route based, policy based site to site VPN on the firepower 1120

gogi99
Level 1

My company has a Cisco Firepower 1120. I have to configure a site-to-site VPN with another company. I got the information from the other company. My device, the Firepower, I configure from the FDM. On the internet, I found that the FDM supports just route-based site-to-site VPN. The other company gave me information that they have no possibility of configuring their device with a route-based site-to-site VPN, just with a policy-based site-to-site VPN. I must configure a policy-based site-to-site VPN. On the internet, I found that a template exists for configuring a policy-based site-to-site VPN. Can you give me some information about this? One more question: I must configure the policy-based site-to-site VPN from the CLI. Which terminal do I use to configure this option? Is it system support diagnostic-cli?


Syntax error: Illegal command line

Can you take a screenshot of the command?

MHM

Finally I received:

> packet-tracer input inside_servers tcp 192.168.99.20 1234 11.115.55.100 1234 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b23994b6040, priority=1, domain=permit, deny=false
hits=5022429004, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside_servers, output_ifc=any

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop ip_remote_peer using egress ifc outside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b2396ea7c20, priority=12, domain=permit, deny=true
hits=23616506, user_data=0x2b2389bf2c80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any

Result:
input-interface: inside_servers(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005654019f52b0 flow (NA)/NA

>

We got the first thing: why the VPN drops.

The ACL drops the traffic.

MHM

I created access rules and I receive:

> packet-tracer input inside_servers tcp 192.168.99.20 1234 11.115.55.100 1234 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b23994b6040, priority=1, domain=permit, deny=false
hits=5022511776, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside_servers, output_ifc=any

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop ip_remote_peer using egress ifc outside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 any object-group |acDestNwg-268435463 rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: eUprava_out
object-group service |acSvcg-268435463
service-object ip
object-group network |acDestNwg-268435463
network-object object OpenShift_Network
network-object object eUprava
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x2b239db457d0, priority=12, domain=permit, deny=false
hits=8, user_data=0x2b2389d83300, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=11.15.55.100, mask=255.255.255.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_servers,outside) source dynamic server_network interface dns
Additional Information:
Dynamic translate 192.168.99.20/1234 to ip_of_my_outside_interface/1234
Forward Flow based lookup yields rule:
in id=0x2b239851b7c0, priority=6, domain=nat, deny=false
hits=3121, user_data=0x2b2398516ca0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.99.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b23968f2260, priority=0, domain=nat-per-session, deny=false
hits=66136615, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b2398a5df70, priority=0, domain=inspect-ip-options, deny=true
hits=16016030, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=any

Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b239a5732b0, priority=18, domain=flow-export, deny=false
hits=400156, user_data=0x2b2399c27de0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside_servers,outside) source dynamic server_network interface dns
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b239851c450, priority=6, domain=nat-reverse, deny=false
hits=3122, user_data=0x2b23985199f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.99.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2b23968f2260, priority=0, domain=nat-per-session, deny=false
hits=66136617, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2b239afd2430, priority=0, domain=inspect-ip-options, deny=true
hits=41726934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside(vrfid:0), output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 62029982, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 13
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 231930627
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: allow rule, id 268435463, allow
Snort id 2, NAP id 3, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Phase: 14
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop ip_of_remote_peer using egress ifc outside(vrfid:0)

Result:
input-interface: inside_servers(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop., Drop-location: frame 0x000056540192fe79 flow (NA)/NA

>

nat (inside_servers,outside) source dynamic server_network interface dns

This NAT is above the NAT you use for IPsec; this makes the traffic not match the ACL of the policy-based VPN.

What type of NAT do you use for the VPN? You need to use manual before,

not auto NAT.

My NAT rule for the VPN is manual, before auto NAT, static.

nat.jpg

This is how the NAT must be.

MHM

nat.jpg

Nothing. I have a static route:


11.115.55.100 255.255.255.0 [7/0] via ip_remote_peer, outside

Must I have it? I tested with a static route and without a static route; again nothing.

Did you change the NAT?

If yes, share a new packet tracer.

MHM

My packet-tracer:


> packet-tracer input inside_servers tcp 192.168.99.20 1234 11.115.55.100 1234 detailed

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop ip_remote_peer using egress ifc outside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 any object-group |acDestNwg-268435463 rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: eUprava_out
object-group service |acSvcg-268435463
service-object ip
object-group network |acDestNwg-268435463
network-object object OpenShift_Network
network-object object eUprava
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x2b239db457d0, priority=12, domain=permit, deny=false
hits=485, user_data=0x2b2389d83300, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=11.115.55.100, mask=255.255.255.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_servers,outside) source dynamic server_network interface dns
Additional Information:
Dynamic translate 192.168.99.20/1234 to ip_outside_interface/1234
Forward Flow based lookup yields rule:
in id=0x2b239851b7c0, priority=6, domain=nat, deny=false
hits=3598, user_data=0x2b2398516ca0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.99.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b23968f2260, priority=0, domain=nat-per-session, deny=false
hits=66146173, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b2398a5df70, priority=0, domain=inspect-ip-options, deny=true
hits=16017160, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=any

Phase: 6
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b239a5732b0, priority=18, domain=flow-export, deny=false
hits=400866, user_data=0x2b2399c27de0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside_servers,outside) source dynamic server_network interface dns
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b239851c450, priority=6, domain=nat-reverse, deny=false
hits=3599, user_data=0x2b23985199f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.99.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2b23968f2260, priority=0, domain=nat-per-session, deny=false
hits=66146175, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2b239afd2430, priority=0, domain=inspect-ip-options, deny=true
hits=41732759, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside(vrfid:0), output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 62036435, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 1086714797
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: allow rule, id 268435463, allow
Snort id 2, NAP id 3, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Phase: 13
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop ip_remote_peer using egress ifc outside(vrfid:0)

Result:
input-interface: inside_servers(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop., Drop-location: frame 0x000056540192fe79 flow (NA)/NA

>
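An added example, not code from this thread or from Cisco: a small Python parser for the packet-tracer output posted above. It splits a trace into phases, pulls out the final Action and Drop-reason (acl-drop in the first trace, no-v4-adjacency in the later ones), and flags the ordering problem MHM describes, a 'source dynamic' NAT rule translating the source before any NAT exemption for the VPN. The sample trace inside the block is constructed and abbreviated from the thread's output; the translated address, the REMOTE object-group name and the drop location are placeholders.

```python
"""Parse FTD/ASA 'packet-tracer ... detailed' output and explain why a packet dropped.
Added example for this thread (not Cisco's or the posters' code); it assumes the
layout shown above: Phase: blocks, then a final Result: block with Action/Drop-reason."""
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list[str] = field(default_factory=list)
    info: list[str] = field(default_factory=list)

# "Drop-reason: (code) text, Drop-location: ..." -> code and text
DROP_RE = re.compile(r"Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<text>[^,]*)")

def parse_trace(text):
    """Return (phases, final): the Phase list and the trailing Result: fields."""
    phases, final = [], {}
    current, section, in_final = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):   # skip blanks and CLI prompt lines
            continue
        if line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
        elif line == "Result:":                # a bare Result: opens the summary
            in_final, current = True, None
        elif in_final:
            m = DROP_RE.search(line)
            if m:
                final["drop_code"] = m.group("code")
                final["drop_text"] = m.group("text").strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                final[key.strip()] = value.strip()
        elif current is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, value = line.split(":", 1)
            setattr(current, key.lower(), value.strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is not None:
            getattr(current, section).append(line)
    return phases, final

def diagnose(phases, final):
    """Findings to act on: phases returning DROP, the final drop reason, and a
    dynamic PAT rewriting traffic a policy-based VPN must see untranslated."""
    findings = []
    for p in phases:
        if p.result == "DROP":
            findings.append(f"phase {p.number} {p.type} returned DROP: "
                            + "; ".join(p.config[:2]))
    if final.get("Action") == "drop":
        findings.append(f"final action drop ({final.get('drop_code')}): {final.get('drop_text')}")
    # The NAT phase without a subtype is the rule that rewrites the packet. If it is
    # a 'source dynamic' rule and the source got translated, the VPN's ACL never sees
    # the real address: a NAT exemption (manual, before the auto rules) must precede it.
    for p in phases:
        if p.type == "NAT" and not p.subtype and any("source dynamic" in c for c in p.config):
            hits = [i for i in p.info if i.startswith("Dynamic translate")]
            if hits:
                findings.append(f"dynamic PAT applied ({hits[0]}); VPN-bound traffic "
                                "needs a NAT exemption ordered before this rule")
    return findings

# Constructed sample, abbreviated from the thread's trace; the translated address,
# the REMOTE object-group and the drop location are placeholders.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit ip any object-group REMOTE rule-id 268435463
Additional Information:

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_servers,outside) source dynamic server_network interface dns
Additional Information:
Dynamic translate 192.168.99.20/1234 to 203.0.113.10/1234

Result:
Action: drop
Drop-reason: (no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop., Drop-location: frame 0x0 flow (NA)/NA
"""
```

Paste the full output of `packet-tracer ... detailed` in place of SAMPLE_TRACE and call `diagnose(*parse_trace(text))`. The per-phase check is what separates an acl-drop, where a phase itself returns DROP, from a drop that only appears in the final Result block, as with no-v4-adjacency; the NAT finding is the same ordering point MHM makes, so the parser reports it even when the final drop reason is something else.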

nat (inside_servers,outside) source dynamic server_network interface dns

Still the same issue. What type is this NAT? It must be auto NAT.

MHM

This rule, nat (inside_servers,outside) source dynamic server_network interface dns, I don't see in the FDM. I don't know which type this rule must be.

It must be auto, not manual.

Share screenshots of all NAT in FDM.

MHM

All NAT rules:

all nats.jpg