FTD VPN Issue

N3om
Level 1

Hi Guys

So we have an already working Site to Site VPN on our FTD. I have run into an issue with the FTD: I have added a couple of IP addresses in the config and added an ACL allowing RDP, and also used the same NAT rule as the working IPs. When I run packet tracer it says VPN Block, but when I look at the connections while running packet tracer it shows the traffic blocked. Any idea why the ACL in the packet tracer is Allow, but in the connection logs it is blocking, and VPN says Block in packet tracer?

Thanks

10 Replies

balaji.bandi
Hall of Fame

You need to show us some screenshots to understand. Other than the newly added ACL and NAT, did you have anything working before?

If this is an S2S VPN, the other side should also have the same kind of rule to let the traffic in.

Packet tracer is just to see the flows; have you tried in real time to access RDP from or to the clients?

 

BB


Can I see the packet-tracer you used and its result?

MHM


> packet-tracer input INSIDE tcp 10.90.90.45 34654 172.16.105.137 3389

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INTERNET,INSIDE) source static Cloud-External-PRI Cloud-External-PRI destination static Cloud-Group Cloud-Group
Additional Information:
NAT divert to egress interface INTERNET(vrfid:0)
Untranslate 172.16.105.137/3389 to 172.16.105.137/3389

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any ifc INTERNET any rule-id 268446727
access-list CSM_FW_ACL_ remark rule-id 268446727: ACCESS POLICY: ACCESS_CONTROL_POLICY - Mandatory
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INTERNET,INSIDE) source static Cloud-External-PRI Cloud-External-PRI destination static Cloud-Group Cloud-Group
Additional Information:
Static translate 10.90.90.45/34654 to 10.90.90.45/34654

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: INSIDE(vrfid:0)
input-status: up
input-line-status: up
output-interface: INTERNET(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaada3b8e8 flow (NA)/NA
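An added example (my own code, not from the thread, the poster, or Cisco): a small Python parser for the packet-tracer output format quoted above. It splits the trace into its numbered phases, reads the final Action and Drop-reason, and reports which phase dropped the flow next to the ACCESS-LIST verdict. Run on the excerpt embedded below (a constructed sample taken from the posted output), it isolates what the question is about: the access control phase is ALLOW while the drop is recorded in the VPN encrypt phase. The `note` text is my own reading of such a result, not something the thread states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the packet-tracer output posted in the
# thread (phases 2 and 8 plus the final Result block, values as posted).
SAMPLE = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any ifc INTERNET any rule-id 268446727
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: INSIDE(vrfid:0)
output-interface: INTERNET(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaada3b8e8 flow (NA)/NA
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_packet_tracer(text):
    """Split packet-tracer output into numbered phases and the final Result block."""
    phases, final, current, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:                              # "Phase: N" starts a new phase
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
        elif line == "Result:":            # bare "Result:" opens the final verdict block
            current, section = None, "final"
        elif current is not None:
            key, _, value = line.partition(":")
            if key in ("Type", "Subtype", "Result") and section is None:
                setattr(current, key.lower(), value.strip())
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section == "config":
                current.config.append(line)
            elif section == "info":
                current.info.append(line)
        elif section == "final":           # "key: value" lines of the verdict block
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
    return phases, final


def explain_verdict(text):
    """Report where packet-tracer stopped the flow and what the access policy said."""
    phases, final = parse_packet_tracer(text)
    acl = next((p for p in phases if p.type == "ACCESS-LIST"), None)
    dropping = next((p for p in phases if p.result.upper() == "DROP"), None)
    m = re.match(r"\(([^)]+)\)", final.get("Drop-reason", ""))  # e.g. "(acl-drop) ..."
    report = {
        "action": final.get("Action"),
        "drop_reason_code": m.group(1) if m else None,
        "dropping_phase": (f"{dropping.number} {dropping.type}/{dropping.subtype}".rstrip("/")
                           if dropping else None),
        "acl_result": acl.result if acl else None,
    }
    # My own interpretation aid (an assumption, not from the thread): an ALLOW in the
    # ACCESS-LIST phase followed by a DROP in the VPN phase means the access control
    # policy is not the rule blocking this flow.
    if dropping and dropping.type == "VPN" and report["acl_result"] == "ALLOW":
        report["note"] = ("Access control policy permits the flow; the drop comes from the "
                          "VPN stage, so compare the source/destination pair against the "
                          "site-to-site topology's protected networks and any VPN filter")
    else:
        report["note"] = "Inspect the Config lines of the dropping phase"
    return report


if __name__ == "__main__":
    for key, value in explain_verdict(SAMPLE).items():
        print(f"{key}: {value}")
```

Paste any full packet-tracer output into `SAMPLE` (or read it from a file) and the report names the dropping phase directly, which is quicker than scanning eight phases by eye when a trace is long.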

Do the packet tracer again and share the result.

Also, can I see the NAT you use? Why don't you use inside as the source interface?

MHM

The NAT is bidirectional; the rule states INTERNET-INSIDE.

Yes, I know that's how you configured it.

Is it auto or manual NAT?

MHM

Manual NAT

 

Do packet tracer again and share the result.

With 

Debug crypto isakmp 127 

If you run IKEv1 

MHM

It's IKEv2

Debug crypto ikev2 protocol 9

MHM
