topic Re: cannot access secure web with site-to-site vpn in Network Security

cannot access secure web with site-to-site vpn

kenjitkc185 — Fri, 21 Feb 2020 15:40:19 GMT

I'm using Cisco FTD 2120 and managed by FMC. I have site-to-site VPN between two sites. Site A(10.60.76.0) is an HQ and Site B(192.168.1.0) is a branch. In Site B i can ssh to Site A server IP address 10.60.76.31 but i cannot access secure web server ip 10.60.76.31. how to i capture the packet to find out any drop in FTD? or anything i can do to trace or find out the packet had being dropped.

Thank you

Regards,

Kenji Tan

Re: cannot access secure web with site-to-site vpn

Dennis Mink — Thu, 26 Apr 2018 08:28:18 GMT

on your ftd go to analysis>connections>events and do a search based on initiator or responder IP

Re: cannot access secure web with site-to-site vpn

kenjitkc185 — Thu, 26 Apr 2018 12:13:33 GMT

Hi Dennis

I put in initiator ip address 192.168.1.163 and responder ip address 10.60.76.31. There are no blocking between this two device but the page still not loaded. Any else to check.

Thank you

Re: cannot access secure web with site-to-site vpn

Dennis Mink — Thu, 26 Apr 2018 12:51:29 GMT

Ok so you know the tunnel is up, you see the remote traffic coming in. I d spin up wireshark on your webserver or run a tcpdump other wise and see if the traffic is actually reaching the web server on port 443

Re: cannot access secure web with site-to-site vpn

Marius Gunnerud — Thu, 26 Apr 2018 19:58:05 GMT

Could also configure a debug or capture at the HQ to see if the traffic is leaving the inside interface.

FTD CLI issue the command system support firewall-engine-debug enter ther server IP and client IP leave the protocol blank unless you really need to be that specific. then run a test. and see if there is any output on the debug. You might be hitting a rule in Security Intelligence which will be shown here.

You can also go into system support diagnostic-cli and run a capture between the two IPs. This will not show the Snort actions as the debug command will.

Re: cannot access secure web with site-to-site vpn

kenjitkc185 — Fri, 27 Apr 2018 05:13:18 GMT

i issued the 'system support firewall-engine-debug' with server IP 10.60.76.31 and client IP 192.168.1.163 with protocol I leave it blank. I also ran the 'system support diagnostic-cli' with 'capture cap1 interface Internal match ip host 10.60.76.31 host 192.168.1.163'. I still not able to find out where the issue. the page is still not loaded in client machine 192.168.1.163.

Thanks

Re: cannot access secure web with site-to-site vpn

Marius Gunnerud — Fri, 27 Apr 2018 06:25:56 GMT

In the packet capture we see traffic flowing in both directs and nothing in the debug indicates a drop on the FTD either.

What is the URL you are trying to access the website with?

Are you able to access this URL from a PC on the same subnet as the webserver?

What device is used to terminate the VPN at the remote site?

Re: cannot access secure web with site-to-site vpn

kenjitkc185 — Fri, 27 Apr 2018 06:49:27 GMT

What is the URL you are trying to access the website with?

i'm using the ip address "https://10.60.76.31" which is a Cisco FMC using the browser (IE, chrome).

Are you able to access this URL from a PC on the same subnet as the webserver?

i have no issue to access from Server "10.60.76.28" to the Cisco FMC "10.60.76.31"

What device is used to terminate the VPN at the remote site?

is a Watchguard M200

Thank

Re: cannot access secure web with site-to-site vpn

kenjitkc185 — Fri, 27 Apr 2018 06:59:52 GMT

I change the Default Action in Access Control to 'Intrusion Prevention: Connectivity Over Security' from 'Access Control: Block All Traffic'. after the changed secure webpage https://10.60.76.31 can be loaded in the client machine 192.168.1.163. how do i check from here if i would to use 'Access Control: Block All Traffic' as default Action.