12-18-2018 04:21 AM - edited 02-21-2020 09:31 PM
Dear team,
I'm currently facing an unusual scenario and could use some assistance in order to make it work.
I have two VPN tunnels with two different partners and, due to business, they are not allowed to establish the tunnel between them directly. With that being said, I'm in the middle of the path to receive traffic from one Site-to-Site IPSec VPN tunnel and forward it to the secondary.
The behavior I'm experiencing is a drop (the traffic is not even attempting to trigger the SA for the secondary tunnel).
Just as base information:
I do have connectivity in both tunnels (I'm able to receive the traffic from the first tunnel, although it is being dropped) and am able to send telnet traffic from a random server I've set up just to test connectivity for the second tunnel. I'm just not able to receive from the first tunnel and send it to the second.
Also, another important piece of info:
Both VPN tunnels are reaching my network on the same interface/zone, so (as per previous research) hairpinning is allowed by default on FTD devices.
The access rule is allowing the original source and the original destination (as should). I've also attempted to allow the NAT IPs in the ACL but the behavior is exactly the same.
I'm attaching a drawing for better understanding of the scenario.
Thanks,
Caio
12-21-2018 12:21 PM
Thank you for the tip. Unfortunately ICMP isn't allowed, so that specific packet-tracer won't work.
I got it fixed.
On the PAT, I had to remove the zone from the destination (leave to any) and in the filter ACL the same.
That's why the packet was being dropped.
Since I'm performing twice NAT with the original destination being just a NAT IP, the firewall didn't consider the exiting interface as inet (yet) and therefore did not find an ACL match. As soon as I removed the destination zone, the ACL matched and the traffic passed through.
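The same fix expressed in the FTD's underlying ASA-style CLI, as an added illustration that is not the poster's configuration: the zone name inet comes from the thread, while the object names and addresses are constructed placeholders, and the access control rule's destination zone is assumed to be set to "any" in FMC in the same way.

```text
! Constructed example (not the poster's config). Assumed: both tunnels land on
! the interface in zone "inet"; partner A's real host 10.1.1.10 is shown to
! partner B as 192.0.2.10, partner B's real host 10.2.2.20 is shown to partner A
! as 198.51.100.20. All names and addresses are placeholders.
object network PARTNER_A_REAL
 host 10.1.1.10
object network PARTNER_A_MAPPED
 host 192.0.2.10
object network PARTNER_B_REAL
 host 10.2.2.20
object network PARTNER_B_MAPPED
 host 198.51.100.20

! BEFORE: twice NAT with the destination (mapped) interface pinned to the VPN
! zone. A packet from tunnel A (src 10.1.1.10, dst 198.51.100.20) arrives on
! inet; as the poster describes, the egress interface was not yet resolved as
! inet, so an access control rule with destination zone inet did not match and
! the flow was dropped before tunnel B's SA was ever triggered.
nat (inet,inet) source static PARTNER_A_REAL PARTNER_A_MAPPED destination static PARTNER_B_MAPPED PARTNER_B_REAL

! AFTER: destination interface left as "any" (the accepted fix); the egress
! interface is then chosen after translation, and the access control rule,
! written on the real (original) addresses with destination zone "any", matches.
nat (inet,any) source static PARTNER_A_REAL PARTNER_A_MAPPED destination static PARTNER_B_MAPPED PARTNER_B_REAL

! Verification without ICMP: trace a TCP flow as it would arrive from tunnel A
! and confirm the NAT and ACCESS-LIST phases show ALLOW and the egress is the
! tunnel-B path rather than a DROP.
packet-tracer input inet tcp 10.1.1.10 12345 198.51.100.20 23 detailed
show nat detail
```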
12-18-2018 04:51 AM
On the FTD, create 1 hub and spoke topology and configure the option "Enable Spoke to Spoke Connectivity through Hub" under the Advanced Tunnel options.
HTH
12-18-2018 05:43 AM
That was a quite obvious answer and I didn't really think about it.
But it still brings me questions:
On one end of the tunnel (far east side) I have other traffic flows currently working for which I'm not in a hub-and-spoke scenario (point-to-point). How should I maintain these two scenarios in parallel?
Thanks,
12-18-2018 05:52 AM
12-19-2018 03:08 AM
I've recreated on my backup site the scenario but unfortunately the behavior is exactly the same:
the traffic is being dropped.
Any other thoughts of what might be causing this issue?
12-19-2018 07:25 PM