cannot access secure web with site-to-site vpn

kenjitkc185 · ‎04-26-2018

Hi

I'm using Cisco FTD 2120 and managed by FMC. I have site-to-site VPN between two sites. Site A(10.60.76.0) is an HQ and Site B(192.168.1.0) is a branch. In Site B i can ssh to Site A server IP address 10.60.76.31 but i cannot access secure web server ip 10.60.76.31. how to i capture the packet to find out any drop in FTD? or anything i can do to trace or find out the packet had being dropped.

Thank you

Regards,

Kenji Tan

Dennis Mink · ‎04-26-2018

on your ftd go to analysis>connections>events and do a search based on initiator or responder IP

Please remember to rate useful posts, by clicking on the stars below.

kenjitkc185 · ‎04-26-2018

Hi Dennis

I put in initiator ip address 192.168.1.163 and responder ip address 10.60.76.31. There are no blocking between this two device but the page still not loaded. Any else to check.

Thank you

Dennis Mink · ‎04-26-2018

Ok so you know the tunnel is up, you see the remote traffic coming in. I d spin up wireshark on your webserver or run a tcpdump other wise and see if the traffic is actually reaching the web server on port 443

Please remember to rate useful posts, by clicking on the stars below.

Marius Gunnerud · ‎04-26-2018

Could also configure a debug or capture at the HQ to see if the traffic is leaving the inside interface.

FTD CLI issue the command system support firewall-engine-debug enter ther server IP and client IP leave the protocol blank unless you really need to be that specific. then run a test. and see if there is any output on the debug. You might be hitting a rule in Security Intelligence which will be shown here.

You can also go into system support diagnostic-cli and run a capture between the two IPs. This will not show the Snort actions as the debug command will.

--
Please remember to select a correct answer and rate helpful posts

kenjitkc185 · ‎04-26-2018

Hi

i issued the 'system support firewall-engine-debug' with server IP 10.60.76.31 and client IP 192.168.1.163 with protocol I leave it blank. I also ran the 'system support diagnostic-cli' with 'capture cap1 interface Internal match ip host 10.60.76.31 host 192.168.1.163'. I still not able to find out where the issue. the page is still not loaded in client machine 192.168.1.163.

Thanks

Marius Gunnerud · ‎04-26-2018

In the packet capture we see traffic flowing in both directs and nothing in the debug indicates a drop on the FTD either.

What is the URL you are trying to access the website with?

Are you able to access this URL from a PC on the same subnet as the webserver?

What device is used to terminate the VPN at the remote site?

--
Please remember to select a correct answer and rate helpful posts

kenjitkc185 · ‎04-26-2018

Hi

What is the URL you are trying to access the website with?

i'm using the ip address "https://10.60.76.31" which is a Cisco FMC using the browser (IE, chrome).

Are you able to access this URL from a PC on the same subnet as the webserver?

i have no issue to access from Server "10.60.76.28" to the Cisco FMC "10.60.76.31"

What device is used to terminate the VPN at the remote site?

is a Watchguard M200

Thank

kenjitkc185 · ‎04-26-2018

Hi

I change the Default Action in Access Control to 'Intrusion Prevention: Connectivity Over Security' from 'Access Control: Block All Traffic'. after the changed secure webpage https://10.60.76.31 can be loaded in the client machine 192.168.1.163. how do i check from here if i would to use 'Access Control: Block All Traffic' as default Action.