Site-to-Site tunnel from onprem firepower and firepower in Azure

isoto
Level 1

Hello everyone,

I am trying to set up a site-to-site tunnel to connect a physical on-prem Cisco Firepower to a virtual Cisco Firepower in Azure. I have tried sooo much and can't get it to work. I have configured the interfaces, attaching a public IP address to the outside interface GigabitEthernet0/0. I've also tried some static routes. Does anyone have any experience with this?


I can ping the internet from the Azure firewall


9 Replies

balaji.bandi
Hall of Fame

Do you have reachability between the on-prem FTD and the Azure FTD?

Check the thread below: enable debug and check.

https://community.cisco.com/t5/vpn/azure-s2s-vpn-with-firepower-fmc-ftd/td-p/3353513

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

isoto
Level 1

I have no reachability. The Azure firewall is pingable, but from what I can see, traffic is not routed from the attached public IP address to the local address on the interface. The site-to-site configuration on both sides is set up identically with protocol and PSK, but no connection is established.

isoto
Level 1

If I try to make a tunnel to an "Azure Virtual Gateway" I get the connection, but the routing isn't correct. But if I try to set up a tunnel to the firewall's PIP directly, it does not work.

Marvin Rhoads
Hall of Fame

Is there an Azure NSG in front of your Azure firewall? If so, you must allow all IP traffic to the firewall's outside address. An NSG doesn't have the fine-grained control to only allow the required ESP (protocol 50) and udp/500 and udp/4500 ports.

Sorry, my original reply was incorrect. Yes, there is an NSG and it has both 500 and 4500 allowed inbound. I will add 50 to the inbound.

---Note---

I added 50 and still no luck.


Marvin Rhoads
Hall of Fame

It's IP protocol 50 (IPsec Encapsulating Security Payload or ESP) - not a UDP (or TCP) port that's required.

Last I checked, NSGs don't allow you to select the IP protocols allowed (apart from udp (protocol 17) and tcp (protocol 6)), so we need to allow all incoming traffic to the firewall.

isoto
Level 1

I actually opened it up to "any" and am still not getting the site-to-site to establish a connection. I run show crypto isakmp sa and see no connection.

Do you see the connection being attempted when interesting traffic is presented to the firewall at one end? For example, does a packet capture filtered on the remote site firewall's address show it trying to set up the VPN?
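The capture check suggested above can be made systematic: take a capture on the Azure FTD's outside interface filtered on the on-prem peer's address, then classify what arrives and what leaves (IKE on udp/500, NAT-T on udp/4500, ESP as IP protocol 50). This is an added example, not code from the thread or from Cisco; the addresses, the tcpdump-style lines and the verdict names are constructed placeholders.

```python
# Added example, not from the thread; addresses and capture lines are constructed placeholders.
import re
from collections import Counter
LOCAL_OUTSIDE = "203.0.113.10"  # placeholder: Azure FTD outside (public) IP
REMOTE_PEER = "198.51.100.20"   # placeholder: on-prem FTD outside IP
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
UDP_RE = re.compile(IPV4 + r"\.(\d+) > " + IPV4 + r"\.(\d+): ")
ESP_RE = re.compile(IPV4 + r" > " + IPV4 + r": ESP\(")

def classify(line):
    """Return (src, dst, kind) with kind ike / nat-t / esp, or None for other traffic."""
    m = ESP_RE.search(line)
    if m:
        return m.group(1), m.group(2), "esp"
    m = UDP_RE.search(line)
    if m:
        src, sport, dst, dport = m.groups()
        if "500" in (sport, dport):
            return src, dst, "ike"
        if "4500" in (sport, dport):  # NAT-T: IKE or UDP-encapsulated ESP
            return src, dst, "nat-t"
    return None

def triage(lines, local=LOCAL_OUTSIDE, peer=REMOTE_PEER):
    """Count packets by direction and kind; return (counts, verdict)."""
    counts = Counter()
    for src, dst, kind in filter(None, map(classify, lines)):
        if (src, dst) == (peer, local):
            counts["in_" + kind] += 1
        elif (src, dst) == (local, peer):
            counts["out_" + kind] += 1
    ike_in = counts["in_ike"] + counts["in_nat-t"]
    ike_out = counts["out_ike"] + counts["out_nat-t"]
    if not ike_in and not ike_out:
        verdict = "no-ike"  # peer never reaches the outside address: routing, NAT, PIP
    elif not ike_out:
        verdict = "ike-unanswered"  # IKE arrives, we never reply: inbound filter or policy
    elif not ike_in:
        verdict = "no-peer-reply"  # we initiate, peer never answers: remote side or filter
    elif counts["out_esp"] and not counts["in_esp"]:
        verdict = "esp-blocked-inbound"  # IKE fine, IP protocol 50 only leaves, never arrives
    else:
        verdict = "ok"
    return dict(counts), verdict

# Constructed capture: IKE negotiates, ESP leaves, but no ESP ever comes back.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[I]",
    "12:00:01.000120 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[R]",
    "12:00:02.000000 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 132",
]
```

Feed it the text output of a capture filtered on the peer address; a "no-ike" verdict points at the PIP/routing problem described earlier in the thread, while "esp-blocked-inbound" points at the inbound protocol 50 filter.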

manofsteel03
Level 1

Have you enabled additional syslog IDs like the ones below on the Firepower to capture additional information to help further troubleshoot the issue?

750003
750002
713050
713259
713123
713019
713119
713120
113019
402116
