1260 Views, 5 Helpful, 5 Replies

Transparent FTD inside GRE Tunnel

williaat0125 (Level 1)

We have an FPR 2110 (running version 7.0.1) managed by an FMC 1600, configured as:

Transparent mode; inline set for the inside and outside port. The GRE tunnel terminates on two L3 Cisco switches, so we are not trying to terminate a GRE tunnel on an FTD device (we know you can't do this). We chose transparent inline because it allowed for an easier connection without adding additional networks or reworking network addressing.

The FTD is on our edge. This is a private company network isolated from the internet (by design). We use EIGRP routing over GRE tunnels. Our zero clients in our LAN cannot connect to the remote Horizon server. When we fastpath the GRE tunnel traffic, everything works. However, this defeats the purpose of an edge IPS device. Also, our FTD is using Snort 3. We tried Snort 2 without any luck. We believe one or more Snort inspectors are dropping or altering the packets. We wiresharked the connection between the zero client and the connection server (Horizon). The TCP handshake works just fine, but we notice that something happens that prevents the conversation from going to TLS. The TCP conversation starts over and the process repeats with no connection. If we move the FTD out of the tunnel and connect a zero client directly to the FTD, the zero client connects with no problem. So our testing points at Snort. We think a Snort inspector is involved somehow. Any best practices or ideas for using an FTD inside a GRE tunnel as an edge IPS device?
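As an added example (not from this thread), the small Python parser below strips the outer IPv4 and GRE headers from a tunnel packet and reports the inner TCP flow and whether its payload begins a TLS handshake record, which is the kind of check you would run on captures taken on either side of the inline set to see where the inner conversation stops. Addresses, ports and the GRE key in the sample packet are constructed, and the GRE header length handling follows the C, K and S flag bits of RFC 2784/2890.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO, TCP_PROTO, ETHERTYPE_IPV4 = 47, 6, 0x0800

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; enough for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(buf):
    """Return (proto, src, dst, header_len) from an IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), ihl

def gre_header_len(gre):
    """Base GRE header is 4 bytes; the C, K and S flag bits each add 4 more."""
    flags = gre[0]
    return 4 + 4 * (((flags >> 7) & 1) + ((flags >> 5) & 1) + ((flags >> 4) & 1))

def inner_flow(pkt):
    """Strip outer IPv4 + GRE and describe the inner IPv4/TCP flow.

    Returns None when the packet is not GRE-over-IPv4 carrying IPv4/TCP."""
    proto, osrc, odst, olen = parse_ipv4(pkt)
    if proto != GRE_PROTO:
        return None
    gre = pkt[olen:]
    if struct.unpack("!H", gre[2:4])[0] != ETHERTYPE_IPV4:
        return None
    inner = gre[gre_header_len(gre):]
    iproto, isrc, idst, ilen = parse_ipv4(inner)
    if iproto != TCP_PROTO:
        return None
    tcp = inner[ilen:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    # TLS record header: content type 0x16 (handshake), version major byte 0x03
    tls = len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03
    return {"tunnel": (osrc, odst), "src": (isrc, sport), "dst": (idst, dport),
            "syn": bool(tcp[13] & 0x02), "tls_handshake": tls}

def sample_packet():
    """Constructed GRE packet (K flag set) carrying a client-to-server TCP segment
    on port 443 whose payload starts a TLS handshake record."""
    payload = bytes.fromhex("160301002a01000026")  # constructed record prefix
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    inner = ipv4_header(TCP_PROTO, "10.1.1.50", "10.2.2.10", len(tcp)) + tcp
    gre = struct.pack("!BBHI", 0x20, 0, ETHERTYPE_IPV4, 100) + inner  # K flag, key 100
    return ipv4_header(GRE_PROTO, "192.0.2.1", "192.0.2.2", len(gre)) + gre

if __name__ == "__main__":
    print(inner_flow(sample_packet()))
```

Feed it the raw IP bytes of each captured packet on the inside and outside interfaces; a flow whose TLS record appears on one side but never on the other narrows the problem to the inline inspection path rather than the tunnel endpoints.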

5 Replies

First, you must take a look at the link below; second, you need to configure two ACLs for the GRE tunnel to pass through the FTD.
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212700-configuration-and-operation-of-ftd-prefi.html

Thank you for responding. I have not had the opportunity to test your suggestion; however, does it matter if our FTD is configured in routed or transparent mode? The first use case appears to be our configuration, except the FTD looks to be in routed mode (L3) (two different networks connected), versus ours in transparent mode (L2) with an inline set. Thanks again, and I will definitely let you and the community know the outcome.

Thanks again. We cannot get this to work. Due to time and money, we have decided to simply remove the FTD from the GRE tunnel. This works, and we are still on the edge, with outbound traffic from the FTD going to a new switch that forms a new GRE tunnel. Thanks again.

https://www.youtube.com/watch?v=EFdgl1dJFHY
This video will help you if you decide in future to make GRE bypass the FTD.

In this video, we will learn how FTD treats GRE tunnel-like traffic. The video has 6 sections: the first part covers the basics of the prefilter policy, and then we have 5 scenarios. In the scenarios we will learn how GRE traffic can be "FASTPATH", "BLOCK" or "ANALYZED". We also have a good scenario to practice.

Yes. Good video. Thanks again for your help. Truly appreciate it.
