08-31-2022 07:12 AM - edited 08-31-2022 07:43 AM
We have an FPR 2110 (running version 7.0.1) managed by an FMC 1600, configured as:
Transparent mode; inline set for the inside and outside port. The GRE tunnel terminates on two L3 Cisco switches, so we are not trying to terminate a GRE tunnel on an FTD device (we know you can't do this). We chose transparent inline because it allowed for an easier connection without adding additional networks or reworking network addressing.
The FTD is on our edge. This is a private company network isolated from the internet (by design). We use EIGRP routing over GRE tunnels. Our zero clients in our LAN cannot connect with the remote Horizon server. When we fastpath the GRE tunnel traffic, everything works. However, this defeats the purpose of an edge IPS device. Also, our FTD is using Snort 3. We tried Snort 2 without any luck. We believe there are one or more Snort inspectors dropping the packets or altering them. We Wiresharked the connection between the zero client and the connection server (Horizon). The TCP handshake works just fine, but we notice that something happens that prevents the conversation from going to TLS. The TCP connection conversation starts over and the process repeats with no connection. If we move the FTD out of the tunnel and connect a zero client directly to the FTD, the zero client connects with no problem. So our testing points at Snort. We think a Snort inspector is involved somehow. Any best practices or ideas when using an FTD inside a GRE tunnel as an edge IPS device?
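The symptom described above (handshake completes, TLS never starts, the client reconnects) can be turned into a per-flow verdict from a capture. The following is an added example, not code from the original post: it decapsulates IP/GRE/IP/TCP frames in plain Python, including GRE headers that carry the optional checksum, key or sequence words, and tracks the inner TCP handshake per flow. All addresses, ports and packets are constructed for the demonstration.

```python
# Added example: decapsulate IP/GRE/IP/TCP frames and report, per inner TCP flow,
# whether the 3-way handshake completed and whether a TLS ClientHello ever followed it.
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10

def ipv4(src, dst, proto, payload):  # constructed header, no options, checksum left zero
    addrs = [bytes(map(int, a.split("."))) for a in (src, dst)]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, *addrs) + payload
def tcp(sport, dport, flags, payload=b""):  # constructed header, no options; seq/ack/csum unused
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
def gre(inner, outer=("10.0.0.1", "10.0.0.2")):  # minimal GRE header (no C/K/S words) in IPv4 proto 47
    return ipv4(*outer, 47, struct.pack("!HH", 0, 0x0800) + inner)

def decap(frame):
    """(src, dst, sport, dport, tcp_flags, payload) of the TCP segment inside IP/GRE/IP, or None."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 47:                                   # outer protocol must be GRE
        return None
    gflags, proto = struct.unpack("!HH", frame[ihl:ihl + 4])
    off = ihl + 4 + 4 * sum(1 for bit in (0x8000, 0x2000, 0x1000) if gflags & bit)  # C, K, S words
    inner = frame[off:]
    if proto != 0x0800 or inner[9] != 6:                 # inner must be IPv4 carrying TCP
        return None
    src, dst = (".".join(map(str, inner[i:i + 4])) for i in (12, 16))
    seg = inner[(inner[0] & 0x0F) * 4:]
    return src, dst, *struct.unpack("!HH", seg[:4]), seg[13], seg[(seg[12] >> 4) * 4:]

def handshake_report(frames):
    """Per (client, cport, server, sport): SYN count, handshake state, TLS ClientHello seen, RST count."""
    flows = defaultdict(lambda: dict(syn=0, synack=False, established=False, client_hello=False, rst=0))
    for src, dst, sport, dport, tflags, payload in filter(None, map(decap, frames)):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if tflags & SYN and not tflags & ACK:
            flows[fwd]["syn"] += 1                       # (re)start of a client connection attempt
        elif tflags & SYN and rev in flows:
            flows[rev]["synack"] = True
        elif fwd in flows:                               # client -> server segment
            f = flows[fwd]
            f["established"] |= bool(tflags & ACK) and f["synack"]
            f["client_hello"] |= len(payload) >= 6 and payload[0] == 0x16 and payload[5] == 0x01
            f["rst"] += bool(tflags & RST)
        elif rev in flows:                               # server -> client segment
            flows[rev]["rst"] += bool(tflags & RST)
    return dict(flows)

# Constructed capture matching the symptom: handshake completes, no ClientHello, reset, client retries.
C, S = ("192.168.1.10", 50000), ("172.16.5.20", 443)
CAPTURE = [gre(ipv4(C[0], S[0], 6, tcp(C[1], S[1], SYN))), gre(ipv4(S[0], C[0], 6, tcp(S[1], C[1], SYN | ACK))),
           gre(ipv4(C[0], S[0], 6, tcp(C[1], S[1], ACK))), gre(ipv4(S[0], C[0], 6, tcp(S[1], C[1], RST | ACK))),
           gre(ipv4(C[0], S[0], 6, tcp(C[1], S[1], SYN)))]
```

A flow whose report shows `established` but no `client_hello` and a rising `syn` count is the pattern to look for on the inside-facing interface versus the outside-facing one, which localises where the TLS record is lost.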
08-31-2022 08:16 AM
First, you must take a look at the link below; second, you need to configure two ACLs for GRE tunnel pass-through on the FTD.
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212700-configuration-and-operation-of-ftd-prefi.html
09-01-2022 09:55 AM - edited 09-01-2022 09:55 AM
Thank you for responding. I have not had the opportunity to test your suggestion; however, does it matter if our FTD is configured in routed or transparent mode? The first use case appears to be our configuration, except the FTD looks to be in routed mode (L3) (two different networks connected, versus ours in transparent mode (L2) with an inline set). Thanks again, and I will definitely let you and the community know the outcome.
09-07-2022 11:50 AM
Thanks again. We cannot get this to work. Due to time and money, we have decided to simply remove the FTD from the GRE tunnel. This works and we are still on the edge with outbound traffic from the FTD to a new switch that forms a new GRE tunnel. Thanks again.
09-07-2022 12:14 PM
https://www.youtube.com/watch?v=EFdgl1dJFHY
This video will help you if you decide in future to make GRE bypass the FTD.
09-07-2022 01:26 PM
Yes. Good video. Thanks again for your help. Truly appreciate it.