IPSEC into Firepower and Cisco ASA (no found)

pablo.beraldi
Level 1

I am trying to set up an IPsec tunnel between a Cisco Firepower Management Center 1000 FW and a Cisco ASA 5508, but I am not able to make them see each other. I don't see logs anywhere of IKE attempts on either version. I tried IKEv1 and IKEv2, with all the policies and proposals, but nothing. On the other hand, if I grab a Fortinet and do an IPsec against the Firepower, the events do arrive and it comes up, and the same from the Fortinet to the ASA. I put rules from any zone to any zone with any network and nothing. I don't have CLI access on the Firepower, but on the ASA I do, and I used debug crypto ikev1 200, debug crypto isakmp 200, debug crypto ikev2 platform, etc., and I don't see events from the public IP of the Firepower. Any ideas? Thanks

7 Replies

You need to activate the IPsec tunnel by passing some traffic that hits the IPsec ACL.

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.17.3.47 using egress ifc IPlan

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip object-group FMC_INLINE_src_rule_268438637 object-group FMC_INLINE_dst_rule_268438637 rule-id 268438637
access-list CSM_FW_ACL_ remark rule-id 268438637: ACCESS POLICY: SONDA Argentina - Alsina - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268438637: L7 RULE: IPSEC_SONDA (2)
object-group network FMC_INLINE_src_rule_268438637
description: Auto Generated by FMC from src of UnifiedNGFWRule# 21 (SONDA Argentina - Alsina/mandatory)
network-object object Test_Zabbix
network-object object Test_IPSEC
object-group network FMC_INLINE_dst_rule_268438637
description: Auto Generated by FMC from dst of UnifiedNGFWRule# 21 (SONDA Argentina - Alsina/mandatory)
network-object object Test_Zabbix
network-object object Test_IPSEC
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: IPlan
input-status: up
input-line-status: up
output-interface: IPlan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

To test an IPsec VPN, you need to run packet-tracer twice, not once.

Do it twice and share the output.
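As an added example (not part of this thread and not Cisco code), a small Python parser for packet-tracer output in the format posted above: it walks the phases and reports the first one whose Result is DROP together with the final Drop-reason, so the phase where the flow dies (here VPN/encrypt, not the access list) is obvious at a glance. The sample text is constructed and abbreviated from the output above.

```python
import re

# Constructed sample, abbreviated from the packet-tracer output posted above.
SAMPLE = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: IPlan
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """One dict per 'Phase: N' block (keys: number, type, subtype, result, config)."""
    phases, section = [], None
    for line in text.splitlines():
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:
            phases.append({"number": int(m.group(1)), "config": []})
            section = "header"
        elif section is None or line.strip() == "Result:":
            section = None              # bare "Result:" starts the summary block, not a phase
        elif line.startswith(("Config:", "Additional Information:")):
            section = line.split(":")[0].lower()
        elif section == "config" and line.strip():
            phases[-1]["config"].append(line)   # the ACL / crypto map / NAT lines that matched
        elif section == "header" and ":" in line:
            key, value = line.split(":", 1)
            phases[-1][key.strip().lower()] = value.strip()
    return phases

def first_drop(text):
    """Return (first phase whose Result is DROP, Drop-reason string); (None, None) if allowed."""
    drop = next((p for p in parse_phases(text) if p.get("result") == "DROP"), None)
    reason = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    return drop, (reason.group(1).strip() if reason else None)
```

Run against the full output above, it reports phase 11 VPN/encrypt with an acl-drop reason, while phase 4 (the access policy) and phase 9 (ipsec-tunnel-flow) were allowed; an empty config list on the VPN phases is the same hint the reply below gives, that no crypto map matched.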

pablo.beraldi
Level 1

I tried to generate traffic, but nothing. The strange thing is that on the FP side it never generates IPsec traffic; is it necessary to activate something on the interface? I also created a NAT for phase 2 since I saw in a video that they did it. In addition to the rules, I made an extended ACL that allows the phase 2 traffic. But I don't see anything when doing a capture on the Firepower side; it's very weird. I am doing the IPsec from a new WAN interface from a new provider. Thank you

No capture, but the ping is successful?

In your packet-tracer output there is no crypto map and no NAT rules showing up, so I guess your configuration is not consistent.

Please do not forget to rate.