07-26-2023 09:44 AM - edited 07-26-2023 10:02 AM
Hi. I have a virtual Firepower Management Center and an FTD-1010 on which I've configured a site-to-site VPN for SIP traffic.
The tunnel is up and I have a NAT rule configured but, when I perform a packet trace, I'm getting the error:
Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
I have the NAT rules below configured:
Source - 10.107.3.4
Destination - 172.26.200.5
NAT Rule 1
NAT Rules before, Manual NAT Rule, Static
Source Interface: Inside
Destination Interface: Outside
Translation
Original Source: 10.107.3.4
Original Destination: 172.26.200.5
Translated Source: 10.107.3.4
Translated Destination: 172.26.200.5
NAT Rule 2
NAT Rules after, Manual NAT Rule, Dynamic
Source Interface: Inside
Destination Interface: Outside
Translation
Original Source: any
Original Destination:
Translated Source: Destination Interface IP
Translated Destination:
07-26-2023 09:53 AM
10.107.3.4
107, not 100, so this NAT is not exception NAT and I think it makes the traffic drop.
07-26-2023 10:00 AM
That was a typo, I corrected it.
07-26-2023 10:03 AM - edited 07-26-2023 10:03 AM
Can I see the packet tracer of this traffic?
Also, you test ICMP; did you enable ICMP inspection?
07-26-2023 10:03 AM - edited 07-26-2023 10:04 AM
Hi @willb1
Sounds like asymmetric traffic. What does your topology look like?
07-26-2023 10:45 AM
Thank you all for the responses. I was initially running the packet trace for 10.107.3.4 > 172.26.200.5 but, when I switched it around to 172.26.200.5 > 10.107.3.4 I could see that there was a Snort rule blocking the traffic. I added a prefilter rule to FastPath the traffic and that resolved the problem.
Thanks again!
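The two NAT rules from the original post and the two-direction packet-tracer check from the resolution, written out in the ASA/FTD CLI form that `show running-config nat` displays. This is an added illustration, not configuration taken from the poster or from FMC; the object names, the ICMP type/code used for the trace, and the `detailed` keyword are assumptions.

```cisco
! Section 1 ("NAT rules before" auto NAT): static identity / NAT exemption
! for the VPN host pair, so the SIP traffic enters the tunnel untranslated.
! Object names are assumed for this example.
object network HOST-10.107.3.4
 host 10.107.3.4
object network HOST-172.26.200.5
 host 172.26.200.5
nat (Inside,Outside) source static HOST-10.107.3.4 HOST-10.107.3.4 destination static HOST-172.26.200.5 HOST-172.26.200.5
!
! Section 3 ("NAT rules after" auto NAT): dynamic PAT to the outside
! interface address for everything else. Order matters: if this rule
! matched the VPN hosts first, the traffic would be PATed to the outside IP
! and would no longer match the tunnel's interesting-traffic ACL.
nat (Inside,Outside) after-auto source dynamic any interface
!
! Confirm the rule order and watch the hit counters while testing.
show nat
!
! Trace both directions. The inside-to-outside trace alone was not enough;
! the reverse (outside-to-inside) trace is where the Snort verdict appeared.
! ICMP type 8 / code 0 = echo request (assumed test traffic).
packet-tracer input Inside icmp 10.107.3.4 8 0 172.26.200.5 detailed
packet-tracer input Outside icmp 172.26.200.5 8 0 10.107.3.4 detailed
```

Check the Snort phase of the reverse-direction trace specifically; a FastPath prefilter rule bypasses Snort for the matched flow entirely, so it is worth confirming that this is intended for the SIP traffic rather than tuning the access control policy.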
07-26-2023 10:48 AM
You are so welcome friend
Have a nice summer
MHM