Cisco Firepower 1010 Threat Defense icmp vpn communication problem

oelagy (Level 1)

Hello,


I have a problem with VPN communication from the other end: they do not reach my local network in any way, while I can reach the remote network at the other end. The VPN is up. Can someone give me a hand?

Thank you very much.

35 Replies

Right, I have tried it again: same as before, the other end does not reach my local network, while I correctly reach the other end's local network.

I attach the packet-tracer output.

@oelagy reverse the packet-tracer flow from outside to inside.

packet-tracer input outside icmp 10.77.158.95 8 0 172.31.1.27 detailed

I assume 10.77.158.95 is a network from one of the objects defined in your Access Control rules?

Yes, correct, 10.77.158.95 is defined in one of the objects.

@oelagy ok, so packet-tracer says that should be allowed.

Is real traffic being received on your FTD? If not, then investigate a problem on the remote end.

If you run "show crypto ipsec sa", are the counters for decaps increasing?

Does the local device on your end have a local firewall that could be blocking the connection from the remote end?


#pkts encaps: 45473, #pkts encrypt: 45473, #pkts digest: 45473
#pkts decaps: 54269, #pkts decrypt: 54269, #pkts verify: 54269
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 45473, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0


#pkts encaps: 46693, #pkts encrypt: 46693, #pkts digest: 46693
#pkts decaps: 55665, #pkts decrypt: 55665, #pkts verify: 55665
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 46693, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
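The advice above is to sample "show crypto ipsec sa" twice and see whether the decaps counter moves. The two snapshots posted here do exactly that (decaps 54269 to 55665, encaps 45473 to 46693), which means the peer's ESP traffic is arriving and being decrypted, so the fault is after decryption (inbound ACL, NAT, routing, or a host firewall) rather than in the tunnel. The following is an added example, not part of the original thread or of any Cisco tool, that automates that comparison: it parses the "#name: N" counter fields from two captures of one SA block and reports the direction in which traffic is actually flowing. The sample text is constructed from the counter lines above; it assumes a single SA block per capture (a real capture with several peers would need to be split per "peer:" section first).

```python
import re
from typing import Dict

# Constructed from the two counter snapshots posted in this thread
# (only the '#name: N' fields of one SA block are needed).
SAMPLE_1 = """\
#pkts encaps: 45473, #pkts encrypt: 45473, #pkts digest: 45473
#pkts decaps: 54269, #pkts decrypt: 54269, #pkts verify: 54269
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 45473, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
"""

SAMPLE_2 = """\
#pkts encaps: 46693, #pkts encrypt: 46693, #pkts digest: 46693
#pkts decaps: 55665, #pkts decrypt: 55665, #pkts verify: 55665
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 46693, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
"""

# Matches fields such as '#pkts decaps: 54269' or '#recv errors: 0'.
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z -]*?): (\d+)")


def parse_counters(output: str) -> Dict[str, int]:
    """Return {counter name: value} for every '#name: N' field in one SA block."""
    return {name.strip(): int(val) for name, val in COUNTER_RE.findall(output)}


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter increase between two samples (counters present in both)."""
    return {k: after[k] - before[k] for k in before if k in after}


def diagnose(before: str, after: str) -> Dict[str, object]:
    """Compare two 'show crypto ipsec sa' samples and classify traffic flow.

    encaps counts packets we encrypted and sent to the peer; decaps counts
    ESP packets received from the peer and successfully decrypted.
    """
    b, a = parse_counters(before), parse_counters(after)
    d = counter_deltas(b, a)
    encaps = d.get("pkts encaps", 0)
    decaps = d.get("pkts decaps", 0)

    if decaps > 0 and encaps > 0:
        # Tunnel carries both directions: look at what happens after decryption
        # (inbound ACL, NAT, routing, firewall on the destination host).
        verdict = "BOTH_DIRECTIONS"
    elif encaps > 0:
        # We send, nothing comes back: the remote side is not sending into the
        # tunnel (or its traffic is dropped before reaching us).
        verdict = "ONLY_OUTBOUND"
    elif decaps > 0:
        # Peer traffic is decrypted but we never reply: check the return path.
        verdict = "ONLY_INBOUND"
    else:
        verdict = "NO_TRAFFIC"

    # In a healthy SA every decrypted packet also passed integrity verification.
    inbound_consistent = a.get("pkts decaps") == a.get("pkts decrypt") == a.get("pkts verify")

    return {
        "encaps_delta": encaps,
        "decaps_delta": decaps,
        "recv_errors_delta": d.get("recv errors", 0),
        "inbound_consistent": inbound_consistent,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_1, SAMPLE_2).items():
        print(f"{k}: {v}")
```

Run it against two captures taken a minute apart; a BOTH_DIRECTIONS verdict, as with the numbers in this thread, tells you to stop looking at the tunnel and run packet-tracer from the outside interface toward the inside host instead.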


I see in your earlier post that you already configured the ACL for inbound.

Yes, but it stays the same: we do not receive ping or any communication.

Share the latest NAT config.

[attachment: oelagy_0-1681989591928.png]

> packet-tracer input inside_2 tcp 172.31.1.20 1234 10.77.158.90 80 detailed

NOTE:

Please confirm that 172.31.1.0/x is your local LAN and 10.77.158.0/x is your remote LAN. If you confirm that, run the packet-tracer above and share the result.

10.77.158.0/x: NAT local LAN
172.31.1.0/x: remote LAN


Now it is clear there is UN-NAT and the traffic is encrypted correctly.
Now try pinging not from the FPR but from any host behind the FPR to the remote LAN.