Solved: FTD ICMP question

N3om · ‎06-06-2024

Hi

To allow icmp to traverse a site to site VPN between 3rd party and us is it just the same as allowing TCP/UDP

or do I have to do something different? I have created a static uni-directional identity nat rule also the traffic is to be initiated from 3rd party to us on ICMP

Thanks

Rob Ingram · ‎06-07-2024

actually "sysopt connection permit-vpn" is global, not per S2SVPN, despite what the FMC says, there is an open enhancement for this. Regardless, bypassing the ACL is not really a recommended solution nowadays, it's much better to define rules to permit the traffic.

@N3om if nothing is displayed when using the command "support firewall-engine-debug" either no traffic was sent (you need to generate it) or the filter was incorrect. Please provide the output of packet-tracer.

View solution in original post

Rob Ingram · ‎06-06-2024

@N3om In addition to the NAT exemption rule. The VPN topology needs to allow the traffic between the local/remote networks to establish the VPN tunnel and you need to configure the Access Control rules to explictly permit the ICMP traffic (and anything else).

Marius Gunnerud · ‎06-06-2024

Given that the VPN is setup correctly (i.e. Site to site is up, interesting traffic and NAT are defined correctly), then you only need to allow the traffic in the access rules (that is if you are NOT bypassing the outside interface ACL for VPN traffic).

Other consideration if it is still not working is that the remote side also needs to allow for ICMP in the required direction (source --> destination).

--
Please remember to select a correct answer and rate helpful posts

N3om · ‎06-07-2024

The VPN looks ok I see the correct SA's funny thing is I see the NAT rule counters incrementing and i see pkts encap and decap, but dont see anything in the logs for the source IP from the 3rd party, any ideas on this

Thanks guys

Rob Ingram · ‎06-07-2024

@N3om run packet tracer to simulate the traffic flow, this might reveal where the issue is, NAT rule or ACL.

Or use the command "system support firewall-engine-debug" from the CLI of the FTD to capture real traffic (apply a filter to match specific traffic), this will confirm which rule traffic matches.

N3om · ‎06-07-2024

@Rob Ingram

I see nothing when I run system support firewall-engine-debug, when I run packet tracer everything allowed, correct acl,nat etc, but it does say ipsec spoof detected which i have seen before on other vpns I dont think this is the issue do you ??

MHM Cisco World · ‎06-07-2024

You use sysop vpn permit?

If yes then you will not see log in evebt log

You need to remove it and add ACL permit ip any any to make FTD detect the traffic and generate log

MHM

N3om · ‎06-07-2024

@MHM Cisco World

sysopt is a global setting so cant change for one VPN

MHM Cisco World · ‎06-07-2024

In ASA it true but for ftd you can bypass or not the ACL for each s2s VPN

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html

Anyway' since sysop is run then the traffic bypass the ACL and no log you see.

MHM

Rob Ingram · ‎06-07-2024

actually "sysopt connection permit-vpn" is global, not per S2SVPN, despite what the FMC says, there is an open enhancement for this. Regardless, bypassing the ACL is not really a recommended solution nowadays, it's much better to define rules to permit the traffic.

@N3om if nothing is displayed when using the command "support firewall-engine-debug" either no traffic was sent (you need to generate it) or the filter was incorrect. Please provide the output of packet-tracer.

N3om · ‎06-10-2024

@Rob Ingram

Sent the requested

Thanks

MHM Cisco World · ‎06-13-2024

Sorry what was issue and what is solution of it?

MHM

N3om · ‎06-13-2024

@MHM Cisco World
Internal Routing issue which was a question asked by @Rob Ingram in DM after checking over IPSEC SA output.
Thanks

MHM Cisco World · ‎06-13-2024

And now you see it log after correct routing?

MHM