05-05-2022 08:14 AM - edited 05-05-2022 08:15 AM
So I am configuring a couple of FTDs in a lab environment. I went through the steps of creating the VPN connection, but I can't get them to establish the tunnel. I will lay out my process below.
My setup is as follows:
2 - FTDs
1 - L3 Switch
2 - PCs
Lab Scenario:
Create a Site-to-Site VPN between the two FTDs and test connectivity over the tunnel.
Process:
I created 4 Vlans on the switch; VLAN 1, 2, 3, 4:
Vlan 1 is 192.168.1.0/24
Vlan 2 is xxx.xxx.2.0/24
Vlan 3 is xxx.xxx.10.0/24
Vlan 4 is xxx.xxx.20.0/24
I turned on routing on the switch and everything is locally connected in the routing table.
On the FTDs inside FMC:
FTD1 - 192.168.1.1 - outside
FTD1 - xxx.xxx.10.1 - inside
FTD2 - xxx.xxx.2.1 - outside
FTD2 - xxx.xxx.20.1 - inside
Devices -> VPN -> Site-to-Site
- Policy Based
- IKEv2
- Endpoints
- Node A:
- device name - FTD2
- Interface - Outside
- IP - xxx.xxx.2.1
- Connection Type - Bidirectional
- Protected Network - xxx.xxx.20.1
- Node B:
- device name - FTD1
- Interface - Outside
- IP - xxx.xxx.1.1
- Connection Type - Bidirectional
- Protected Network - xxx.xxx.10.1
- IKE - Default
- Manual Pre-Shared Key - PaS$w0rD
- IPsec - Default
- Advanced tab
- Tunnel - Bypass AC (sysopt permit-vpn)
So this is everything the instructions from Cisco said to do, but the tunnel is not establishing.
05-06-2022 07:41 AM
I don't have that option "route-lookup" in the FTD CLI.
05-06-2022 07:22 AM - edited 05-06-2022 07:35 AM
It's saying:
> packet-tracer input Inside tcp 192.168.10.1 80 192.168.20.1 80 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14cfac95eda0, priority=1, domain=permit, deny=false
hits=4249, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.20.1 using egress ifc identity(vrfid:0)
Result:
input-interface: Inside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000056372895a7a9 flow (NA)/NA
05-06-2022 07:38 AM
192.168.10.1, the IP that is the source of your packet-tracer: is this subnet connected to
Inside or Outside of the FTD?
If it connects to inside, why did you select outside in packet-tracer??
This is why you get "destination is local".
05-06-2022 08:07 AM
I think I got mixed up pasting my outputs:
This is the output from FTD1 inside to FTD2 inside:
> packet-tracer input Inside tcp 192.168.10.1 80 192.168.20.1 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.20.1 using egress ifc Outside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14cfa9f97db0, priority=501, domain=permit, deny=true
hits=2, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Inside(vrfid:0), output_ifc=any
Result:
input-interface: Inside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000563728951156 flow (NA)/NA
This is the output from FTD1 outside to FTD2 outside:
> packet-tracer input Inside tcp 192.168.1.1 80 192.168.2.1 80 detailed
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.1.2 using egress ifc Outside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268459050
access-list CSM_FW_ACL_ remark rule-id 268459050: ACCESS POLICY: Test VPN FTD Policy - Default
access-list CSM_FW_ACL_ remark rule-id 268459050: L4 RULE: DEFAULT ACTION RULE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x14cfacb8afc0, priority=12, domain=permit, deny=false
hits=1, user_data=0x14cf9ba0b480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14cfad3038c0, priority=7, domain=conn-set, deny=false
hits=0, user_data=0x14cfad2fd9d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Inside(vrfid:0), output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14cfaab90ca0, priority=0, domain=nat-per-session, deny=false
hits=0, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14cfac964b40, priority=0, domain=inspect-ip-options, deny=true
hits=3251, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Inside(vrfid:0), output_ifc=any
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14cfaab90ca0, priority=0, domain=nat-per-session, deny=false
hits=2, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14cfac880660, priority=0, domain=inspect-ip-options, deny=true
hits=197, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside(vrfid:0), output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4858, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 9
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 10
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
00:00:00:00:00:00 -> CC:ED:4D:EB:EA:25 0800
192.168.1.1:80 -> 192.168.2.1:80 proto 6 AS=0 ID=1 GR=1-1
Packet 1: TCP ******S*, 05/06-14:45:36.689234, seq 735764188, dsize 0
Session: new snort session
AppID: service: (0), client: (0), payload: (0), misc: (0)
Firewall: allow rule, id 268459050, allow
Policies: Network 0, Inspection 0, Detection 5
Verdict: pass
Snort Verdict: (pass-packet) allow this packet
Phase: 11
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.1.2 using egress ifc Outside(vrfid:0)
Phase: 12
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 192.168.1.2 on interface Outside
Adjacency :Active
MAC address 8480.2db1.8646 hits 0 reference 1
Result:
input-interface: Inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: Outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
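As an added example, not code from the thread or from Cisco, here is a small parser for the packet-tracer output format posted above. It splits the trace into phases, pulls out the egress interface chosen by the route lookup, and reports which phase dropped the packet; it also handles the first trace's shape, where every phase says ALLOW but the final summary says drop. The embedded sample is an abridged copy of the FTD1 Inside -> FTD2 Inside trace posted above, used as constructed test input.

```python
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Found next-hop 192.168.20.1 using egress ifc Outside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Implicit Rule
Result:
input-interface: Inside(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000563728951156 flow (NA)/NA
"""  # abridged copy of the FTD1 Inside -> FTD2 Inside trace posted above, used as test input

def parse_packet_tracer(text):
    """Return ([phase dicts], summary dict) from 'packet-tracer ... detailed' output."""
    phases, summary, cur = [], {}, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "phase":
            cur = {"phase": int(val), "type": "", "subtype": "", "result": "", "info": []}
            phases.append(cur)
        elif key == "result" and not val:   # bare "Result:" opens the final summary block
            cur = summary
        elif cur is summary and key:
            summary[key] = val
        elif cur is not None:
            if key in ("type", "subtype", "result"):
                cur[key] = val
            else:
                cur["info"].append(line.strip())   # whole line: free text may itself contain ':'
                m = re.search(r"egress ifc ([^\s(]+)", line)
                if m:                              # "identity" here means the FTD itself is the target
                    cur["egress"] = m.group(1)
    return phases, summary

def first_drop(phases, summary):
    """(phase, type, drop-reason) of the failing phase, or None when the packet is allowed."""
    for p in phases:
        if p["result"] == "DROP":
            return p["phase"], p["type"], summary.get("drop-reason", "")
    if summary.get("action") == "drop" and phases:   # every phase ALLOW but verdict drop (sp-security-failed)
        return phases[-1]["phase"], phases[-1]["type"], summary.get("drop-reason", "")
    return None
```

Feeding it the FTD1 Inside trace returns phase 2 (ACCESS-LIST, acl-drop) as the failing step, while the first trace in the thread yields an egress of "identity" on the ROUTE-LOOKUP phase, which is the "destination is local" hint the reply above points at.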