Can ping inside network from VPN but cannot ping inside VPN from network - AWS site-to-site VPN

ea_msk
Level 1

Using our FirePower 1120 we have set up a site-to-site VPN with Amazon. The server inside Amazon subnet 150.10.0.0/16 can ping a server in our intranet in subnet 140.11.0.0/16, but from our intranet we cannot ping back a server in Amazon.

The site-to-site VPN is configured to NAT exempt the inside interface.

There are firewall rules to allow connection from Amazon-Intranet and Intranet-Amazon.

The Amazon server is in principle allowed to accept all UDP/TCP packets.

Our inside interface only has one network.

> packet-tracer input INSIDE icmp 140.11.224.247 8 0 150.10.1.75

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 4.10.115.112 using egress ifc  outside(vrfid:0)

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 destination static |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside(vrfid:0)
Untranslate 150.10.1.75/0 to 150.10.1.75/0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435478 ifc inside object intranet-ipv4 ifc outside object aws-eu-frankfurt-1a rule-id 268435478 
access-list NGFW_ONBOX_ACL remark rule-id 268435478: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435478: L5 RULE: Intranet_Out_Aws
object-group service |acSvcg-268435478
 service-object ip 
Additional Information:

Phase: 5
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source static |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 destination static |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 no-proxy-arp route-lookup
Additional Information:
Static translate 140.11.224.247/0 to 140.11.224.247/0

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 destination static |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 no-proxy-arp route-lookup
Additional Information:

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 4122248, packet dispatched to next module

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow

> packet-tracer input outside icmp 150.10.1.75 8 0 140.11.0.33

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 140.11.0.33 using egress ifc  inside(vrfid:0)

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 destination static |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate 140.11.0.33/0 to 140.11.0.33/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435479 ifc outside object aws-eu-frankfurt-1a ifc inside object intranet-ipv4 rule-id 268435479 
access-list NGFW_ONBOX_ACL remark rule-id 268435479: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435479: L5 RULE: Aws_In_Intranet
object-group service |acSvcg-268435479
 service-object ip 
Additional Information:

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source static |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 destination static |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 no-proxy-arp route-lookup
Additional Information:
Static translate 150.10.1.75/0 to 150.10.1.75/0

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclSrcNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 destination static |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 |s2sAclDestNwgV4|8dedd508-cf4c-11eb-a3c4-f761ebcb1bd6 no-proxy-arp route-lookup
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected, Drop-location: frame 0x000055e812a3c45c flow (NA)/NA
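Two things are easy to miss in the traces above because they are so long: every phase in both traces says ALLOW, and the NAT phases translate each address to itself (Untranslate 140.11.0.33/0 to 140.11.0.33/0, Static translate 150.10.1.75/0 to 150.10.1.75/0), which is what a working NAT exemption looks like. The only difference is the closing block of the second trace, Action: drop with Drop-reason (ipsec-spoof). That drop code is also worth knowing on its own: a packet injected with packet-tracer on the outside interface is simulated as cleartext, and when its addresses match a crypto map the firewall reports it as ipsec-spoof because the real traffic would have arrived inside the tunnel; packet-tracer has a decrypted keyword for simulating a post-decryption packet. So the simulated drop is not by itself evidence that live tunnel traffic is being blocked, which fits the solution below.

As an added example, not code from the original post, here is a small Python parser for this packet-tracer output format. It splits a trace into phases, pulls the closing Result block apart, checks that every NAT translation is an identity translation (the NAT-exempt check a reader would otherwise do by eye), and reports either the first non-ALLOW phase or the final drop code. The embedded sample is abridged from the second trace above (two NAT phases kept) with the long auto-generated object-group names replaced by the placeholders S2S_SRC and S2S_DST; function and field names are my own.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"

@dataclass
class Trace:
    phases: list = field(default_factory=list)
    final: dict = field(default_factory=dict)    # closing "Result:" block, key -> value

    @property
    def drop_code(self):
        # "Drop-reason: (ipsec-spoof) IPSEC Spoof detected, ..." -> "ipsec-spoof"
        m = re.search(r"\((\S+)\)", self.final.get("Drop-reason", ""))
        return m.group(1) if m else None

def parse_packet_tracer(text: str) -> Trace:
    trace, cur, section, in_final = Trace(), None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase:"):
            cur, section = Phase(int(line.split(":", 1)[1])), None
            trace.phases.append(cur)
        elif line == "Result:":          # closing summary; per-phase lines read "Result: ALLOW"
            in_final, cur = True, None
        elif in_final:
            if ":" in line:               # first colon only: Drop-reason itself contains colons
                key, value = line.split(":", 1)
                trace.final[key.strip()] = value.strip()
        elif cur is None or not line:
            continue                      # prompt echo, blank separators
        elif line.startswith("Type:"):
            cur.ptype = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            cur.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return trace

_XLATE = re.compile(r"^(?:Untranslate|Static translate) (\S+) to (\S+)$")

def identity_nat_ok(trace: Trace) -> bool:
    """True when every NAT/UN-NAT translation keeps the address unchanged (NAT exempt matched)."""
    pairs = [m.groups() for ph in trace.phases for ln in ph.info for m in [_XLATE.match(ln)] if m]
    return bool(pairs) and all(before == after for before, after in pairs)

def explain(trace: Trace) -> str:
    """One-line verdict: the first non-ALLOW phase, else the final action and drop code."""
    for ph in trace.phases:
        if ph.result != "ALLOW":
            return f"dropped in phase {ph.number} {ph.ptype}/{ph.subtype}: {ph.result}"
    if trace.final.get("Action") == "drop":
        return f"all {len(trace.phases)} phases ALLOW, dropped at the end: {trace.drop_code}"
    return f"allowed: {trace.final.get('input-interface')} -> {trace.final.get('output-interface')}"

# Abridged from the post's second trace; object-group names replaced by S2S_SRC / S2S_DST placeholders.
SAMPLE = """\
> packet-tracer input outside icmp 150.10.1.75 8 0 140.11.0.33

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static S2S_SRC S2S_SRC destination static S2S_DST S2S_DST no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate 140.11.0.33/0 to 140.11.0.33/0

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static S2S_SRC S2S_SRC destination static S2S_DST S2S_DST no-proxy-arp route-lookup
Additional Information:
Static translate 150.10.1.75/0 to 150.10.1.75/0

Result:
input-interface: outside(vrfid:0)
output-interface: inside(vrfid:0)
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected, Drop-location: frame 0x000055e812a3c45c flow (NA)/NA
"""

if __name__ == "__main__":
    t = parse_packet_tracer(SAMPLE)
    print(explain(t), "| identity NAT:", identity_nat_ok(t))
```

Paste a full trace in place of SAMPLE and the script prints the same one-line verdict; if a translation ever rewrites an address (for example a dynamic PAT rule matching before the exemption), identity_nat_ok returns False, which is the first thing to look at when VPN traffic is allowed by the ACL but never gets encrypted.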

Accepted Solution

ea_msk
Level 1

Well, it didn't make much sense that packets were flowing from one side of the network to the other and not the other way around. The problem was that the AWS machine's firewall was incorrectly configured and was rejecting ICMP packets from our end of the network. As soon as that was fixed, the problem was solved.
