cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
598
Views
7
Helpful
13
Replies

FTD ICMP question

N3om
Level 1
Level 1

Hi

To allow icmp to traverse a site to site VPN between 3rd party and us is it just the same as allowing TCP/UDP 

or do I have to do something different? I have created a static uni-directional identity nat rule also the traffic is to be initiated from 3rd party to us on ICMP

 

Thanks

1 Accepted Solution

Accepted Solutions

actually "sysopt connection permit-vpn" is global, not per S2SVPN, despite what the FMC says, there is an open enhancement for this. Regardless, bypassing the ACL is not really a recommended solution nowadays, it's much better to define rules to permit the traffic.

@N3om if nothing is displayed when using the command "support firewall-engine-debug" either no traffic was sent (you need to generate it) or the filter was incorrect. Please provide the output of packet-tracer.

View solution in original post

13 Replies 13

@N3om In addition to the NAT exemption rule. The VPN topology needs to allow the traffic between the local/remote networks to establish the VPN tunnel and you need to configure the Access Control rules to explictly permit the ICMP traffic (and anything else).

 

Given that the VPN is setup correctly (i.e. Site to site is up, interesting traffic and NAT are defined correctly), then you only need to allow the traffic in the access rules (that is if you are NOT bypassing the outside interface ACL for VPN traffic).

Other consideration if it is still not working is that the remote side also needs to allow for ICMP in the required direction (source --> destination).

--
Please remember to select a correct answer and rate helpful posts

The VPN looks ok I see the correct SA's funny thing is I see the NAT rule counters incrementing and i see pkts encap and decap, but dont see anything in the logs for the source IP from the 3rd party, any ideas on this

Thanks guys

@N3om run packet tracer to simulate the traffic flow, this might reveal where the issue is, NAT rule or ACL.

Or use the command "system support firewall-engine-debug" from the CLI of the FTD to capture real traffic (apply a filter to match specific traffic), this will confirm which rule traffic matches.

@Rob Ingram 

I see nothing when I run system support firewall-engine-debug, when I run packet tracer everything allowed, correct acl,nat etc, but it does say ipsec spoof detected which i have seen before on other vpns I dont think this is the issue do you ??

You use sysop vpn permit?

If yes then you will not see log in evebt log 

You need to remove it and add ACL permit ip any any to make FTD detect the traffic and generate log

MHM

@MHM Cisco World 

sysopt is a global setting so cant change for one VPN

In ASA it true but for ftd you can bypass or not the ACL for each s2s VPN

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html

Anyway' since sysop is run then the traffic bypass the ACL and no log you see.

MHM

actually "sysopt connection permit-vpn" is global, not per S2SVPN, despite what the FMC says, there is an open enhancement for this. Regardless, bypassing the ACL is not really a recommended solution nowadays, it's much better to define rules to permit the traffic.

@N3om if nothing is displayed when using the command "support firewall-engine-debug" either no traffic was sent (you need to generate it) or the filter was incorrect. Please provide the output of packet-tracer.

@Rob Ingram 

Sent the requested

Thanks

Sorry what was issue and what is solution of it?

MHM

@MHM Cisco World 
Internal Routing issue which was a question asked by @Rob Ingram in DM after checking over IPSEC SA output.
Thanks

And now you see it log after correct routing? 

MHM

Review Cisco Networking for a $25 gift card