route based, policy based site to site VPN on the firepower 1120

gogi99
Level 1

My company has a Cisco Firepower 1120. I have to configure a site-to-site VPN with another company. I got information from the other company. I configure my device, the Firepower, from FDM. On the internet, I found that FDM supports only route-based site-to-site VPN. The other company told me that they have no possibility of configuring their device with a route-based site-to-site VPN, only with a policy-based site-to-site VPN. I must configure a policy-based site-to-site VPN. On the internet, I found that a template exists for configuring a policy-based site-to-site VPN. Can you give me some information about this? One more question: I must configure the policy-based site-to-site VPN from the CLI. Which terminal do I use to configure this option? Is it system support diagnostic-cli?

50 Replies

I set a static route for network 11.115.55.0/24, gateway remote_ip_address_peer, over the outside interface, and when I type the command

> show crypto ikev2 sa

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
238350603 my outside/500                                    remote ip peer/500                                        READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:24, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/725 sec
Child sa: local selector  11.4.23.0/0 - 11.4.23.255/65535
          remote selector 11.115.55.0/0 - 11.115.55.255/65535
          ESP spi in/out: 0x69a8783c/0xc1943a6f

and

> show crypto ipsec sa

interface: outside
    Crypto map tag: s2sCryptoMap, seq num: 1, local addr: my outside

      access-list |s2sAcl|091dd7e7-5575-11ef-85f5-2fcd82cd34ff extended permit ip 11.4.23.0 255.255.255.0 11.115.55.0 255.255.255.0
      local ident (addr/mask/prot/port): (11.4.23.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (11.115.55.0/255.255.255.0/0/0)
      current_peer: ip remote peer

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: myoutside ip/500, remote crypto endpt.: ip remote peer/500
      path mtu 1500, ipsec overhead 78(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C1943A6F
      current inbound spi : 69A8783C

    inbound esp sas:
      spi: 0x69A8783C (1772648508)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 24, IKEv2, }
         slot: 0, conn_id: 34998, crypto-map: s2sCryptoMap
         sa timing: remaining key lifetime (kB/sec): (3962875/28034)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00001FFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xC1943A6F (3247716975)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 24, IKEv2, }
         slot: 0, conn_id: 34998, crypto-map: s2sCryptoMap
         sa timing: remaining key lifetime (kB/sec): (4285440/28034)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

command show nat detail

               6 (inside_servers) to (outside) source static server_network eUprava  destination static OpenShift_Network OpenShift_Network
                translate_hits = 0, untranslate_hits = 19
                Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
                 Destination - Origin: 11.155.55.0/24, Translated: 11.155.55.0/24

Like that, NAT is not configured properly.

@gogi99 you previously said the remote/local protected networks needed to be 11.115.55.0/24 and 11.4.23.0/24.

Yet the local/remote networks are completely different in your output. Have you provided the correct output?

local ident (addr/mask/prot/port): (10.7.54.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.101.57.0/255.255.255.0/0/0)

How are you testing this? Traffic needs to be sourced from 192.168.99.x to the remote destination in order to be translated.

Per your instruction, in the site-to-site VPN configuration I set the protected local network to 11.4.23.0/24 and the remote protected network to 11.115.55.0/24. I made a mistake when I typed the message. I don't know whether my NAT rule is right, because

  6 (inside_servers) to (outside) source static server_network eUprava  destination static OpenShift_Network OpenShift_Network
                translate_hits = 0, untranslate_hits = 19
                Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
                 Destination - Origin: 11.155.55.0/24, Translated: 11.155.55.0/24
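The two command outputs in this thread (the `show crypto ipsec sa` block in the earlier post and the `show nat detail` rule repeated just above) carry the three facts a defender cross-checks when a tunnel is UP but traffic only flows one way: the tunnel's local/remote selectors, the NAT rule's translated source and matched destination, and the encap/decap and translate/untranslate counters. The Python script below is an added example written for this page, not code from the thread or from Cisco. It parses constructed samples that mimic the layout of those two outputs (the local address is a documentation placeholder, and the regular expressions assume exactly that line layout) and reports whether the post-NAT source falls inside the local selector, whether the NAT destination object matches the remote selector, and whether the counters show one-directional traffic.

```python
"""Cross-check FTD `show crypto ipsec sa` and `show nat detail` output.

Added example for this thread. The samples are constructed to match the
shape of the excerpts posted above; they are not copied from a live device,
and the regexes assume that exact line layout.
"""
import ipaddress
import re

# Constructed sample SA; 203.0.113.10 is a documentation placeholder address.
IPSEC_SA_SAMPLE = """\
interface: outside
    Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (11.4.23.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (11.115.55.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
"""

# Constructed sample NAT rule with the same shape as the thread's rule 6.
NAT_SAMPLE = """\
6 (inside_servers) to (outside) source static server_network eUprava  destination static OpenShift_Network OpenShift_Network
    translate_hits = 0, untranslate_hits = 19
    Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
     Destination - Origin: 11.155.55.0/24, Translated: 11.155.55.0/24
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
NAT_RE = re.compile(r"(Source|Destination) - Origin: (\S+), Translated: (\S+)")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_ipsec_sa(text):
    """Return the selectors and encap/decap counters of one IPsec SA."""
    sa = {"local": None, "remote": None, "encaps": 0, "decaps": 0}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for direction, count in PKTS_RE.findall(text):
        sa[direction] = int(count)
    return sa


def parse_nat_rule(text):
    """Return origin/translated networks and hit counters of one NAT rule."""
    rule = {"translate_hits": 0, "untranslate_hits": 0}
    for which, origin, translated in NAT_RE.findall(text):
        rule[which.lower()] = {
            "origin": ipaddress.ip_network(origin, strict=False),
            "translated": ipaddress.ip_network(translated, strict=False),
        }
    hits = HITS_RE.search(text)
    if hits:
        rule["translate_hits"] = int(hits.group(1))
        rule["untranslate_hits"] = int(hits.group(2))
    return rule


def check_tunnel(sa, rule):
    """Return a list of (code, message) findings; an empty list means nothing suspicious."""
    findings = []
    src = rule["source"]["translated"]
    dst = rule["destination"]["origin"]
    # The post-NAT source must fall inside the tunnel's local selector, or the
    # packet leaves the NAT stage without ever matching the crypto ACL.
    if not src.subnet_of(sa["local"]):
        findings.append(("SRC_MISMATCH", f"translated source {src} not within local selector {sa['local']}"))
    # The destination the NAT rule matches on must be the remote selector; a
    # typo here means LAN traffic to the real remote network never hits the rule.
    if not dst.subnet_of(sa["remote"]):
        findings.append(("DST_MISMATCH", f"NAT destination {dst} not within remote selector {sa['remote']}"))
    # Decaps without encaps: the peer's packets arrive and are decrypted, but
    # nothing is ever sent back, so routing and NAT on the return path need a look.
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append(("ONE_WAY", f"{sa['decaps']} packets decapsulated, 0 encapsulated"))
    # untranslate_hits without translate_hits tells the same story from the NAT
    # side: inbound packets are un-NATed, outbound packets never match the rule.
    if rule["untranslate_hits"] > 0 and rule["translate_hits"] == 0:
        findings.append(("NO_TRANSLATE_HITS", "NAT rule only ever matched in the inbound direction"))
    return findings


if __name__ == "__main__":
    for code, msg in check_tunnel(parse_ipsec_sa(IPSEC_SA_SAMPLE), parse_nat_rule(NAT_SAMPLE)):
        print(f"{code}: {msg}")
```

To use it against a real device, paste the `show crypto ipsec sa` stanza for the peer and the single `show nat detail` rule into the two sample strings; the checker only looks at the ident, #pkts, Origin/Translated and hit-counter lines, so extra lines in the paste are ignored.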

Can you share packet-tracer for the VPN traffic? Note: use real IPs in packet-tracer.

MHM

I don't know how to use the packet tracer. Where can I find it?

Can you access the FTD CLI? Or do you use only FDM?

MHM

I have access to the CLI and FDM.

I tried the traceroute command to 11.115.55.4 on a host, but nothing.

If you can access via CLI, then do

packet-tracer <inside> <local LAN IP> <1234> <remote LAN IP> <1234> detail  <<- run this twice

packet-tracer <outside> <remote LAN IP> <1234> <local LAN IP> <1234> detail

Share the result here.

MHM

For the inside interface, the local LAN IP is my local LAN address range 192.168.99.0/24.

What is inside, outside? Is it my inside_servers interface, outside interface?

For the outside interface remote LAN IP, which address?

What is inside, outside? Is it my inside_servers interface, outside interface? Correct.

For the outside interface remote LAN IP, which address? Sorry, can you elaborate more?

The inside_servers interface is the inside interface on the FPR, and the outside interface is outside. The LAN address is 192.168.99.0/24.

From the other company I received the following:

When you initiate an interesting communication, the tunnel will rise again. The prerequisite for this is that you route the 11.115.55.0/24 network through your FPR, which we talked about on Friday. You need to verify the routing between the first router (which is the def gw for your server) and the FPR, across all L3 hops. Also, if you have ACL or firewall policies on the packet path, you need to allow the desired connectivity to OpenShift through them.

I don't have hops; my LAN network has its gateway on 192.168.99.1 and inside_servers on 192.168.99.9.

packet-tracer <inside_servers> <192.168.99.100> <1234> <11.115.55.100> <1234> detail <<- run this twice
Share the result here.

MHM

I typed in the format packet-tracer input inside_servers tcp 192.168.99.20 but I don't know what to type now?

packet-tracer input inside_servers tcp 192.168.99.20 1234 11.115.55.100 1234 detail

Friend, run this command twice and share the result of the second run.

MHM