08-26-2020 09:09 AM
Hi
We have several site-to-site VPNs on our new FTD devices. I have noticed that if traffic (DNS) originates from the remote 3rd-party side of the VPN it gets blocked, e.g. servers on the remote end need to hit our DCs, so the servers are initiating the request. I thought all traffic would be allowed bidirectionally through the tunnel? I had to explicitly allow it on the Outside interface. Does anyone know why this happens?
Thank you
08-26-2020 09:21 AM
08-26-2020 10:39 AM
Hi Rob
Yes, 3rd parties do access our network on the ASAs, and no, we didn't have to explicitly permit on Outside.
Thanks
08-26-2020 10:45 AM
08-27-2020 04:07 AM
Hi Rob
As requested, I have obviously obfuscated elements (see attached).
Here is a summary:
Step 1. User launches an application which is hosted at the 3rd-party location across the site-to-site.
Step 2. The 3rd-party server needs to talk to a server on our side for authentication to complete.
What I could see was traffic (DNS) being blocked, and I had to explicitly allow this traffic on the Outside interface, whereas with the ASA we don't; everything is allowed in both directions through the tunnel. Hope this helps.
Appreciated
08-27-2020 04:08 AM
08-27-2020 04:39 AM
Hi,
So you are only permitting traffic initiated from inside to outside. Yes, the return traffic will be permitted... but if the remote site initiated the traffic then you do not have a rule for this. You will need to specifically define rules sourced from outside to destination inside.
HTH
08-27-2020 06:03 AM
Hi Rob
Thanks again for the info, so it's FTD behaviour then, as we don't have to do this on our ASA?
08-27-2020 06:09 AM
On FTD, decrypted traffic is subjected to the Access Control Policy by default. This was not the case on ASA; you probably have the command "no sysopt connection permit-vpn" configured on the ASA.
HTH
08-27-2020 01:46 PM
Hi Rob
So are you saying that any traffic that comes through the tunnel and is initiated by the 3rd party will need an explicit ACP entry on the Outside interface, so through the tunnel, decrypted, then interface check?
Thanks
08-27-2020 01:52 PM
Correct, you would need an explicit ACP rule from 3rd party on "outside" interface to "inside" for when the 3rd party initiates the connection.
You are currently only permitting traffic when initiated from your side of the VPN, the return traffic from the 3rd party will be permitted because the firewall is stateful.
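To illustrate the behaviour described in this answer, here is a small Python model (an added example, not Cisco code or anything from the FTD itself) of a stateful firewall that evaluates decrypted VPN traffic against zone-based ACP rules. The zone names, rule fields and the sample addresses are assumptions for illustration only.

```python
"""Toy model of the FTD behaviour discussed in this thread (added example,
not Cisco code): decrypted VPN traffic is evaluated against the Access
Control Policy on the interface it arrives on, and only the *first* packet
of a flow needs a matching rule; reply packets ride on the connection table.
Zone names, rule fields and sample flows are assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    action: str = "allow"


@dataclass
class StatefulFirewall:
    rules: list
    conns: set = field(default_factory=set)  # 5-tuples of permitted flows

    def packet(self, in_zone, out_zone, proto, src, sport, dst, dport):
        # 1. Reply to an established flow: permitted by state, no ACP lookup.
        if (proto, dst, dport, src, sport) in self.conns:
            return "allow (stateful reply)"
        # 2. New flow: first matching ACP rule decides; implicit deny otherwise.
        for r in self.rules:
            if (r.src_zone, r.dst_zone, r.proto, r.dst_port) == (in_zone, out_zone, proto, dport):
                if r.action == "allow":
                    self.conns.add((proto, src, sport, dst, dport))
                return f"{r.action} (rule {in_zone}->{out_zone}/{proto}:{dport})"
        return "deny (no matching ACP rule)"


# Assumed policies: the thread's original (inside-initiated only) and the fix.
ORIGINAL_POLICY = [Rule("inside", "outside", "udp", 53)]
FIXED_POLICY = ORIGINAL_POLICY + [Rule("outside", "inside", "udp", 53)]


def run_scenario(rules):
    """Return the verdicts for (DC query, its reply, 3rd-party-initiated DNS)."""
    fw = StatefulFirewall(list(rules))
    # Flow A: our DC (constructed 10.1.1.10) queries a 3rd-party DNS server.
    a1 = fw.packet("inside", "outside", "udp", "10.1.1.10", 40000, "192.0.2.53", 53)
    a2 = fw.packet("outside", "inside", "udp", "192.0.2.53", 53, "10.1.1.10", 40000)
    # Flow B: a 3rd-party server initiates DNS to our DC (the thread's case).
    b1 = fw.packet("outside", "inside", "udp", "192.0.2.20", 51000, "10.1.1.10", 53)
    return a1, a2, b1


if __name__ == "__main__":
    print("original policy:", run_scenario(ORIGINAL_POLICY))
    print("fixed policy:   ", run_scenario(FIXED_POLICY))
```

With the original policy the reply to our own query is allowed by state while the remote-initiated query is dropped; only the explicit outside-to-inside rule changes that.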