405 Views · 1 Helpful · 5 Replies

Cisco FTD S2S tunnel issue with NAT

NetworkPitu
Level 1

Hello,

So with a customer we have created an S2S tunnel to get access to some lab environment. They asked us to create a NAT, and they will allow this NAT through the tunnel. So I created a NAT from our AnyConnect VPN addresses. Let's say the IP range of our AnyConnect VPN is 10.10.0.0/17. I created a NAT from these IPs to the NAT IP 172.10.10.0/29, and this NAT IP I allowed in the tunnel. But the issue is: when I ping one of the lab addresses on the customer side I have only encapsulation but 0 decapsulation, and the same thing from the lab env to our AnyConnect VPN address. But when I set the NAT to unidirectional, the ping from the lab to the AnyConnect VPN IP goes through and I can see decapsulation, but from AnyConnect to the lab env it still does not. We have a Cisco FTD 1140 and the customer has a Cisco C8300 and another Cisco SD-WAN.

Working:
lab IP -> sdwan -> customer DC (cisco C8300) -> our FTD.

Not working:
Anyconnect VPN -> Cisco FTD (NAT and to s2s) -> customer DC - sdwan -> lab env.

So to summarize, we have an S2S tunnel which is UP, and I can bring it UP by pinging from the AnyConnect VPN to the lab env on the customer side. But the ping is not coming through, because the customer constantly has 0 encapsulations and 0 decapsulations, so the packets are not reaching them. But when they ping from the lab env to our AnyConnect VPN IP it comes through: I can see encapsulation and decapsulation, and the customer can also see it on their side.

So maybe you have some idea about it? I have been trying to solve it for about 3 weeks. It is a simple connection with NAT, but it doesn't want to work.

Also, the customer said that since from the lab env to our AnyConnect VPN I can see encaps and decaps, all is fine on their side, so it must be some firewall issue. I added ACL rules to allow traffic from the NAT addresses to the lab env, from the AnyConnect VPN to the lab env, and back.

5 Replies

I think it is a routing issue.

Can you check in the FTD whether it has a route for the lab or uses the default route?

MHM

I also thought that in the first place. I checked Packet Tracer on the FMC from an AnyConnect VPN address to the lab env on the customer site and everything is Allow. We have configured the default route through this interface. Also, when I checked on the FTD CLI with "show route", I can see this lab address and interface.

NetworkPitu
Level 1

I have now added a group of objects with the lab subnets in static routing. In the FMC under Device Management -> FTD -> Routing -> Static Route we have a route for the traffic from our tunnel interface (a separate internet connection). I added this group there and deployed the changes, but nothing changed. Since yesterday the tunnel has gone down, but when I ping a lab IP the tunnel goes UP and I see 3 encapsulations and 0 decapsulations. Same issue.

Can you share the VPN subnet

and the "show route" output of the FTD?

MHM

Sure, but for security reasons I had to remove the IPs and names which could be sensitive.

So we have one route entry with all the subnets and IPs which have to go through the interface that is used for tunneling.

The VPN subnet is the NAT address on our site, to which the customer asked us to translate our AnyConnect addresses, and below is the customer site with the subnet of the lab addresses.

It should go like this:

AnyConnect user -> FTD -> customer Cisco C8300 -> customer SD-WAN -> lab environment.

In this route entry I added an object group containing all the subnets of the lab.
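The checks discussed in this thread (is there a route to the lab via the tunnel interface, and does the NAT'ed traffic match the tunnel's interesting-traffic ACL) can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco: it is a simplified model of the FTD/ASA outbound order of operations, in which the route lookup selects the egress interface and the source is translated by NAT before the packet is compared with the crypto ACL, so the proxy IDs the peer sees must be written with the translated addresses, and the peer's crypto ACL must mirror them. The AnyConnect range 10.10.0.0/17 and NAT range 172.10.10.0/29 are taken from the post; the lab subnet 192.0.2.0/24, the hosts, the interface names and the treatment of a many-to-few mapping as a dynamic (inside-initiated) translation are assumptions of the model.

```python
"""Added example (not from the thread): a small model of the checks a packet
must pass on an FTD/ASA to be sent into a site-to-site tunnel after NAT.
It captures only (1) the route lookup that picks the egress interface,
(2) NAT of the source before the crypto ACL is consulted, and
(3) the requirement that the peer's proxy IDs mirror ours."""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


# ---- routing: longest-prefix match over a constructed static table ----------
def egress_interface(dst, routes):
    """routes: list of (network, interface); the most specific match wins."""
    best = None
    for net, ifc in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


# ---- NAT ----------------------------------------------------------------------
@dataclass
class NatRule:
    real: Net      # pre-translation source network (the AnyConnect pool)
    mapped: Net    # post-translation network (what the peer sees)
    table: dict = field(default_factory=dict)  # dynamic bindings currently in use

    @property
    def is_static(self):
        # same-size real/mapped: one-to-one and usable from both directions
        return self.real.num_addresses == self.mapped.num_addresses

    def translate(self, src):
        """Outbound: mapped address for a real source, or None if the rule does not apply."""
        if src not in self.real:
            return None
        if self.is_static:
            return self.mapped.network_address + (int(src) - int(self.real.network_address))
        # many-to-few pool, modelled as dynamic NAT (assumption): pick an address
        # deterministically and remember the binding so return traffic can be un-NAT'ed
        if src not in self.table:
            pool = list(self.mapped.hosts())
            self.table[src] = pool[int(src) % len(pool)]
        return self.table[src]

    def untranslate(self, dst):
        """Inbound: real host behind a mapped destination, or None if no binding exists."""
        if dst not in self.mapped:
            return None
        if self.is_static:
            return self.real.network_address + (int(dst) - int(self.mapped.network_address))
        return next((r for r, m in self.table.items() if m == dst), None)


# ---- crypto ACL / proxy IDs ---------------------------------------------------
def crypto_match(acl, src, dst):
    """acl: list of (local_net, remote_net) pairs written from our side."""
    return any(src in local and dst in remote for local, remote in acl)


def mirrored(local_acl, remote_acl):
    """The peer's crypto ACL has to be the mirror image of ours."""
    return {(l, r) for l, r in local_acl} == {(r, l) for l, r in remote_acl}


def outbound(src, dst, routes, tunnel_ifc, nat, acl):
    """AnyConnect client -> tunnel. Returns (ok, post_nat_source, reason)."""
    ifc = egress_interface(dst, routes)
    if ifc != tunnel_ifc:
        return False, None, f"routed out {ifc}, not the interface carrying the tunnel"
    mapped = nat.translate(src)          # NAT is applied before the crypto check
    if mapped is None:
        return False, None, "source not covered by the NAT rule"
    if not crypto_match(acl, mapped, dst):
        return False, mapped, "post-NAT pair does not match the crypto ACL: not encapsulated"
    return True, mapped, "encapsulated"


def inbound(src, dst, nat, acl):
    """Lab host -> us, after decryption. Returns (ok, real_destination, reason)."""
    if not crypto_match(acl, dst, src):  # the inbound pair is the mirror of our ACL
        return False, None, "does not match the tunnel's traffic selectors"
    real = nat.untranslate(dst)
    if real is None:
        return False, None, "no translation for the destination: dropped"
    return True, real, "delivered"


# ---- constructed topology (lab subnet and interface names are stand-ins) ------
ANYCONNECT = Net("10.10.0.0/17")          # from the post
NAT_POOL = Net("172.10.10.0/29")          # from the post
LAB = Net("192.0.2.0/24")                 # constructed stand-in for the customer lab
ROUTES = [(Net("0.0.0.0/0"), "outside"), (LAB, "tunnel_isp")]
GOOD_ACL = [(NAT_POOL, LAB)]              # proxy IDs use the translated source
WRONG_ACL = [(ANYCONNECT, LAB)]           # pre-NAT source: never seen after NAT


def demo():
    nat = NatRule(ANYCONNECT, NAT_POOL)
    client, lab_host = Addr("10.10.1.5"), Addr("192.0.2.10")
    return {
        "good": outbound(client, lab_host, ROUTES, "tunnel_isp", nat, GOOD_ACL),
        "wrong_acl": outbound(client, lab_host, ROUTES, "tunnel_isp", nat, WRONG_ACL),
        "no_route": outbound(client, lab_host, [(Net("0.0.0.0/0"), "outside")],
                             "tunnel_isp", nat, GOOD_ACL),
        "return": inbound(lab_host, Addr("172.10.10.6"), nat, GOOD_ACL),
        "unsolicited": inbound(lab_host, Addr("172.10.10.6"),
                               NatRule(ANYCONNECT, NAT_POOL), GOOD_ACL),
        "peer_mirrors": mirrored(GOOD_ACL, [(LAB, NAT_POOL)]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the client being translated to 172.10.10.6 and encapsulated only when the route for the lab points at the tunnel interface and the crypto ACL names the post-NAT range; the "unsolicited" case shows why a many-to-few translation, unlike a same-size static one, cannot be entered from the remote side until an inside host has created the binding.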