06-06-2024 12:57 PM
Hi
To allow ICMP to traverse a site-to-site VPN between a 3rd party and us, is it just the same as allowing TCP/UDP,
or do I have to do something different? I have created a static uni-directional identity NAT rule; also, the traffic is to be initiated from the 3rd party to us on ICMP.
Thanks
06-06-2024 01:52 PM
@N3om In addition to the NAT exemption rule, the VPN topology needs to allow the traffic between the local/remote networks to establish the VPN tunnel, and you need to configure the Access Control rules to explicitly permit the ICMP traffic (and anything else).
06-06-2024 06:55 PM
Given that the VPN is set up correctly (i.e. the site-to-site tunnel is up, and interesting traffic and NAT are defined correctly), then you only need to allow the traffic in the access rules (that is, if you are NOT bypassing the outside interface ACL for VPN traffic).
Another consideration, if it is still not working, is that the remote side also needs to allow ICMP in the required direction (source --> destination).
06-07-2024 04:28 AM
The VPN looks OK; I see the correct SAs. The funny thing is I see the NAT rule counters incrementing and I see pkts encap and decap, but I don't see anything in the logs for the source IP from the 3rd party. Any ideas on this?
Thanks guys
06-07-2024 04:32 AM
@N3om run packet tracer to simulate the traffic flow, this might reveal where the issue is, NAT rule or ACL.
Or use the command "system support firewall-engine-debug" from the CLI of the FTD to capture real traffic (apply a filter to match specific traffic), this will confirm which rule traffic matches.
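The checks described in the post above, written out as an added example of Cisco FTD CLI commands (not commands from the original thread). The interface name "outside", the third-party host 203.0.113.10, the internal host 10.10.10.5 and the peer address 198.51.100.1 are assumed placeholders; substitute the real values. The firewall-engine-debug prompts are shown as comments for illustration.

```cisco
! Added example, not from the thread. Assumed values: interface "outside",
! third-party host 203.0.113.10, internal host 10.10.10.5, VPN peer 198.51.100.1.

! 1. Simulate an ICMP echo request (type 8, code 0) from the third party as it
!    would arrive on the outside interface. "detailed" prints every phase
!    (route lookup, ACL, NAT, VPN) and the rule each phase matched.
!    Expect an "IPSEC spoof detected" phase here: the simulated packet is
!    injected in clear text on outside, not delivered through the tunnel, so
!    that check fires in the simulation even when the real flow is fine.
packet-tracer input outside icmp 203.0.113.10 8 0 10.10.10.5 detailed

! 2. Watch real traffic in the Snort engine. The command is interactive; the
!    filter below (answers shown as comments) restricts it to the third-party
!    source. Generate pings from the remote side while it runs. No output means
!    no packet matched the filter, or no traffic reached the engine.
system support firewall-engine-debug
!   Please specify an IP protocol: icmp
!   Please specify a client IP address: 203.0.113.10
!   Please specify a server IP address: 10.10.10.5

! 3. Confirm whether VPN traffic bypasses the interface ACL (global setting).
!    If "sysopt connection permit-vpn" is present, the ACL is skipped and no
!    connection event is logged for the flow.
show running-config all sysopt

! 4. Confirm the NAT exemption is being hit and the SA is carrying the traffic
!    (encaps/decaps counters should increment while pings run).
show nat detail
show crypto ipsec sa peer 198.51.100.1

! 5. Capture decrypted packets on the inside interface. Echo requests present
!    but no replies back means the inside host (or the internal routing back
!    to the firewall) is the problem, not the VPN, NAT or ACL.
capture icmp_in interface inside match icmp host 203.0.113.10 host 10.10.10.5
show capture icmp_in
show route 10.10.10.5
no capture icmp_in
```

Run step 1 first, because it is the only check that does not need the third party to send traffic; steps 2, 4 and 5 require live pings from the remote side to show anything.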
06-07-2024 11:52 AM
I see nothing when I run system support firewall-engine-debug. When I run packet tracer, everything is allowed (correct ACL, NAT, etc.), but it does say "ipsec spoof detected", which I have seen before on other VPNs. I don't think this is the issue, do you?
06-07-2024 07:08 AM
Do you use sysopt vpn permit?
If yes, then you will not see a log in the event log.
You need to remove it and add an ACL permit ip any any to make the FTD detect the traffic and generate a log.
MHM
06-07-2024 11:43 AM
sysopt is a global setting, so it can't be changed for one VPN.
06-07-2024 12:29 PM
In ASA that's true, but for FTD you can choose to bypass the ACL or not for each S2S VPN.
Anyway, since sysopt is in effect, the traffic bypasses the ACL and you see no log.
MHM
06-07-2024 11:36 PM
actually "sysopt connection permit-vpn" is global, not per S2SVPN, despite what the FMC says, there is an open enhancement for this. Regardless, bypassing the ACL is not really a recommended solution nowadays, it's much better to define rules to permit the traffic.
@N3om if nothing is displayed when using the command "support firewall-engine-debug" either no traffic was sent (you need to generate it) or the filter was incorrect. Please provide the output of packet-tracer.
06-13-2024 03:36 AM
Sorry what was issue and what is solution of it?
MHM
06-13-2024 03:44 AM
@MHM Cisco World
Internal routing issue, which was a question asked by @Rob Ingram in DM after checking over the IPsec SA output.
Thanks
06-13-2024 03:58 AM
And now you see the log after correcting the routing?
MHM