FMC RA-VPN Unable to Ping Inside to RA-VPM Client

Garrd
Level 1

We have a remote access VPN configured with VPN client able to access all inside network resources.

This is configured as a split tunnel, No NAT on Inside to Outside for the Inside network to RA VPN address pool. Access control policy applied Outside to Inside for RA VPN Pool to Inside network.

The remote VPN client can access all resources on the inside network by IP address and has full DNS resolution, also has access to the internet.

I'm trying to ping from a server on the inside network to the VPN remote client which fails. This is a server that the remote VPN client can ping by name and IP address.

The firewall on the remote VPN client is disabled at this time.

I'm not seeing what I've missed which is causing the inside to remote VPN ping to fail. Any pointers would be much appreciated.


@Garrd you say "Access control policy applied Outside to Inside for RA VPN Pool to Inside network." and you say "I'm trying to ping from a server on the inside network to the VPN remote client which fails."

So do you have an Access Control rule from inside to outside to permit the traffic from the server to the VPN client?

If you do, then please run packet-tracer from the CLI of the FTD to simulate the traffic flow and provide the output for review.

Hi Rob,

I have an inside-zone to outside-zone any any rule. I tried an inside-zone to outside-zone, Inside network to VPN network rule and this shows as a conflict with the first rule.

Packet trace below shows result ALLOWED

Interface: Ethernet1/2
VLAN ID:
Protocol: TCP
Source Type: IPv4
Source IP value: 192.168.245.2
Source Port: echo
Source SPI:
Destination Type: IPv4
Destination IP value: 192.168.244.8
Destination port: echo
Inline Tag:
Treat simulated packet as IPsec/SSL VPN decrypt: false
Bypass all security checks for simulated packet: false
Allow simulated packet to transmit from device: true
Select Device: B-FTD-HQ-01
Run trace on all cluster members: false

Device details
Name: B-FTD-HQ-01
ID: 062d3d52-073d-11ed-b00a-fe7546cbef1e
Type: Device

Phase 1
ID: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information: Destination is locally connected. No ECMP load balancing.Found next-hop 192.168.244.8 using egress ifc outside(vrfid:0)
Elapsed Time: 32256 ns

Phase 2
ID: 2
Type: OBJECT_GROUP_SEARCH
Result: ALLOW
Config:
Additional Information: Source Object Group Match Count: 0 Destination Object Group Match Count: 0 Object Group Search: 0
Elapsed Time: 0 ns

Phase 3
ID: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-group CSM_FW_ACL_ globalaccess-list CSM_FW_ACL_ advanced permit ip ifc inside any ifc outside any rule-id 268435460 access-list CSM_FW_ACL_ remark rule-id 268435460: ACCESS POLICY: Default BLOCK ALL - Mandatoryaccess-list CSM_FW_ACL_ remark rule-id 268435460: L7 RULE: Outbound Allow
Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Forward Flow based lookup yields rule: in id=0x1528ab6c2b10, priority=12, domain=permit, deny=false hits=14943, user_data=0x15289610b000, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=inside(vrfid:0) dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=outside(vrfid:0),, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 102 ns

Phase 4
ID: 4
Type: CONN-SETTINGS
Result: ALLOW
Config: class-map class-default match anypolicy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAPservice-policy global_policy global
Additional Information: Forward Flow based lookup yields rule: in id=0x1528a929e610, priority=7, domain=conn-set, deny=false hits=68530, user_data=0x1528a9d39d70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=inside(vrfid:0), output_ifc=any
Elapsed Time: 102 ns

Phase 5
ID: 5
Type: NAT
Result: ALLOW
Config: nat (inside,outside) source dynamic B-HQ-Network interface
Additional Information: Dynamic translate 192.168.245.2/7 to 217.38.158.94/63387 Forward Flow based lookup yields rule: in id=0x1528ab900200, priority=6, domain=nat, deny=false hits=15259, user_data=0x1528ab6fb1f0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=192.168.245.0, mask=255.255.255.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)
Elapsed Time: 102 ns

Phase 6
ID: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1528a6cd4c10, priority=0, domain=nat-per-session, deny=false hits=1564145, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 102 ns

Phase 7
ID: 7
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1528a9a36b20, priority=0, domain=inspect-ip-options, deny=true hits=454902, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=inside(vrfid:0), output_ifc=any
Elapsed Time: 102 ns

Phase 8
ID: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1528ab6adaa0, priority=20, domain=lu, deny=false hits=44799, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=inside(vrfid:0), output_ifc=any
Elapsed Time: 23552 ns

Phase 9
ID: 9
Type: WEBVPN-SVC
Subtype: out
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: out id=0x1528ac5c3560, priority=71, domain=svc-ob-tunnel-flow, deny=false hits=7630, user_data=0x4e0000, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.244.8, mask=255.255.255.255, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any(vrfid:65535), output_ifc=outside
Elapsed Time: 8704 ns

Phase 10
ID: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config: nat (inside,outside) source dynamic B-HQ-Network interface
Additional Information: Forward Flow based lookup yields rule: out id=0x1528ab7e0360, priority=6, domain=nat-reverse, deny=false hits=2389, user_data=0x1528ab7c98b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=192.168.245.0, mask=255.255.255.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)
Elapsed Time: 2560 ns

Phase 11
ID: 11
Type: WEBVPN-SVC
Subtype: in
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1528a866a820, priority=71, domain=svc-ib-tunnel-flow, deny=false hits=8607, user_data=0x4e0000, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=192.168.244.8, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=outside(vrfid:0), output_ifc=any
Elapsed Time: 30720 ns

Phase 12
ID: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1528a6cd4c10, priority=0, domain=nat-per-session, deny=false hits=1564147, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 1024 ns

Phase 13
ID: 13
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1528a8f90af0, priority=0, domain=inspect-ip-options, deny=true hits=7989589, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=outside(vrfid:0), output_ifc=any
Elapsed Time: 512 ns

Phase 14
ID: 14
Type: FLOW-CREATION
Result: ALLOW
Config:
Additional Information: New flow created with id 8775910, packet dispatched to next moduleModule information for forward flow ...snp_fp_inspect_ip_optionssnp_fp_tcp_normalizersnp_fp_snortsnp_fp_translatesnp_fp_tcp_normalizersnp_fp_adjacencysnp_fp_svc_ob_tunnel_flowsnp_fp_fragmentsnp_ifc_statModule information for reverse flow ...snp_fp_inspect_ip_optionssnp_fp_svc_ib_tunnel_flowsnp_fp_tcp_normalizersnp_fp_translatesnp_fp_snortsnp_fp_tcp_normalizersnp_fp_adjacencysnp_fp_fragmentsnp_ifc_stat
Elapsed Time: 15360 ns

Phase 15
ID: 15
Type: EXTERNAL-INSPECT
Result: ALLOW
Config:
Additional Information: Application: 'SNORT Inspect'
Elapsed Time: 37888 ns

Phase 16
ID: 16
Type: SNORT
Subtype: appid
Result: ALLOW
Config:
Additional Information: service: (0), client: (0), payload: (0), misc: (0)
Elapsed Time: 16818 ns

Phase 17
ID: 17
Type: SNORT
Subtype: firewall
Result: ALLOW
Config: Network 0, Inspection 0, Detection 0, Rule ID 268435460
Additional Information: Starting rule matching, zone 1 -> 2, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xffMatched rule ids 268435460 - Allow
Elapsed Time: 52078 ns

Phase 18
ID: 18
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information: Found next-hop 217.38.158.89 using egress ifc outside(vrfid:0)
Elapsed Time: 6656 ns

Phase 19
ID: 19
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information: Found adjacency entry for Next-hop PUBLIC IP ADDRESS on interface outsideAdjacency :ActiveMAC address 0077.8d48.2d01 hits 156481 reference 63
Elapsed Time: 3072 ns

Result
Input Interface: inside(vrfid:0)
Input Status: up
Input Line Status: up
Output Interface: outside(vrfid:0)
Output Status: up
Output Line Status: up
Action: allow
Time Taken: 231710 ns

 

@Garrd are you sure your NAT exemption rules between the inside networks and the RAVPN network are set up correctly? Traffic is matching the following NAT rule - translating behind the interface, rather than routing untranslated.

Phase 5
ID: 5
Type: NAT
Result: ALLOW
Config: nat (inside,outside) source dynamic B-HQ-Network interface

I had not spotted that. NAT rules are:

Nat Rules Before

  1. Dynamic Inside-Zone to Outside-Zone Original Source: B-HQ-Network to Translated Source: Interface
  2. Static Inside-Zone to Outside-Zone Original Source: B-HQ-Network Original Destination: B-RA-VPN Translated Source: B-HQ-Network Translated Destination: B-RA-VPN

Do I need to promote the VPN rule 2 above the dynamic?

@Garrd correct, rule #2, the NAT exemption rule (between inside network and the RAVPN network) needs to be above the other rule, otherwise traffic from the inside network to the RAVPN is being unintentionally translated behind the interface.

The dynamic rule should be an Auto NAT rule and the static NAT exemption rule should be a Manual NAT rule.
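As an added illustration (not code from the thread, from Cisco, or from FMC), the following Python models how the FTD/ASA NAT table picks the first matching rule, so the two orderings listed above can be compared for the inside-to-pool flow from the packet-tracer. The object contents, the exemption line in ASA syntax and the section numbering (Manual NAT before Auto NAT) are assumptions; only the dynamic rule text and the addresses come from the thread.

```python
import ipaddress
import re

# Constructed sample data: object contents and the exemption line are
# assumptions made for this example, not configuration from the thread.
OBJECTS = {
    "B-HQ-Network": ipaddress.ip_network("192.168.245.0/24"),
    "B-RA-VPN": ipaddress.ip_network("192.168.244.0/24"),
}
OUTSIDE_IF = ipaddress.ip_address("217.38.158.94")  # PAT address from the trace

DYNAMIC = "nat (inside,outside) source dynamic B-HQ-Network interface"
EXEMPT = ("nat (inside,outside) source static B-HQ-Network B-HQ-Network "
          "destination static B-RA-VPN B-RA-VPN no-proxy-arp route-lookup")

RULE_RE = re.compile(r"nat \(\w+,\w+\) source (dynamic|static) (\S+) (\S+)"
                     r"(?: destination static (\S+) \S+)?")

def parse_rule(line, section=1):
    """Parse a manual-NAT style line. section=1 is Manual NAT (evaluated
    first); section=2 is Auto NAT (evaluated after all section-1 rules)."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported nat line: {line}")
    kind, src, src_xlate, dst = m.groups()
    return {"kind": kind, "src": OBJECTS[src], "src_xlate": src_xlate,
            "dst": OBJECTS[dst] if dst else None, "section": section,
            "line": line}

def translate(rules, src_ip, dst_ip):
    """First match wins, in table order (section 1 before section 2, then
    configured order). Returns (translated source, matching rule line)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ordered = sorted(enumerate(rules), key=lambda t: (t[1]["section"], t[0]))
    for _, r in ordered:
        if src_ip not in r["src"]:
            continue
        if r["dst"] is not None and dst_ip not in r["dst"]:
            continue
        if r["kind"] == "dynamic" and r["src_xlate"] == "interface":
            return OUTSIDE_IF, r["line"]   # PAT behind the outside address
        return src_ip, r["line"]           # static identity: untranslated
    return src_ip, None

def exemption_effective(rules, src_ip="192.168.245.2", dst_ip="192.168.244.8"):
    """True when inside -> RA-VPN pool traffic leaves untranslated."""
    xlated, _ = translate(rules, src_ip, dst_ip)
    return xlated == ipaddress.ip_address(src_ip)
```

With the dynamic rule first (the "before" order), the server's address is rewritten to the outside interface and the VPN client never sees 192.168.245.2; moving the exemption first, or making the dynamic rule Auto NAT, leaves it untranslated.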

Thanks Rob, long day and needed someone to bounce this off of.

I will get the change made but completely see this as the solution.

Many thanks