04-20-2023 12:58 AM
Hello,
I have a problem with VPN communication from the other end: they do not reach my local network in any way, while I can reach the remote network at the other end. The VPN is up. Can someone give me a hand?
thank you very much
04-20-2023 01:16 AM
@oelagy do you have the correct Access Control rules to allow the remote network to communicate with your network? Provide screenshots of your configuration.
Run packet-tracer from the CLI to simulate the traffic flow and provide the output for review.
I assume you already have NAT exemption rules in place to ensure the traffic is not unintentionally translated.
04-20-2023 01:38 AM
04-20-2023 01:47 AM
@oelagy the problem appears to be NAT, traffic is matching the dynamic NAT rule and being translated behind the FTD's outside interface.
Your NAT rules #1 and #2 should be disabled/deleted and recreated as Auto NAT rules.
I assume NAT rules #3 and #4 are correct.
Once the new Auto NAT rules (the NAT used for internet access) are created, they will be processed after the Manual NAT rules, so VPN traffic will match the Manual NAT rules and not be translated. All other traffic not matching the Manual NAT rules will subsequently match the Auto NAT rules.
04-20-2023 02:22 AM
Hi,
I have disabled rule no. 1 and no. 2. On the other hand, the rules that I have created by NAT work correctly: from my network to the other end I reach all the hosts correctly.
nat (inside_2,outside) source static |s2sAclSrcNwgV4|69b97ff6-cecf-11ed-8541-e3fc0f181972 |s2sAclSrcNwgV4|69b97ff6-cecf-11ed-8541-e3fc0f181972 destination static |s2sAclDestNwgV4|69b97ff6-cecf-11ed-8541-e3fc0f181972 |s2sAclDestNwgV4|69b97ff6-cecf-11ed-8541-e3fc0f181972 no-proxy-arp route-lookup
nat (inside_2,outside) source static |s2sAclSrcNwgV4|481533f2-cf91-11ed-8541-4bca6c5a3746 |s2sAclSrcNwgV4|481533f2-cf91-11ed-8541-4bca6c5a3746 destination static |s2sAclDestNwgV4|481533f2-cf91-11ed-8541-4bca6c5a3746 |s2sAclDestNwgV4|481533f2-cf91-11ed-8541-4bca6c5a3746 no-proxy-arp route-lookup
nat (inside_2,outside) source static |s2sAclSrcNwgV4|c8e6567b-d37b-11ed-8541-017d7fee41c6 |s2sAclSrcNwgV4|c8e6567b-d37b-11ed-8541-017d7fee41c6 destination static |s2sAclDestNwgV4|c8e6567b-d37b-11ed-8541-017d7fee41c6 |s2sAclDestNwgV4|c8e6567b-d37b-11ed-8541-017d7fee41c6 no-proxy-arp route-lookup
nat (inside_4,outside) source dynamic any-ipv4 interface inactive
nat (inside_3,outside) source dynamic any-ipv4 interface inactive
nat (inside_2,outside) source static local_net local_net_nat_telrad destination static remote_net_telrad remote_net_telrad
nat (inside_2,outside) source static local_net local_net_nat_ingesa destination static remote_net_ingesa remote_net_ingesa
!
object network any-ipv4
nat (inside_2,outside) dynamic interface
When you mean to create a new rule, do I have to create it for Inside2 ?
Thank you
04-20-2023 02:30 AM - edited 04-20-2023 02:30 AM
The following is needed after making the dynamic NAT inactive:
object network any-ipv4
nat (inside_3,outside) dynamic interface
object network any-ipv4
nat (inside_4,outside) dynamic interface
04-20-2023 02:42 AM - edited 04-20-2023 02:51 AM
@oelagy this is an example of a NAT Exemption rule, which is a Manual NAT rule, this ensures VPN traffic is not translated. This NAT rule is above the Auto NAT rule, which is used for internet access.
You need to create these rules to match your environment, for as many interfaces as you have.
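The two posts above describe the rule-ordering behaviour behind this problem: FTD evaluates Manual NAT (section 1) before Auto/Object NAT (section 2) and takes the first hit, so a dynamic PAT rule placed as Manual NAT rule #1 captures VPN-bound packets before the NAT exemption is reached, while the same PAT rule as an Auto NAT rule is only consulted when no Manual NAT rule matches. The Python below is an added model of that lookup, not code from the thread or from Cisco; the 192.100.9.0/24 network comes from the inside_2 interface address in the thread, while the remote network, the outside interface address and the rule names are constructed for the example.

```python
"""Toy model of ASA/FTD NAT rule ordering.

It shows why a VPN-bound packet is translated when the dynamic PAT rule sits in
the Manual NAT section above the NAT-exemption rule, and why moving the PAT rule
to Auto (object) NAT fixes it.  Networks other than 192.100.9.0/24 (taken from
the inside_2 interface in the thread) are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IP = ipaddress.IPv4Address("198.51.100.1")  # constructed outside interface IP


@dataclass
class NatRule:
    name: str
    section: int                 # 1 = Manual NAT (before auto), 2 = Auto/Object NAT, 3 = Manual NAT (after auto)
    ifc_in: str
    ifc_out: str
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]   # None means "any destination"
    action: str                  # "exempt" (identity static) or "pat-interface" (dynamic PAT)
    active: bool = True          # an "inactive" rule is skipped, like the inside_3/inside_4 rules in the thread


def _matches(rule: NatRule, ifc_in: str, src_ip, dst_ip) -> bool:
    return (rule.active
            and rule.ifc_in == ifc_in
            and src_ip in rule.src
            and (rule.dst is None or dst_ip in rule.dst))


def nat_lookup(rules: List[NatRule], ifc_in: str, src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (matching rule name, translated source) for a flow leaving ifc_in.

    FTD evaluates section 1, then 2, then 3 and takes the first hit.  Inside a
    section this model uses configured order; that is exact for Manual NAT and a
    simplification for Auto NAT, which additionally orders static before dynamic
    and by object size (assumption: not relevant with one object rule per section).
    """
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    ordered = sorted(enumerate(rules), key=lambda p: (p[1].section, p[0]))
    for _, rule in ordered:
        if _matches(rule, ifc_in, src_ip, dst_ip):
            if rule.action == "exempt":
                return rule.name, str(src_ip)        # identity NAT: source untouched
            return rule.name, str(OUTSIDE_IP)        # PAT behind the outside interface
    return None, str(src_ip)                         # no NAT rule hit


LOCAL_NET = ipaddress.IPv4Network("192.100.9.0/24")   # behind inside_2 (from the thread)
REMOTE_NET = ipaddress.IPv4Network("10.20.0.0/24")    # constructed VPN peer network
ANY = ipaddress.IPv4Network("0.0.0.0/0")

EXEMPT = NatRule("vpn-exempt-inside_2", 1, "inside_2", "outside", LOCAL_NET, REMOTE_NET, "exempt")

# Before the fix: dynamic PAT as Manual NAT rule #1, above the exemption.
BROKEN_POLICY = [
    NatRule("manual-pat-inside_2", 1, "inside_2", "outside", ANY, None, "pat-interface"),
    EXEMPT,
]

# After the fix: the PAT rule is an Auto NAT rule (section 2), reached only when
# no Manual NAT rule matches.
FIXED_POLICY = [
    EXEMPT,
    NatRule("object-pat-inside_2", 2, "inside_2", "outside", ANY, None, "pat-interface"),
]


def vpn_flow(policy: List[NatRule]) -> Tuple[Optional[str], str]:
    """A host behind inside_2 talking to the VPN peer network."""
    return nat_lookup(policy, "inside_2", "192.100.9.10", "10.20.0.5")


def internet_flow(policy: List[NatRule]) -> Tuple[Optional[str], str]:
    """The same host talking to a public address (constructed)."""
    return nat_lookup(policy, "inside_2", "192.100.9.10", "203.0.113.7")


if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{label:6} vpn      -> {vpn_flow(policy)}")
        print(f"{label:6} internet -> {internet_flow(policy)}")
```

With the broken policy the VPN flow reports the PAT rule and the outside interface address as the translated source, which is what the packet-tracer output in the thread showed; with the fixed policy the VPN flow hits the exemption and keeps 192.100.9.10, while the internet flow falls through the exemption (destination mismatch) to the Auto NAT PAT rule. The exemption is a static identity rule and therefore also applies to connections initiated from the remote network, whereas the PAT rule creates no inbound mapping, which is why only the remote-to-local direction fails when the PAT rule wins.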
04-20-2023 02:58 AM
I have created this rule, attached capture
04-20-2023 03:01 AM
@oelagy ok, that looks like it should work for networks behind interface inside_2, did you test this?
You'd need to replicate the rules for the other inside interfaces (if required).
04-20-2023 03:18 AM
We tested it and it does not work. I am not explaining myself well: I can access all the hosts I have at the other ends of the tunnel, but from the other end they cannot access anything, nor do they have any communication.
I have tried setting up another identical device with the same characteristics, a Firepower 1010, and in this case I can neither send a ping nor receive one at either end.
04-20-2023 03:28 AM - edited 04-20-2023 03:56 AM
I see in your earlier post that you already configured the ACL for inbound.
04-20-2023 02:38 AM
Yes, correct. For dynamic NAT I have configured inside_2:
object network any-ipv4
nat (inside_2,outside) dynamic interface
interface Ethernet1/2
nameif inside_2
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.100.9.1 255.255.255.0
04-20-2023 02:53 AM - edited 04-20-2023 03:28 AM
Again, check this POINT please.
You have three IN interfaces:
INside_2
INside_3
INside_4
INside_2 has the VPN, so it needs two NAT rules (static & dynamic) if you also want hosts to reach the internet.
INside_3/INside_4 need dynamic NAT only, since they don't have VPN.
04-20-2023 03:25 AM
I correctly reach another host that is at the other end of the tunnel, the problem is that the other end does not communicate with my network in any way.
the VPN is up and working correctly
04-20-2023 03:28 AM
@oelagy have you tried again since changing the NAT rules? Because from your packet-tracer output we can determine it was unintentionally translated behind the outside interface.
object network any-ipv4
nat (inside_2,outside) dynamic interface