Cisco FTD Routing

jewell2j · ‎04-01-2021

Hi everybody! I'm trying to wrap my head around a network design shown in the attachment. Essentially, it will be hub and spoke utilizing the FP2100 platform funning FTD. I haven't used FTD before and I'm having trouble getting the 'Gray Site to Site VPN to establish. I've done this multiple times with various models from the ISR platform, but with FTD, I'm hitting a wall. Since it would seem that by design, the interfaces from inside to outside can't ping each other, I'm not sure how to troubleshoot this. I'm guessing the routing is the problem, but I'm not sure what I'm doing wrong. Any advice on how to get this to work would be greatly appreciated. Thanks for your time.

Rob Ingram · ‎04-01-2021

@jewell2j

You are correct, you cannot be connected to the inside interface and ping the outside interface of the same FTD.

Can you also expand on what is not working?

Marvin Rhoads · ‎04-01-2021

Similar logic to ASA and IOS-based VPNs applies.

1. Verify that the peers can communicate to each other. 10.10.3.2/30 to 10.10.3.42/30 in your case. Since you have hub and spoke firewall in between, verify that they aren;t doing any packet mangling or inspections that would prevent the necessary flows (at a minimum ESP and udp/500 and possibly udp/4500, recommend allowing icmp at least for troubleshooting)

2. Verify interesting traffic is being introduced at one end or the other to trigger VPN establishment. With FTD (and ASA) you can use packet-tracer command (normally from cli but it's also available as advanced troubleshooting tool under the device health monitor) to verify the flow matches what's desired.

3. Verify with show crypto xxx and debug commands the observed behavior (assuming #1 and #2 have checked out).

jewell2j · ‎04-02-2021

Thanks for some tips to get me started. I'll check this out and post the results. Much appreciated!

jewell2j · ‎04-07-2021

Okay, so the hub and spoke have been problematic using these firewalls. I disconnected the 'Gray VPN' devices from each side and connected laptops set with IPs for the outside interfaces, 10.10.3.2/30 and 10.10.3.42 for the respective hub and spoke sides. Connectivity to the next hop was fine. The laptop on the hub side with 3.2/30 address was able to ping the outside interface of the spoke a 1.90, but the same pink for the laptop on the spoke side with 3.42/30 address was not able to ping across to the 1.89 address. These are both 2100 series devices new from the box.

The routes I put are as follows:

HUB

route outside 10.10.3.40 255.255.255.252 10.10.1.90 1

SPOKE

route outside 10.10.3.0 255.255.255.252 10.10.1.89 1

If I remove the route from the spoke, the ping from the Hub laptop stops working. Add the route back, and the ping works.

However, the ping from the Spoke laptop never works. I'm not sure what I'm doing wrong. Any help please?

Marvin Rhoads · ‎04-09-2021

I would check a packet capture with trace on the Spoke Firepower 2110. The option to set that up can be found under the health monitor, advanced troubleshooting section of FMC.