08-08-2024 10:49 PM
My company has a Cisco Firepower 1120. I have to configure a site-to-site VPN with another company. I was given the information by the other company. My device, the Firepower, I configure from the FDM. On the internet, I found that the FDM supports only route-based site-to-site VPN. The other company told me that they have no possibility of configuring their device with route-based site-to-site VPN, only with policy-based site-to-site VPN. I must configure a policy-based site-to-site VPN. On the internet, I found that a template exists for configuring a policy-based site-to-site VPN. Can you give me some information about this? One more question: I must configure the policy-based site-to-site VPN from the CLI. Which terminal do I use to configure this option? Is it system support diagnostic-cli?
08-09-2024 04:46 AM - edited 08-09-2024 04:51 AM
I set a static route for network 11.115.55.0/24, gateway remote_ip_address_peer over the outside interface, and when I type the command
> show crypto ikev2 sa
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
238350603 my outside/500 remote ip peer/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:24, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/725 sec
Child sa: local selector 11.4.23.0/0 - 11.4.23.255/65535
remote selector 11.115.55.0/0 - 11.115.55.255/65535
ESP spi in/out: 0x69a8783c/0xc1943a6f
and
> show crypto ipsec sa
interface: outside
Crypto map tag: s2sCryptoMap, seq num: 1, local addr: my outside
access-list |s2sAcl|091dd7e7-5575-11ef-85f5-2fcd82cd34ff extended permit ip 11.4.23.0 255.255.255.0 11.115.55.0 255.255.255.0
local ident (addr/mask/prot/port): (11.4.23.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (11.115.55.0/255.255.255.0/0/0)
current_peer: ip remote peer
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: myoutside ip/500, remote crypto endpt.: ip remote peer/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C1943A6F
current inbound spi : 69A8783C
inbound esp sas:
spi: 0x69A8783C (1772648508)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 24, IKEv2, }
slot: 0, conn_id: 34998, crypto-map: s2sCryptoMap
sa timing: remaining key lifetime (kB/sec): (3962875/28034)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00001FFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1943A6F (3247716975)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 24, IKEv2, }
slot: 0, conn_id: 34998, crypto-map: s2sCryptoMap
sa timing: remaining key lifetime (kB/sec): (4285440/28034)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
and the command show nat detail
6 (inside_servers) to (outside) source static server_network eUprava destination static OpenShift_Network OpenShift_Network
translate_hits = 0, untranslate_hits = 19
Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
Destination - Origin: 11.155.55.0/24, Translated: 11.155.55.0/24
It looks like NAT is not configured properly.
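As an added diagnostic (not from the thread, Cisco, or FDM), the Python below reads the pasted show crypto ipsec sa and show nat detail fragments and flags the symptoms visible in the output above: packets decapsulated but none encapsulated, a NAT rule with untranslate hits only, and a NAT destination network that, as pasted, differs from the crypto ACL's remote network (11.155.55.0/24 versus 11.115.55.0/24). The sample strings are copied from the posts above, not captured from a live device.

```python
import re
import ipaddress

# Constructed sample: fragments of the 'show crypto ipsec sa' and 'show nat detail'
# output pasted in the thread above (copied from the posts, not from a live device).
IPSEC_SA = """\
local ident (addr/mask/prot/port): (11.4.23.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (11.115.55.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
"""
NAT_DETAIL = """\
translate_hits = 0, untranslate_hits = 19
Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
Destination - Origin: 11.155.55.0/24, Translated: 11.155.55.0/24
"""

def parse_ipsec_sa(text):
    """Proxy identities (crypto ACL networks) and encap/decap counters from 'show crypto ipsec sa'."""
    ident = dict(re.findall(r"(local|remote) ident .*?: \(([\d.]+/[\d.]+)/", text))
    pkts = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    return {"local": ipaddress.ip_network(ident["local"]),
            "remote": ipaddress.ip_network(ident["remote"]), **pkts}

def parse_nat(text):
    """Origin/translated networks and hit counters of the static NAT rule from 'show nat detail'."""
    nets = {side.lower(): (ipaddress.ip_network(orig), ipaddress.ip_network(xlat))
            for side, orig, xlat in re.findall(
                r"(Source|Destination) - Origin: ([\d./]+), Translated: ([\d./]+)", text)}
    hits = {k: int(v) for k, v in re.findall(r"(\w*translate_hits) = (\d+)", text)}
    return {"nets": nets, **hits}

def diagnose(sa, nat):
    """Return findings that explain a tunnel that is UP but passes traffic only one way."""
    findings = []
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way tunnel: peer traffic is decrypted (decaps) but nothing is "
                        "encrypted back (encaps 0); no outbound packet has matched the crypto map")
    src_origin, src_xlat = nat["nets"]["source"]
    dst_origin, _ = nat["nets"]["destination"]
    if src_xlat != sa["local"]:
        findings.append(f"NAT translated source {src_xlat} != crypto ACL local {sa['local']}")
    if dst_origin != sa["remote"]:
        findings.append(f"NAT destination {dst_origin} != crypto ACL remote {sa['remote']}: "
                        "LAN traffic to the peer network will not match this NAT rule")
    if nat["translate_hits"] == 0 and nat["untranslate_hits"] > 0:
        findings.append(f"NAT rule: {nat['untranslate_hits']} untranslate hits but 0 translate "
                        f"hits, so no packet from {src_origin} toward the peer has used it yet")
    return findings
```

Call diagnose(parse_ipsec_sa(IPSEC_SA), parse_nat(NAT_DETAIL)) to get the list of findings; substitute your own pasted output for the two sample strings.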
08-09-2024 04:57 AM
@gogi99 you previously said the remote/local protected networks needed to be 11.115.55.0/24 and 11.4.23.0/24.
Yet the local/remote networks are completely different in your output. Have you provided the correct output?
local ident (addr/mask/prot/port): (10.7.54.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.101.57.0/255.255.255.0/0/0)
How are you testing this? Traffic needs to be sourced from 192.168.99.x to the remote destination in order to be translated.
08-09-2024 05:07 AM
Per your instruction, in the site-to-site VPN configuration I set the protected local network to 11.4.23.0/24 and the remote protected network to 11.115.55.0/24; I made a mistake when I typed the message. I don't know whether my NAT rule is right, because
6 (inside_servers) to (outside) source static server_network eUprava destination static OpenShift_Network OpenShift_Network
translate_hits = 0, untranslate_hits = 19
Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
Destination - Origin: 11.155.55.0/24, Translated: 11.155.55.0/24
08-09-2024 06:19 AM
Can you share
the packet tracer for VPN traffic? Note: use real IPs in the packet tracer.
MHM
08-09-2024 06:29 AM
I don't know how to use the packet tracer. Where can I find it?
08-09-2024 06:31 AM
Can you access the FTD CLI? Or do you use only FDM?
MHM
08-11-2024 10:13 PM
I have access to the CLI and FDM.
08-11-2024 10:36 PM
I tried the traceroute command to 11.115.55.4 on a host, but nothing.
08-12-2024 01:27 AM
If you can access via the CLI then do
Packet tracer <inside> <local LAN IP> <1234> <remote LAN IP> <1234> detail <<- run this twice
Packet tracer <outside> <remote LAN IP> <1234> <local LAN IP> <1234> detail
Share the result here.
MHM
08-12-2024 02:05 AM
For the inside interface, the local LAN IP is my local LAN address range 192.168.99.0/24.
What are inside and outside? Are they my inside_servers interface and outside interface?
For the outside interface, remote LAN IP, which address?
08-12-2024 02:14 AM
What are inside and outside? Are they my inside_servers interface and outside interface? Correct.
For the outside interface, remote LAN IP, which address? Sorry, can you elaborate more?
08-12-2024 02:17 AM
The inside_servers interface is the inside interface on the FPR; the outside interface is outside. The LAN address is 192.168.99.0/24.
From the other company I received the following:
When you initiate an interesting communication, the tunnel will rise again. The prerequisite for this is that you route the 11.115.55.0/24 network through your FPR, which we talked about on Friday. You need to verify the routing between the first router (which is the def gw for your server) and the FPR, across all L3 hops. Also, if you have ACL or firewall policies on the packet path, you need to allow the desired connectivity to OpenShift through them.
I don't have hops; my LAN network has its gateway on 192.168.99.1 and inside_servers on 192.168.99.9.
08-12-2024 02:24 AM
Packet tracer <inside_servers> <192.168.99.100 > <1234> <11.115.55.100> <1234> detail <<- run this twice
Share the result here.
MHM
08-12-2024 02:36 AM
I typed in the format packet-tracer input inside_servers tcp 192.168.99.20 but I don't know what to type now.
08-12-2024 02:40 AM
packet-tracer input inside_servers tcp 192.168.99.20 1234 11.115.55.100 1234 detail
Friend, run this command twice and share the result of the second run.
MHM