer from the CLI to simulate the traffic flow, it will show all the steps and indicate where the issue is.

Check your NAT configuration to ensure traffic is not unintentially translated. The packet-tracer output would confirm which NAT rule traffic matched (if any).

Re: POLICY-BASED ROUTING- FTD

fmugambi — Thu, 24 Apr 2025 05:21:14 GMT

ICOLO-FTDv# packet-tracer input Icolo_to_GCP udp 172.16.40.25 500 34.242.85.1 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 40140 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14c15c128f90, priority=1, domain=permit, deny=false
hits=1046943, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Icolo_to_GCP, output_ifc=any

Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Elapsed time: 76266 ns
Config:
route-map FMC_GENERATED_PBR_1744811918364 permit 5
match ip address FTDv-To-GCP
set ip next-hop 172.16.40.29
Additional Information:
Matched route-map FMC_GENERATED_PBR_1744811918364, sequence 5, permit
Found next-hop 172.16.40.29 using egress ifc Icolo_to_GCP

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 21742 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14c15c138a30, priority=501, domain=permit, deny=true
hits=3066, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.16.40.25, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Icolo_to_GCP(vrfid:0), output_ifc=any

Result:
input-interface: Icolo_to_GCP(vrfid:0)
input-status: up
input-line-status: up
output-interface: Icolo_to_GCP(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 138148 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000562c256fd518 flow (NA)/NA

Re: POLICY-BASED ROUTING- FTD

fmugambi — Mon, 28 Apr 2025 09:52:35 GMT

hello @Rob Ingram was this helpful?