FTD 2130 Blocking Inbound SSL Traffic Passing thru to an Internal ASA

Replacing a customer's enterprise ASA with FirePOWER Services firewall with a new 2130 FTD. The current FW is configured to allow SSL/AnyConnect traffic inbound from the Outside interface to pass through to an internal ASA headend. This has been working fine for years. As an aside, we have a static public NAT configured on the FTD for the internal ASA.

Replicated the same config, as close as possible, on the new 2130 FTD, but the FTD seems to block the traffic. Not seeing anything in the FTD logs. However, when the traffic is configured for Fastpath, it still seems to be blocked but now shows up in the FTD logs.

Any idea what config knob we might need to tweak to get around this and allow the AnyConnect traffic to work?

Thanks for any guidance.


3 Replies

@PatrickCavell85782 If using SSL/TLS, AnyConnect would need TCP/443 and UDP/443; if using IPsec, UDP/500 and UDP/4500 would need to be permitted on the FTD.

On the FTD (in front of the ASA), from the CLI run the command system support firewall-engine-debug, filter on the source IP or destination IP address (of the ASA), and attempt to connect to the ASA using AnyConnect. This should tell you what rules are being hit (or not) - this should provide a clue.

You could also run packet-tracer from the CLI of the FTD to simulate the traffic flow to the ASA; this might provide a clue if there is an issue with the ACP rule or NAT.

I assume the FTD is set up with the correct routes and traffic is routed to the ASA and back?

Unfortunately that did not solve the problem. We are using SSL and had already included both TCP/443 and UDP/443 in the ACLs. Also ran the suggested debug and it is showing "allowed". Suspecting something going on in the Snort process.

Confirmed that routing to/from ASA is correct.

@PatrickCavell85782 And what about packet-tracer, did that confirm traffic hit the correct NAT rules etc.?

What about running a packet capture on the ASA behind the FTD, does it even see the incoming traffic?

If you are fastpathing the traffic, it would bypass Snort.

When you run the traffic through the ACP, if you saw nothing in the logs, did you have logging enabled at start of connection?
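The checks suggested in the two replies above (packet-tracer for both AnyConnect ports, the Snort-side debug, and captures on both boxes), written out as an added example; this is not from either poster. The interface names "outside"/"inside" and the addresses (client 198.51.100.25, FTD public NAT 203.0.113.10, internal ASA 10.10.10.5) are constructed placeholders to be replaced with the real values.

```text
! --- On the FTD CLI (LINA side) ---
! Placeholders (constructed): client 198.51.100.25, public NAT address
! 203.0.113.10, internal ASA 10.10.10.5, interfaces "outside" / "inside".
! SSL tunnel over TCP/443: read the NAT phase (untranslate to 10.10.10.5)
! and the ACCESS-LIST / SNORT phases and the final "Action" in the output.
packet-tracer input outside tcp 198.51.100.25 51000 203.0.113.10 443

! DTLS over UDP/443, the second flow AnyConnect opens over SSL.
packet-tracer input outside udp 198.51.100.25 51001 203.0.113.10 443

! Snort-side view of the same flow. The command is interactive and prompts
! for protocol, client/server IP and port; answer with the values above,
! then start an AnyConnect connection from the client and compare the rule
! and action it reports with what packet-tracer showed.
system support firewall-engine-debug

! Does the flow actually leave the inside interface toward the ASA?
capture ftd-in interface inside match tcp any host 10.10.10.5 eq 443
show capture ftd-in
no capture ftd-in

! --- On the internal ASA headend ---
! Does the ASA see the SYN at all, and does its SYN/ACK come back?
capture asa-out interface outside match tcp any host 10.10.10.5 eq 443
show capture asa-out
no capture asa-out
```

If packet-tracer and the debug both report Allow but the ASA-side capture shows no SYN, the problem is between the FTD's inside interface and the ASA (NAT untranslate or routing) rather than the ACP; if the SYN arrives but no SYN/ACK is seen on the FTD, look at the return path from the ASA.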
