IPSEC between Firepower and Cisco ASA (not found)

pablo.beraldi
Level 1

I am trying to make an IPSEC between a Cisco Firepower Management Center 1000 FW and a Cisco ASA 5508, but I am not able to make them see each other. I don't see logs anywhere of IKE attempts on either version. I tried V1 and V2, with all the policies and proposals, but nothing. On the other hand, if I grab a Fortinet and do an IPSEC against the Firepower, the events do arrive and it comes up, and the same from the Fortinet to the ASA. I put rules from any zone to any zone with any network and nothing. I don't have CLI access on the Firepower, but I do from the handle, and I used debug crypto ikev1 200, debug crypto isakmp 200, debug crypto ikev2 platform, etc., and I don't see events from the public IP of the Firepower. Any ideas? Thanks

7 Replies

You need to activate the IPsec tunnel by passing some traffic that hits the IPsec ACL.

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.17.3.47 using egress ifc IPlan

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip object-group FMC_INLINE_src_rule_268438637 object-group FMC_INLINE_dst_rule_268438637 rule-id 268438637
access-list CSM_FW_ACL_ remark rule-id 268438637: ACCESS POLICY: SONDA Argentina - Alsina - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268438637: L7 RULE: IPSEC_SONDA (2)
object-group network FMC_INLINE_src_rule_268438637
description: Auto Generated by FMC from src of UnifiedNGFWRule# 21 (SONDA Argentina - Alsina/mandatory)
network-object object Test_Zabbix
network-object object Test_IPSEC
object-group network FMC_INLINE_dst_rule_268438637
description: Auto Generated by FMC from dst of UnifiedNGFWRule# 21 (SONDA Argentina - Alsina/mandatory)
network-object object Test_Zabbix
network-object object Test_IPSEC
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: IPlan
input-status: up
input-line-status: up
output-interface: IPlan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

To test an IPsec VPN, you need to run packet-tracer twice, not once.

Do it twice and share the output.

pablo.beraldi
Level 1

I tried to generate traffic but nothing. The strange thing is that on the FP side it never generates IPSEC traffic; is it necessary to activate something within the interface? I also generated a NAT for phase 2, since I saw in a video that they did it. In addition to the rules, I made an extended ACL that allows the phase 2 traffic. But I don't see anything when doing a capture on the Firepower side; it's very weird. I am doing the IPsec from a new WAN interface from a new provider. Thank you

No capture, but the ping is successful?

In your packet tracer there is no crypto map and no NAT rules showing up, so I guess your configuration is not consistent.

please do not forget to rate.
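For reference, here is what a consistent ASA-side configuration for the tunnel in this thread looks like, together with the two-run packet-tracer check the replies above ask for. This is an added example, not configuration from the original poster or from Cisco's documentation. It assumes the ASA 5508 uses nameif "inside" and "outside" (the poster's interface is called IPlan), that the ASA's protected network is 10.10.0.0/24 and the Firepower's is 10.20.0.0/24, that the Firepower peer address is 198.51.100.20, and that IKEv2 with a pre-shared key is used; all of these addresses and names are placeholders. The lines starting with "!" are annotations, not commands. The Firepower side of this is built in FMC (Devices > VPN > Site To Site) and deployed from there; only the ASA is configured from the CLI.

```text
! Placeholder addressing (assumption): ASA LAN 10.10.0.0/24, FTD LAN 10.20.0.0/24, FTD peer 198.51.100.20
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

object network LOCAL_LAN
 subnet 10.10.0.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.255.0

! Interesting traffic (phase 2 selectors); must mirror the FTD side exactly
access-list VPN_TO_FTD extended permit ip object LOCAL_LAN object REMOTE_LAN

! Identity NAT so the LAN-to-LAN flow is not translated before the crypto map sees it
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

crypto map OUTSIDE_MAP 10 match address VPN_TO_FTD
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ********
 ikev2 local-authentication pre-shared-key ********

! Verification. Run packet-tracer twice: the first run only triggers IKE and is
! expected to end in the "VPN encrypt ... DROP" seen in the thread; once the SAs are up,
! the second run should show Phase VPN/encrypt ALLOW and the packet leaving "outside".
packet-tracer input inside icmp 10.10.0.5 8 0 10.20.0.5 detailed
packet-tracer input inside icmp 10.10.0.5 8 0 10.20.0.5 detailed
show crypto ikev2 sa
show crypto ipsec sa peer 198.51.100.20

! Confirm IKE actually leaves the box: capture UDP/500 and UDP/4500 on the outside interface
capture IKE interface outside match udp any any eq 500
capture NATT interface outside match udp any any eq 4500
show capture IKE
show capture NATT
```

If the second packet-tracer run still drops at the VPN encrypt phase, or the IKE capture stays empty, the flow is not reaching a crypto map entry on the egress interface: check that the crypto map is applied to the interface the route lookup actually chose (the thread's output resolves the next hop via IPlan), that the NAT exemption precedes any dynamic PAT rule, and that the interesting-traffic ACL mirrors the selectors configured on the FMC side.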