
Monitoring Port in VPN Site To Site FTD 1120 Series

Valentin GOULET
Level 1

Hello,

Equipment: Firepower FTD1120 - V. 7.2.0-82

Good morning,

I have a functional site-to-site between my client and their provider, but the prints don’t work from the provider-side application to the client-side printers. (Port 9100)

So I’d like to access the logs to see what it blocks, unfortunately I can’t find anything from the FTD interface and the only commands I found are
show crypto ipsec sa
Show crypto ikev2 sa
But they just tell me that the latter is mounted but not what happens inside.

Thank you in advance for your feedback,

Valentin GOULET

27 Replies

@Valentin GOULET have you explicitly permitted traffic from the provider IP to the client-side printer in the Access Control Policy?

To troubleshoot, you can use packet-tracer from the FTD to simulate the traffic flow which would indicate where the issue is. Example:

packet-tracer input <outside interface> tcp <provider ip> 3000 <clientside printer ip> 9100

Alternatively, from the CLI of the FTD run "system support firewall-engine-debug" filter on the IP address of the provider IP and generate traffic, this should provide some useful information on which rule traffic is matching.

Thank you for your answer.

To make sure I write the correct command line, here is my configuration.

- Internal network: 192.168.1.0/24
- NAT Internal Network (s2s VPN connection): 10.100.29.0/24
- External network (s2s VPN connection): 10.100.30.0/24

I have a machine at 10.100.30.1 that must reach the printer at 192.168.1.11 and must go through IP 10.100.29.2.

So the command is:

packet-tracer input outside tcp 10.100.30.1 3000 10.100.29.2 9100


And for the second action, I put the following information, but I have no feedback.


Please specify an IP protocol: tcp
Please provide a client IP address: 10.100.30.1
Please specify a client port: 9100
Please specify a server IP address: 10.100.29.2
Please specify a server port: 9100

@Valentin GOULET the source port isn't likely to be tcp/9100, it would be a random port.

I generally just filter on the source and destination IP address, that way you can see other traffic that may be sent/received. So repeat but without the client or server ports.

Your ACP rule needs to permit src: 10.100.30.1 (external network) dst: 192.168.1.11 (internal real IP) dst port: tcp/9100, do you have that? Provide a screenshot of the rules.

What is the exact configuration of your NAT rule, provide a screenshot.

When I run the following command:


Please specify an IP protocol: tcp
Please provide a client IP address: 
Please specify a client port: 
Please specify a server IP address: 
Please specify a server port: 

I only have logs of 192.168.1.0/24 and not of 10.100.29.0/24 or 10.100.30.0/24.

And I don't know if it is related, but from my network 192.168.1.0/24 the ping to 192.168.1.1 (FTD) no longer works.

Here is the configuration of the FTD, without the confidential information:


!
interface Ethernet1/1
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address (IP PUBLIC CLIENT) 255.255.255.248
!
interface Ethernet1/2
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup outside
dns domain-lookup inside
dns server-group InternalDNS
name-server XX.XX.XX.XX
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
dns server-group cloudflare
name-server 1.1.1.1
name-server 1.0.0.1
dns-group CiscoUmbrellaDNSServerGroup
no object-group-search access-control

object network 10.100.29.2
host 10.100.29.2
object network 10.100.29.1
host 10.100.29.1
object network 192.168.1.217
host 192.168.1.217
object network outside_network
subnet (IP PUBLIC GW) 255.255.255.248
object network |66.102.0.0
subnet 66.102.0.0 255.255.240.0
object network 192.168.1.214_www
host 192.168.1.214
object network 192.168.1.213_5985
host 192.168.1.213
object network 10.100.30.12
host 10.100.30.12
object network 10.100.30.13
host 10.100.30.13
object network 192.168.1.220
host 192.168.1.220
object network 192.168.1.0/24
subnet 192.168.1.0 255.255.255.0
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network IPv4-Private-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0
object network IPv4-Private-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0
object network IPv4-Private-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0
object network 10.100.30.0/24
subnet 10.100.30.0 255.255.255.0
object network 10.100.29.0
subnet 10.100.29.0 255.255.255.0
object network 10.100.30.14
host 10.100.30.14
object network 192.168.1.12
host 192.168.1.12
object network 192.168.1.219
host 192.168.1.219
object network |64.233.160.0
subnet 64.233.160.0 255.255.224.0
object network 10.100.30.5
host 10.100.30.5
object network 192.168.1.11
host 192.168.1.11
object network 192.168.1.13
host 192.168.1.13
object network |72.14.192.0
subnet 72.14.192.0 255.255.192.0
object network |66.249.80.0
subnet 66.249.80.0 255.255.240.0
object network |109.3.168.210
host 109.3.168.210
object network 10.100.30.11
host 10.100.30.11
object network |216.239.32.0
subnet 216.239.32.0 255.255.224.0
object network 10.100.30.10
host 10.100.30.10
object network 192.168.1.218
host 192.168.1.218
object network |209.85.128.0
subnet 209.85.128.0 255.255.128.0
object network 10.100.30.3
host 10.100.30.3
object network NETWORK_OBJ_10.100.1.0_24
subnet 10.100.1.0 255.255.255.0
object network |173.194.0.0
subnet 173.194.0.0 255.255.0.0
object network |216.58.192.0
subnet 216.58.192.0 255.255.224.0
object network |192.168.1.206
host 192.168.1.206
object network |10.10.1.200
host 10.10.1.200
object network |64.18.0.0
subnet 64.18.0.0 255.255.240.0
object network 10.100.30.1
host 10.100.30.1
object network |10.10.1.0
subnet 10.10.1.0 255.255.255.0
object network |108.177.8.0
subnet 108.177.8.0 255.255.248.0
object network |207.126.144.0
subnet 207.126.144.0 255.255.240.0
object network |74.125.0.0
subnet 74.125.0.0 255.255.0.0
object network 192.168.1.241
host 192.168.1.241
object network OutsideIPV4Gateway
host CC.CC.CC.CC
object network OutsideIPv4DefaultRoute
subnet 0.0.0.0 0.0.0.0
object network 10.100.30.2
host 10.100.30.2
object network 10.100.30.4
host 10.100.30.4
object service _|NatOrigSvc_10d86604-3a82-11ed-80d1-fd48aa2e8dc7
service tcp source eq 5001
object service _|NatMappedSvc_10d86604-3a82-11ed-80d1-fd48aa2e8dc7
service tcp source eq 5001
object service _|NatOrigSvc_82e7ec2a-3a82-11ed-80d1-aba326284087
service tcp source eq 123
object service _|NatMappedSvc_82e7ec2a-3a82-11ed-80d1-aba326284087
service tcp source eq 123
object service _|NatOrigSvc_b31d894d-3a82-11ed-80d1-35c5a3d70307
service tcp source eq 15000
object service _|NatMappedSvc_b31d894d-3a82-11ed-80d1-35c5a3d70307
service tcp source eq 15000
object service _|NatOrigSvc_4eac39b3-3a83-11ed-80d1-bd16003fdf43
service tcp source eq 2195
object service _|NatMappedSvc_4eac39b3-3a83-11ed-80d1-bd16003fdf43
service tcp source eq 2195
object service _|NatOrigSvc_ade1b316-3a83-11ed-80d1-d3413fc7d965
service tcp source eq 2528
object service _|NatMappedSvc_ade1b316-3a83-11ed-80d1-d3413fc7d965
service tcp source eq 2528
object service _|NatOrigSvc_dfa60689-3a83-11ed-80d1-91e4b2d93505
service tcp source eq sip
object service _|NatMappedSvc_dfa60689-3a83-11ed-80d1-91e4b2d93505
service tcp source eq sip
object service _|NatOrigSvc_6b373e3f-3a84-11ed-80d1-7bba5740ef91
service udp source eq sip
object service _|NatMappedSvc_6b373e3f-3a84-11ed-80d1-7bba5740ef91
service udp source eq sip
object service _|NatOrigSvc_8ef728e2-3a84-11ed-80d1-a193711c6402
service tcp source eq 5061
object service _|NatMappedSvc_8ef728e2-3a84-11ed-80d1-a193711c6402
service tcp source eq 5061
object service _|NatOrigSvc_779099ba-3a85-11ed-80d1-1b8abce2a2eb
service udp source eq 5061
object service _|NatMappedSvc_779099ba-3a85-11ed-80d1-1b8abce2a2eb
service udp source eq 5061
object service _|NatOrigSvc_9961facd-3a85-11ed-80d1-6f010a83f882
service udp source eq 5090
object service _|NatMappedSvc_9961facd-3a85-11ed-80d1-6f010a83f882
service udp source eq 5090
object service _|NatOrigSvc_c7f8b502-3a85-11ed-80d1-7bcc900eb1f4
service tcp source eq 5090
object service _|NatMappedSvc_c7f8b502-3a85-11ed-80d1-7bcc900eb1f4
service tcp source eq 5090
object service _|NatOrigSvc_8c41bb08-3a86-11ed-80d1-93759333cdfb
service tcp source eq 587
object service _|NatMappedSvc_8c41bb08-3a86-11ed-80d1-93759333cdfb
service tcp source eq 587
object service _|NatOrigSvc_adfe5b9b-3a86-11ed-80d1-11be5c1eac6f
service tcp source eq https
object service _|NatMappedSvc_adfe5b9b-3a86-11ed-80d1-11be5c1eac6f
service tcp source eq https
object service _|NatOrigSvc_e35301c1-3a86-11ed-80d1-559226e5ebf1
service tcp source eq ssh
object service _|NatMappedSvc_e35301c1-3a86-11ed-80d1-559226e5ebf1
service tcp source eq 2222
object service _|NatOrigSvc_37c22657-3a87-11ed-80d1-a55abf66868e
service udp source range 9000 10999
object service _|NatMappedSvc_37c22657-3a87-11ed-80d1-a55abf66868e
service udp source range 9000 10999
object service _|NatOrigSvc_2d0db856-3b11-11ed-80d1-8f012ad9f098
service tcp source eq 5432
object service _|NatMappedSvc_2d0db856-3b11-11ed-80d1-8f012ad9f098
service tcp source eq 5432
object service _|NatOrigSvc_54b56479-3b11-11ed-80d1-c30833928fe2
service tcp source eq www
object service _|NatMappedSvc_54b56479-3b11-11ed-80d1-c30833928fe2
service tcp source eq www
object service _|NatOrigSvc_a3b193ac-3b11-11ed-80d1-a1d84ec5b38c
service tcp source eq https
object service _|NatMappedSvc_a3b193ac-3b11-11ed-80d1-a1d84ec5b38c
service tcp source eq https
object service _|NatOrigSvc_f155acef-3b11-11ed-80d1-c9cfa56b50f6
service tcp source eq ssh
object service _|NatMappedSvc_f155acef-3b11-11ed-80d1-c9cfa56b50f6
service tcp source eq ssh
object network VPN_DHCP
range 192.168.1.170 192.168.1.190
object service _|NatOrigSvc_ecb78c6e-3b14-11ed-80d1-a948d3635638
service tcp source eq www
object service _|NatMappedSvc_ecb78c6e-3b14-11ed-80d1-a948d3635638
service tcp source eq www
object service _|NatOrigSvc_57d4d034-3b15-11ed-80d1-eb81804368bf
service tcp source eq 5985
object service _|NatMappedSvc_57d4d034-3b15-11ed-80d1-eb81804368bf
service tcp source eq 5985
object network 10.100.29.4
host 10.100.29.4
object network 10.100.29.3
host 10.100.29.3
object network 192.168.1.10
host 192.168.1.10
object service _|NatOrigSvc_656f4407-7aea-11ed-9d66-c9ffbc9e3ac1
service tcp source eq 9100
object service _|NatMappedSvc_656f4407-7aea-11ed-9d66-c9ffbc9e3ac1
service tcp source eq 9100
object network 192.168.1.213
host 192.168.1.213
object network 192.168.1.227
host 192.168.1.227
object service _|NatOrigSvc_7ba41988-3b14-11ed-80d1-b51035986838
service tcp source eq telnet
object service _|NatMappedSvc_7ba41988-3b14-11ed-80d1-b51035986838
service tcp source eq telnet
object service _|NatOrigSvc_7c2bfbd5-7b84-11ed-9d66-9d742308ed5d
service tcp source eq ldap
object service _|NatMappedSvc_7c2bfbd5-7b84-11ed-9d66-9d742308ed5d
service tcp source eq ldap
object service _|NatOrigSvc_e194dc35-3b13-11ed-80d1-5f3985c966a9
service tcp source eq 6331
object service _|NatMappedSvc_e194dc35-3b13-11ed-80d1-5f3985c966a9
service tcp source eq 6331
object service _|NatOrigSvc_884f996e-7c4c-11ed-9d66-512e553611b0
service tcp source eq 1762
object service _|NatMappedSvc_884f996e-7c4c-11ed-9d66-512e553611b0
service tcp source eq 17627
object network 192.168.1.1-192.168.1.254
range 192.168.1.0 192.168.1.254
object network 10.100.29.1-10.100.29.254
range 10.100.29.1 10.100.29.254
object-group network NGFW-Remote-Access-VPN|natIpv4Grp
network-object object 192.168.1.0/24
object-group network copieurs
network-object object 192.168.1.12
network-object object 192.168.1.217
network-object object 192.168.1.218
network-object object 192.168.1.13
network-object object 192.168.1.219
network-object object 192.168.1.220
network-object object 192.168.1.241
object-group network IPv4-Private-All-RFC1918
network-object object IPv4-Private-10.0.0.0-8
network-object object IPv4-Private-172.16.0.0-12
network-object object IPv4-Private-192.168.0.0-16
object-group service |acSvcg-268435458
service-object tcp source eq https destination eq https
object-group service |acSvcg-268435462
service-object tcp source eq 9100 destination eq 9100
object-group network |acDestNwg-268435458
network-object object 10.100.30.12
network-object object 10.100.30.11
network-object object 10.100.30.13
network-object object 10.100.30.14
object-group service |acSvcg-268435459
service-object tcp source eq https destination eq https
object-group network |acDestNwg-268435459
network-object object 10.100.30.3
network-object object 10.100.30.2
network-object object 10.100.30.4
object-group service |acSvcg-268435460
service-object tcp source eq 8443 destination eq 8443
object-group service |acSvcg-268435461
service-object tcp source eq 449 destination eq 449
service-object tcp source eq 449 destination eq 992
service-object tcp source eq 449 destination eq 9470
service-object tcp source eq 449 destination range 9475 9476
service-object tcp source eq 992 destination eq 449
service-object tcp source eq 992 destination eq 992
service-object tcp source eq 992 destination eq 9470
service-object tcp source eq 992 destination range 9475 9476
service-object tcp source eq 9470 destination eq 449
service-object tcp source eq 9470 destination eq 992
service-object tcp source eq 9470 destination eq 9470
service-object tcp source eq 9470 destination range 9475 9476
service-object tcp source range 9475 9476 destination eq 449
service-object tcp source range 9475 9476 destination eq 992
service-object tcp source range 9475 9476 destination eq 9470
service-object tcp source range 9475 9476 destination range 9475 9476
object-group network |acDestNwg-268435461
network-object object 10.100.30.1
network-object object 10.100.30.10
object-group service |acSvcg-268435457
service-object ip
object-group network |acSrcNwg-268435462
network-object object 10.100.30.1
network-object object 10.100.30.10
object-group network |acDestNwg-268435462
network-object object 10.100.29.2
network-object object 10.100.29.4
network-object object 10.100.29.3
object-group service |acSvcg-268435463
service-object ip
object-group service |acSvcg-268435464
service-object ip
object-group service |acSvcg-268435465
service-object tcp destination eq telnet
service-object tcp destination eq smtp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 5985
service-object tcp destination eq 6331
service-object tcp destination eq 17627
service-object tcp destination eq 53389
object-group service |acSvcg-268435471
service-object tcp destination range ssh telnet
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 5985
service-object tcp destination eq 6331
service-object tcp destination eq 17627
object-group network |acDestNwg-268435471
network-object object 192.168.1.213_5985
network-object object 192.168.1.214_www
network-object object 192.168.1.227
object-group service |acSvcg-268435466
service-object tcp source eq 5432 destination eq 5432
object-group service |acSvcg-268435467
service-object tcp source eq ssh destination eq ssh
object-group service |acSvcg-268435468
service-object udp source range 9000 9398 destination range 9000 9398
service-object udp source range 9000 9398 destination range 10600 10998
service-object udp source range 10600 10998 destination range 9000 9398
service-object udp source range 10600 10998 destination range 10600 10998
object-group service |acSvcg-268435470
service-object tcp destination eq ssh
service-object tcp destination eq 123
service-object tcp destination eq https
service-object tcp destination eq 587
service-object tcp destination eq 2195
service-object tcp destination eq 5001
service-object tcp destination eq 5090
service-object tcp destination eq 15000
service-object udp destination range sip 5061
service-object udp destination eq 5090
service-object udp destination range 9000 10999
object-group network |s2sAclSrcNwgV4|b12a2624-3a44-11ed-80d1-431b69dad281
network-object object 10.100.29.0
object-group network |s2sAclDestNwgV4|b12a2624-3a44-11ed-80d1-431b69dad281
network-object object 10.100.30.0/24
object-group service |acSvcg-268435469
service-object ip
object-group service |acSvcg-268435473
service-object tcp destination eq ldap
object-group service |acSvcg-268435472
service-object ip
object-group network NGFW-Remote-Access-VPN|natIpv4PoolGrp
network-object object VPN_DHCP
object-group network |acDestNwg-268435472
network-object object 192.168.1.0/24
network-object object 10.100.30.0/24
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: as400_inside
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc outside object-group |acSrcNwg-268435462 ifc inside object-group |acDestNwg-268435462 rule-id 268435462 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: REC
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc inside object 192.168.1.0/24 ifc outside object-group |acDestNwg-268435458 rule-id 268435458
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: PROD
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc inside object 192.168.1.0/24 ifc outside object-group |acDestNwg-268435459 rule-id 268435459
access-list NGFW_ONBOX_ACL remark rule-id 268435460: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435460: L5 RULE: 10.100.30.5
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 ifc inside object 192.168.1.0/24 ifc outside object 10.100.30.5 rule-id 268435460
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: AS400
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc inside object 192.168.1.0/24 ifc outside object-group |acDestNwg-268435461 rule-id 268435461 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: 10.10.1.0
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc inside object 192.168.1.0/24 ifc inside object |10.10.1.0 rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: 10.10.1.0_outside
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc outside object |10.10.1.0 any rule-id 268435464
access-list NGFW_ONBOX_ACL remark rule-id 268435465: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435465: L5 RULE: Open_outside
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435465 any ifc outside any rule-id 268435465
access-list NGFW_ONBOX_ACL remark rule-id 268435471: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435471: L5 RULE: CRM_AND_SITEWEB
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435471 ifc outside object any-ipv4 ifc inside object-group |acDestNwg-268435471 rule-id 268435471
access-list NGFW_ONBOX_ACL remark rule-id 268435468: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435468: L5 RULE: 3cx_open_port
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435468 any object IP_PUBLIC_4 rule-id 268435468
access-list NGFW_ONBOX_ACL remark rule-id 268435472: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435472: L5 RULE: VPNRA Rule
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435472 ifc outside object VPN_DHCP ifc inside object-group |acDestNwg-268435472 rule-id 268435472
access-list NGFW_ONBOX_ACL remark rule-id 268435473: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435473: L5 RULE: OutToIn_192.168.1.213_LDAP
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435473 ifc outside object any-ipv4 ifc inside object 192.168.1.213 rule-id 268435473
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435469: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435469: L5 RULE: Outside_Inside
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435469 ifc outside any ifc inside any rule-id 268435469
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list |s2sAcl|b12a2624-3a44-11ed-80d1-431b69dad281 extended permit ip object-group |s2sAclSrcNwgV4|b12a2624-3a44-11ed-80d1-431b69dad281 object-group |s2sAclDestNwgV4|b12a2624-3a44-11ed-80d1-431b69dad281
access-list DfltGrpPolicy|splitAcl extended permit ip object 192.168.1.0/24 any
access-list DfltGrpPolicy|splitAcl extended permit ip object 10.100.30.0/24 any
pager lines 24
logging enable
logging timestamp
logging console warnings
logging buffered emergencies
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu serveurs 1500
mtu lan_20 1500
mtu lan_30 1500
mtu internal_wifi 1500
mtu management 1500
mtu tel 1500
mtu voip 1500
mtu diagnostic 1500
no failover
monitor-interface management
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (outside,inside) source static 10.100.30.1 10.100.30.1 destination static 10.100.29.4 192.168.1.10 service _|NatOrigSvc_656f4407-7aea-11ed-9d66-c9ffbc9e3ac1 _|NatMappedSvc_656f4407-7aea-11ed-9d66-c9ffbc9e3ac1
nat (outside,inside) source static 10.100.30.0/24 10.100.29.1-10.100.29.254 destination static 10.100.29.1-10.100.29.254 192.168.1.1-192.168.1.254
nat (inside,outside) source static 192.168.1.1-192.168.1.254 10.100.29.1-10.100.29.254 destination static 10.100.30.0/24 10.100.30.0/24
nat (outside,inside) source static 10.100.30.0/24 interface destination static 10.100.29.1 192.168.1.0/24
nat (inside,outside) source static 192.168.1.227 interface service _|NatOrigSvc_e194dc35-3b13-11ed-80d1-5f3985c966a9 _|NatMappedSvc_e194dc35-3b13-11ed-80d1-5f3985c966a9
nat (inside,outside) source static 192.168.1.227 interface service _|NatOrigSvc_7ba41988-3b14-11ed-80d1-b51035986838 _|NatMappedSvc_7ba41988-3b14-11ed-80d1-b51035986838
nat (inside,outside) source static 192.168.1.213 interface service _|NatOrigSvc_7c2bfbd5-7b84-11ed-9d66-9d742308ed5d _|NatMappedSvc_7c2bfbd5-7b84-11ed-9d66-9d742308ed5d
nat (inside,outside) source static 192.168.1.227 interface service _|NatOrigSvc_884f996e-7c4c-11ed-9d66-512e553611b0 _|NatMappedSvc_884f996e-7c4c-11ed-9d66-512e553611b0
nat (inside,outside) source dynamic any-ipv4 interface

route outside 0.0.0.0 0.0.0.0 (IP PUBLIC CLIENT GW) 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
http ::/0 inside
ip-client inside
ip-client inside ipv6
ip-client management
ip-client management ipv6
ip-client diagnostic
ip-client diagnostic ipv6
ip-client outside
ip-client outside ipv6
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|b12a2624-3a44-11ed-80d1-431b69dad281
crypto map s2sCryptoMap 1 set pfs
crypto map s2sCryptoMap 1 set peer (IP PUBLIC PARTNER)
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map s2sCryptoMap 1 set security-association lifetime seconds 3600
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 28800
crypto ikev2 enable outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh ::/0 inside
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnpkgs/anyconnect-win-4.10.06079-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.213
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DfltGrpPolicy|splitAcl
default-domain value (DOMAINE)
split-tunnel-all-dns enable
address-pools value VPN_DHCP
webvpn
anyconnect mtu 1300
anyconnect dtls compression lzs
group-policy |s2sGP|(IP PUBLIC PARTNER) internal
group-policy |s2sGP|(IP PUBLIC PARTNER) attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group (IP PUBLIC PARTNER) type ipsec-l2l
tunnel-group (IP PUBLIC PARTNER) general-attributes
default-group-policy |s2sGP|(IP PUBLIC PARTNER)
tunnel-group (IP PUBLIC PARTNER) ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect xdmcp
class class_snmp
inspect snmp

@Valentin GOULET I asked to repeat without the source/destination ports, so I meant leave the IP addresses, like this.

Please specify an IP protocol: tcp
Please provide a client IP address: 10.100.30.1
Please specify a client port: 
Please specify a server IP address: 192.168.1.11
Please specify a server port:

You will need to generate traffic between those IP addresses for anything to match.

From your configuration output I can determine that 10.100.30.1 is defined as an object, which is referenced in the object-group "acDestNwg-268435461". That object-group is referenced in the rule "access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc inside object 192.168.1.0/24 ifc outside object-group |acDestNwg-268435461 rule-id 268435461 event-log both". This appears to be a rule from inside to outside.


I cannot see a rule from outside to inside to permit traffic from the service provider. Did you create an inbound rule from outside to inside as requested?

Did you run packet-tracer as requested?

ACL RULES :

access-list advanced permit outside object 10.100.30.1 9100 inside object 192.168.1.11 9100

NAT RULES :

nat (outside, inside) source static 10.100.30.0/24 10.100.29.0/24 destination static 10.100.29.0/24 192.168.1.0/24

nat (inside, outside) source static 192.168.1.0/24 10.100.30.0/24 destination static 10.100.29.0/24 10.100.30.0/24

nat (outside, inside) source static 10.100.30.0/24 10.100.29.1 destination static Interface 192.168.1.0/24

@Valentin GOULET like I said previously, the source port isn't likely to be tcp/9100, it would be a random port. So traffic won't match your ACL. Modify the ACL to include source IP, destination IP and destination port, without specifying 9100 as the source port, therefore "any".

Please provide the packet-tracer output.

packet-tracer input outside tcp 10.100.30.1 3000 192.168.1.11 9100

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 17408 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 16384 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.1.11 using egress ifc inside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 9557 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc outside object-group |acSrcNwg-268435462 ifc inside object canon2 rule-id 268435462 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: inside_canon2
object-group service |acSvcg-268435462
service-object tcp destination eq 9100
object-group network |acSrcNwg-268435462
network-object object prod
network-object object rec
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 9557 ns
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 9557 ns
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 76800 ns
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 7680 ns
Config:
nat (outside, inside) source static 10.100.30.0/24 10.100.29.0/24 destination static 10.100.29.0/24 192.168.1.0/24
Additional Information:
Forward Flow based lookup yields rule:
out id=0x14ff79130d60, priority=6, domain=nat-reverse, deny=false
hits=7893, user_data=0x14ff782b39a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.30.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside(vrfid:0), output_ifc=inside(vrfid:0)

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 87039 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000564a4d464635 flow (NA)/NA

@Valentin GOULET your NAT rule is incorrect.

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 7680 ns
Config:
nat (outside, inside) source static 10.100.30.0/24 10.100.29.0/24 destination static 10.100.29.0/24 192.168.1.0/24

Why is the translated source 10.100.29.0/24? Shouldn't it be 10.100.30.0/24? Aren't you just translating on the destination?

I disabled this NAT rule; now I have this result from the packet-tracer command line:

> packet-tracer input outside tcp 10.100.30.1 3000 192.168.1.11 9100

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 17920 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 16896 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.1.11 using egress ifc inside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8192 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc outside object-group |acSrcNwg-268435462 ifc inside object canon2 rule-id 268435462 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: canon2
object-group service |acSvcg-268435462
service-object tcp destination eq 9100
object-group network |acSrcNwg-268435462
network-object object prod
network-object object rec
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8192 ns
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8192 ns
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 27136 ns
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 8704 ns
Config:
nat (inside,outside) source static 192.168.1.0/24 10.100.29.0/24 destination static 10.100.30.0/24 10.100.30.0/24
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 95232 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000564a4d464635 flow (NA)/NA

You need to change the packet tracer to use the NAT IP and not the real IP.

packet-tracer input outside tcp 10.100.30.1 3000 10.100.29.2 9100

--
Please remember to select a correct answer and rate helpful posts

OK, the result with the NAT IP is:

> packet-tracer input outside tcp 10.100.30.1 3000 10.100.29.2 9100

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 19456 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 11776 ns
Config:
nat (inside,outside) source static 192.168.1.0/24 10.100.29.0/24 destination static 10.100.30.0/24 10.100.30.0/24
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate 10.100.29.2/9100 to 192.168.1.2/9100

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 6784 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435469 ifc outside any ifc inside any rule-id 268435469
access-list NGFW_ONBOX_ACL remark rule-id 268435469: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435469: L5 RULE: Outside_Inside
object-group service |acSvcg-268435469
service-object ip
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 6784 ns
Config:
nat (inside,outside) source static 192.168.1.0/24 10.100.29.0/24 destination static 10.100.30.0/24 10.100.30.0/24
Additional Information:
Static translate 10.100.30.1/3000 to 10.100.30.1/3000

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6784 ns
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6784 ns
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 25600 ns
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 9216 ns
Config:
nat (inside,outside) source static 192.168.1.0/24 10.100.29.0/24 destination static 10.100.30.0/24 10.100.30.0/24
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 19456 ns
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 512 ns
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Elapsed time: 3584 ns
Config:
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 116736 ns
Drop-reason: (ipsec-spoof) IPSEC Spoof detected, Drop-location: frame 0x0000564a4d46552e flow (NA)/NA
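
All three packet-tracer captures in this thread are read the same way: walk the phases top-down to the first DROP, then look at the Config block of that phase (the NAT rule it matched) and the final Drop-reason. As an added example, not part of this thread or of Cisco's tooling, here is a small Python parser that does that; SAMPLE is a constructed, abridged trace in the same layout as the captures above, with its NAT lines copied from the thread.

```python
"""Added example: parse Cisco packet-tracer output and find the dropping phase.
SAMPLE is a constructed, abridged trace in the layout of the captures above."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static 192.168.1.0/24 10.100.29.0/24 destination static 10.100.30.0/24 10.100.30.0/24
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate 10.100.29.2/9100 to 192.168.1.2/9100

Phase: 2
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside, inside) source static 10.100.30.0/24 10.100.29.0/24 destination static 10.100.29.0/24 192.168.1.0/24
Additional Information:

Result:
input-interface: outside(vrfid:0)
output-interface: inside(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0 flow (NA)/NA
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    action: str
    drop_reason: Optional[str]


def _value(line: str) -> str:
    return line.split(":", 1)[1].strip()


def parse_packet_tracer(text: str) -> Trace:
    phases: List[Phase] = []
    current: Optional[Phase] = None
    section = None      # "config" or "info" while inside a phase
    in_result = False   # True once the trailing "Result:" block starts
    action, drop_reason = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = Phase(number=int(_value(line)))
            phases.append(current)
            section, in_result = None, False
        elif line == "Result:":            # bare header, unlike "Result: ALLOW"
            in_result, current = True, None
        elif in_result:
            if line.startswith("Action:"):
                action = _value(line)
            elif line.startswith("Drop-reason:"):
                drop_reason = _value(line)
        elif current is None or not line:
            continue
        elif line.startswith("Type:"):
            current.type = _value(line)
        elif line.startswith("Subtype:"):
            current.subtype = _value(line)
        elif line.startswith("Result:"):
            current.result = _value(line)
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, action, drop_reason)


def first_drop(trace: Trace) -> Optional[Phase]:
    """The first phase with Result DROP decides the verdict; later phases are not shown."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def drop_code(trace: Trace) -> Optional[str]:
    """The short code in parentheses, e.g. 'acl-drop' or 'ipsec-spoof'."""
    return trace.drop_reason.split(")")[0].strip("(") if trace.drop_reason else None


def nat_rules_hit(trace: Trace) -> List[Tuple[int, str, str]]:
    """Every 'nat ...' line under Config in a NAT or UN-NAT phase, in phase order."""
    return [(p.number, p.subtype, c)
            for p in trace.phases if p.type in ("NAT", "UN-NAT")
            for c in p.config if c.startswith("nat ")]
```

Running `parse_packet_tracer` over the thread's captures gives the same reading the replies reach by eye: the rpf-check phase is the first DROP, and the rule under its Config is the one to inspect. Keeping the `info` lines is deliberate, since the `Untranslate ... to ...` line is what reveals which real address the mapped address resolved to.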

First off, is this a Lab environment?

You need to remove the first NAT statement below or move the second above the first to match correctly here. If that first statement needs to remain in the configuration, you need to create another more specific NAT statement above that first NAT statement for traffic between 10.100.30.1 and 192.168.1.11 (10.100.29.2).

nat (outside,inside) source static 10.100.30.0/24 10.100.29.1-10.100.29.254 destination static 10.100.29.1-10.100.29.254 192.168.1.1-192.168.1.254
nat (inside,outside) source static 192.168.1.1-192.168.1.254 10.100.29.1-10.100.29.254 destination static 10.100.30.0/24 10.100.30.0/24

Also, in the packet tracer the Phase 3 is matching on an ACL that indicates an inside object canon2, but I am unable to see this in the configuration you posted. Did you include your full config or did you edit some parts out?

access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc outside object-group |acSrcNwg-268435462 ifc inside object canon2 rule-id 268435462 event-log both

--
Please remember to select a correct answer and rate helpful posts
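
The point in the reply above is rule order: section 1 manual NAT rules are evaluated top-down and the first match wins, so a /24-to-/24 rule placed above a host-specific one silently decides the untranslation. The earlier trace shows exactly that: 10.100.29.2 came back as 192.168.1.2 under the broad rule, not as the printer. As an added example, not from the thread or from Cisco, here is a small Python model of that lookup using the thread's addresses; the host-specific printer rule (192.168.1.11 to 10.100.29.2) is an assumption, and only same-size static prefixes are modelled.

```python
"""Added example: first-match ordering of manual (twice) NAT rules, modelled in Python.
Addresses are the thread's; the rule objects, the printer rule and function names are mine."""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


def _shift(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """One-to-one static net-to-net mapping keeps the host offset inside the prefix."""
    return ip_address(int(dst_net.network_address) + (int(addr) - int(src_net.network_address)))


class ManualNat:
    """nat (inside,outside) source static REAL_SRC MAPPED_SRC destination static MAPPED_DST REAL_DST
    Only same-size static prefixes are modelled, which is all the thread's rules use."""

    def __init__(self, name: str, real_src: str, mapped_src: str, mapped_dst: str, real_dst: str):
        self.name = name
        self.real_src, self.mapped_src = ip_network(real_src), ip_network(mapped_src)
        self.mapped_dst, self.real_dst = ip_network(mapped_dst), ip_network(real_dst)

    def untranslate(self, src: IPv4Address, dst: IPv4Address) -> Optional[Tuple[IPv4Address, IPv4Address]]:
        """Packet arriving on the mapped (outside) side. The rule matches when the packet's
        source is in REAL_DST and its destination in MAPPED_SRC; returns the real-side (src, dst)."""
        if src in self.real_dst and dst in self.mapped_src:
            return (_shift(src, self.real_dst, self.mapped_dst),
                    _shift(dst, self.mapped_src, self.real_src))
        return None


def lookup(rules: List[ManualNat], src: str, dst: str) -> Optional[Tuple[str, str, str]]:
    """Section 1 manual NAT is evaluated top-down; the first matching rule wins."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        hit = rule.untranslate(s, d)
        if hit is not None:
            return rule.name, str(hit[0]), str(hit[1])
    return None   # no manual rule matched (object NAT or no translation would follow)


# The thread's existing /24 <-> /24 rule.
BROAD = ManualNat("broad", "192.168.1.0/24", "10.100.29.0/24", "10.100.30.0/24", "10.100.30.0/24")
# Assumed host-specific rule for the printer, as the reply suggests (192.168.1.11 <-> 10.100.29.2).
PRINTER = ManualNat("printer", "192.168.1.11/32", "10.100.29.2/32", "10.100.30.0/24", "10.100.30.0/24")


def printer_lookup_broad_first() -> Optional[Tuple[str, str, str]]:
    """Broad rule above the specific one: 10.100.29.2 untranslates to 192.168.1.2, as in the trace."""
    return lookup([BROAD, PRINTER], "10.100.30.1", "10.100.29.2")


def printer_lookup_specific_first() -> Optional[Tuple[str, str, str]]:
    """Specific rule first: the same packet reaches the printer at 192.168.1.11."""
    return lookup([PRINTER, BROAD], "10.100.30.1", "10.100.29.2")
```

With the broad rule first, `lookup` returns `192.168.1.2` for the printer's mapped address, which is what the earlier trace's `Untranslate 10.100.29.2/9100 to 192.168.1.2/9100` line shows; with the specific rule first it returns `192.168.1.11`, and other hosts in 10.100.29.0/24 still fall through to the broad rule. The model covers only the destination lookup, not the rpf-check or the ipsec-spoof verdict that follows it on the box.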

No, it's in production, hence the fact that I can't experiment too much because people work through the site-to-site.
I added a nat (inside, outside) 192.168.1.11 10.100.29.2 static destination 10.100.30.1 10.100.29.2, but it still does not pass.

canon2 = 192.168.1.11
