Cisco firepower site to site VPN

shaikh.zaid22
Level 1

Hi all,

I have a site to site VPN established between a Cisco FTD and a Fortinet firewall (in Azure).

I am facing an issue: traffic leaves the Fortinet firewall through the IPsec VPN tunnel interface; however, I am not seeing any traffic on the Firepower, and the NAT policy is not being hit either.

Server is in Azure --> source 192.168.0.10 --> dst 10.10.10.21 --> NAT in Cisco Firepower and ACL, then outside interface.

Need help

1 Accepted Solution

Hi Rob,

The issue got resolved. Actually, the IP address 192.168.0.10 was conflicting with one of the internal subnets on which a PBR is running. Hence, we have configured a NAT internally in Azure and brought the traffic to the FTD with another IP address range.
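A quick check for the root cause described in this answer, as an added example that is not part of the thread: it tests whether a VPN traffic selector overlaps an internal prefix (such as one under PBR) and whether a proposed replacement NAT range is clear. The selector 192.168.0.0/16 and host 192.168.0.10 come from the thread; the internal PBR subnet 192.168.0.0/24 and the replacement range 172.16.50.0/24 are assumed, since the post does not name them.

```python
import ipaddress

# Constructed inputs modelled on the thread. The remote selector is the one the
# poster added on the FTD; the internal PBR subnet is an assumption (the page
# never names it), chosen so that it contains the conflicting host 192.168.0.10.
REMOTE_SELECTORS = ["192.168.0.0/16"]                  # remote selector 192.168.0.0 255.255.0.0
INTERNAL_PREFIXES = ["10.241.53.0/24", "192.168.0.0/24"]  # 192.168.0.0/24 is the assumed PBR subnet


def selector_conflicts(selectors, internal_prefixes):
    """Return (selector, internal_prefix) pairs whose address ranges overlap.

    An overlap means a packet arriving through the tunnel with a source in the
    selector can also match a local route or PBR entry for the internal prefix,
    so the reply (or the policy lookup itself) can be steered away from the
    tunnel and the NAT/ACL rules on the firewall never see the flow.
    """
    conflicts = []
    for s in selectors:
        sn = ipaddress.ip_network(s, strict=False)
        for p in internal_prefixes:
            pn = ipaddress.ip_network(p, strict=False)
            if sn.overlaps(pn):
                conflicts.append((str(sn), str(pn)))
    return conflicts


def host_in_conflict(host, selectors, internal_prefixes):
    """True when a specific peer host (e.g. the Azure server) sits inside an overlap."""
    h = ipaddress.ip_address(host)
    return any(
        h in ipaddress.ip_network(s) and h in ipaddress.ip_network(p)
        for s, p in selector_conflicts(selectors, internal_prefixes)
    )


def range_is_clear(candidate, internal_prefixes):
    """True when a proposed NAT range (the fix used in the thread) overlaps nothing internal."""
    return not selector_conflicts([candidate], internal_prefixes)


if __name__ == "__main__":
    print(selector_conflicts(REMOTE_SELECTORS, INTERNAL_PREFIXES))
    print(host_in_conflict("192.168.0.10", REMOTE_SELECTORS, INTERNAL_PREFIXES))
    print(range_is_clear("172.16.50.0/24", INTERNAL_PREFIXES))
```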

5 Replies

@shaikh.zaid22 is the VPN actually established? On the FTD run "show crypto ipsec sa" provide the output for review.

If the VPN is not established then run debugs and provide the output.

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

Provide screenshot of your ACP and VPN configuration on the firepower.

Thanks Rob,

Yes VPN is established since long, we have just added the new selector network on both sides.

The crypto ikev2 sa shows the tunnel is active and all selectors as well.

I don't know why packets are not coming in while I do a continuous capture in FMC.

@shaikh.zaid22 provide some information to help us troubleshoot.

What selectors did you add?

Did you amend the ACP to permit the traffic?

Run packet-tracer from the CLI to simulate the traffic flow, provide the output for review.

I added the selector below:

local selector 10.241.53.10 255.255.255.255

remote selector 192.168.0.0 255.255.0.0

NAT and ACL are configured.

The traffic flow is from (Fortinet in Azure 192.168.0.10 to 10.241.53.10) ---> (tunnel terminates on FTD, incoming traffic 192.168.0.10 ---> NATted to 10.94.61.35 ---> dst ip ---> 10.241.53.10), then the ACL allows any source to dst ip 10.241.53.10 on port 443.
