08-08-2024 10:49 PM
My company has a Cisco Firepower 1120. I have to configure a site-to-site VPN with another company. I got information from the other company. I configure my device, the Firepower, from the FDM. On the internet, I found that the FDM supports just route-based site-to-site VPN. The other company gave me information that they have no possibility of configuring their device with a route-based site-to-site VPN, just with a policy-based site-to-site VPN. I must configure a policy-based site-to-site VPN. On the internet, I found that a template exists for configuring a policy-based site-to-site VPN. Can you give me some information about this? One more question: I must configure the policy-based site-to-site VPN from the CLI. Which terminal do I use to configure this option? Is it system support diagnostic-cli?
08-12-2024 02:43 AM
Syntax error: Illegal command line
08-12-2024 02:53 AM
Can you take a screenshot of the command?
MHM
08-12-2024 03:06 AM
Finally I received:
> packet-tracer input inside_servers tcp 192.168.99.20 1234 11.115.55.100 1234 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b23994b6040, priority=1, domain=permit, deny=false
hits=5022429004, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside_servers, output_ifc=any
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop ip_remote_peer using egress ifc outside(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b2396ea7c20, priority=12, domain=permit, deny=true
hits=23616506, user_data=0x2b2389bf2c80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any
Result:
input-interface: inside_servers(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005654019f52b0 flow (NA)/NA
>
08-12-2024 03:08 AM
We got the first thing: why the VPN drops.
The ACL drops the traffic.
MHM
08-12-2024 03:18 AM - edited 08-12-2024 03:20 AM
I created access rules and I receive:
> packet-tracer input inside_servers tcp 192.168.99.20 1234 11.115.55.100 1234 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b23994b6040, priority=1, domain=permit, deny=false
hits=5022511776, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside_servers, output_ifc=any
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop ip_remote_peer using egress ifc outside(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 any object-group |acDestNwg-268435463 rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: eUprava_out
object-group service |acSvcg-268435463
service-object ip
object-group network |acDestNwg-268435463
network-object object OpenShift_Network
network-object object eUprava
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x2b239db457d0, priority=12, domain=permit, deny=false
hits=8, user_data=0x2b2389d83300, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=11.15.55.100, mask=255.255.255.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_servers,outside) source dynamic server_network interface dns
Additional Information:
Dynamic translate 192.168.99.20/1234 to ip_of_my_outside_interface/1234
Forward Flow based lookup yields rule:
in id=0x2b239851b7c0, priority=6, domain=nat, deny=false
hits=3121, user_data=0x2b2398516ca0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.99.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b23968f2260, priority=0, domain=nat-per-session, deny=false
hits=66136615, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b2398a5df70, priority=0, domain=inspect-ip-options, deny=true
hits=16016030, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=any
Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b239a5732b0, priority=18, domain=flow-export, deny=false
hits=400156, user_data=0x2b2399c27de0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside_servers,outside) source dynamic server_network interface dns
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b239851c450, priority=6, domain=nat-reverse, deny=false
hits=3122, user_data=0x2b23985199f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.99.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2b23968f2260, priority=0, domain=nat-per-session, deny=false
hits=66136617, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2b239afd2430, priority=0, domain=inspect-ip-options, deny=true
hits=41726934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside(vrfid:0), output_ifc=any
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 62029982, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 12
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 13
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 231930627
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: allow rule, id 268435463, allow
Snort id 2, NAP id 3, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet
Phase: 14
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop ip_of_remote_peer using egress ifc outside(vrfid:0)
Result:
input-interface: inside_servers(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop., Drop-location: frame 0x000056540192fe79 flow (NA)/NA
>
08-12-2024 03:25 AM
nat (inside_servers,outside) source dynamic server_network interface dns
This NAT is above the NAT you use for IPsec; this makes the traffic not match the ACL of the policy-based VPN.
What type of NAT do you use for the VPN? You need to use manual NAT before auto NAT,
not auto NAT.
08-12-2024 03:29 AM
My NAT rule for the VPN is manual, before auto NAT, static.
08-12-2024 03:38 AM
This is how the NAT must be:
MHM
08-12-2024 03:48 AM
Nothing. I have a static route:
S 11.115.55.100 255.255.255.0 [7/0] via ip_remote_peer, outside
Must I have it? I tested with the static route and without the static route; again nothing.
08-12-2024 03:51 AM
Did you change the NAT?
If yes, share the new packet-tracer output.
MHM
08-12-2024 03:59 AM
My packet-tracer:
> packet-tracer input inside_servers tcp 192.168.99.20 1234 11.115.55.100 1234 detailed
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop ip_remote_peer using egress ifc outside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 any object-group |acDestNwg-268435463 rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: eUprava_out
object-group service |acSvcg-268435463
service-object ip
object-group network |acDestNwg-268435463
network-object object OpenShift_Network
network-object object eUprava
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x2b239db457d0, priority=12, domain=permit, deny=false
hits=485, user_data=0x2b2389d83300, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=11.115.55.100, mask=255.255.255.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_servers,outside) source dynamic server_network interface dns
Additional Information:
Dynamic translate 192.168.99.20/1234 to ip_outside_interface/1234
Forward Flow based lookup yields rule:
in id=0x2b239851b7c0, priority=6, domain=nat, deny=false
hits=3598, user_data=0x2b2398516ca0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.99.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b23968f2260, priority=0, domain=nat-per-session, deny=false
hits=66146173, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b2398a5df70, priority=0, domain=inspect-ip-options, deny=true
hits=16017160, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=any
Phase: 6
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b239a5732b0, priority=18, domain=flow-export, deny=false
hits=400866, user_data=0x2b2399c27de0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside_servers,outside) source dynamic server_network interface dns
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b239851c450, priority=6, domain=nat-reverse, deny=false
hits=3599, user_data=0x2b23985199f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.99.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_servers(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2b23968f2260, priority=0, domain=nat-per-session, deny=false
hits=66146175, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2b239afd2430, priority=0, domain=inspect-ip-options, deny=true
hits=41732759, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside(vrfid:0), output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 62036435, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 1086714797
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: allow rule, id 268435463, allow
Snort id 2, NAP id 3, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet
Phase: 13
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop ip_remote_peer using egress ifc outside(vrfid:0)
Result:
input-interface: inside_servers(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop., Drop-location: frame 0x000056540192fe79 flow (NA)/NA
>
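The three traces in this thread are long, and the interesting lines are few: the first phase whose Result is DROP (and the rule behind it), the closing Action and Drop-reason, and, in the later traces, the fact that a dynamic NAT rule translated the flow while no VPN encrypt phase ever ran, which is the signature of a tunnel whose NAT exemption did not win. The helper below is an added example, not code from the thread or from Cisco: it parses `packet-tracer ... detailed` output into phases and reports exactly those points. The two sample traces embedded in it are constructed, abbreviated versions of the outputs posted above; the `ip_outside_interface` placeholder is kept from the post.

```python
"""Summarise Firepower/ASA `packet-tracer ... detailed` output (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from textwrap import dedent

@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines listed under "Config:"

_PHASE = re.compile(r"^Phase:\s*(\d+)$")
_FIELDS = {"Type:": "ptype", "Subtype:": "subtype", "Result:": "result"}

def parse_trace(text: str) -> dict:
    """Return the phases, the first DROP phase, the final action/drop-reason and warnings."""
    phases, cur, in_config, action, reason = [], None, False, "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _PHASE.match(line)):
            cur, in_config = Phase(int(m.group(1))), False
            phases.append(cur)
        elif line == "Result:":                 # a bare "Result:" opens the closing summary block
            cur = None
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
        elif line.startswith("Drop-reason:"):
            reason = line.split(":", 1)[1].strip()
        elif cur is None or not line:
            continue
        elif line.startswith(tuple(_FIELDS)):
            prefix = line.split(":", 1)[0] + ":"
            setattr(cur, _FIELDS[prefix], line[len(prefix):].strip())
        elif line in ("Config:", "Additional Information:"):
            in_config = line == "Config:"
        elif in_config:
            cur.config.append(line)
    first_drop = next((p for p in phases if p.result == "DROP"), None)
    return {"phases": phases, "first_drop": first_drop, "action": action,
            "drop_reason": reason, "warnings": _warnings(phases, first_drop)}

def _warnings(phases, first_drop):
    warns = []
    if first_drop is not None:
        rule = next((c for c in first_drop.config
                     if c.startswith("access-list") and " remark " not in c), "implicit rule")
        warns.append(f"phase {first_drop.number} {first_drop.ptype} dropped the packet: {rule}")
    # The VPN pattern: the flow was PAT-translated and no VPN encrypt phase followed.
    pat = next((p for p in phases if p.ptype == "NAT" and p.subtype == ""
                and any(c.startswith("nat ") and " source dynamic " in c for c in p.config)), None)
    if pat and not any(p.ptype == "VPN" for p in phases):
        warns.append(f"phase {pat.number} applied '{pat.config[0]}' and no VPN encrypt phase ran: "
                     "the identity (NAT-exempt) rule for the tunnel is missing or ordered after "
                     "this dynamic rule, so the translated source cannot match the crypto ACL")
    return warns

# Constructed, abbreviated traces modelled on the outputs posted in the thread.
SAMPLE_ACL_DROP = dedent("""\
    Phase: 1
    Type: ACCESS-LIST
    Result: ALLOW
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: DROP
    Config:
    access-group NGFW_ONBOX_ACL global
    access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 event-log both
    access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
    Result:
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    """)

SAMPLE_PAT_NO_VPN = dedent("""\
    Phase: 1
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Phase: 2
    Type: NAT
    Result: ALLOW
    Config:
    nat (inside_servers,outside) source dynamic server_network interface dns
    Additional Information:
    Dynamic translate 192.168.99.20/1234 to ip_outside_interface/1234
    Phase: 3
    Type: FLOW-CREATION
    Result: ALLOW
    Result:
    Action: drop
    Drop-reason: (no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop.
    """)

if __name__ == "__main__":
    for s in (parse_trace(SAMPLE_ACL_DROP), parse_trace(SAMPLE_PAT_NO_VPN)):
        print(s["action"], s["drop_reason"], *s["warnings"], sep="\n  ")
```

Paste a real trace into `parse_trace()` the same way. On a working policy-based tunnel the trace for tunnel-bound traffic shows a `Type: VPN` phase after the NAT phases and the identity rule, not the dynamic PAT rule, in the NAT phase's Config; when the PAT rule is the one listed there, look at the NAT ordering before chasing the adjacency message.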
08-12-2024 04:16 AM
nat (inside_servers,outside) source dynamic server_network interface dns
Still the same issue. What type is this NAT? It must be auto NAT.
MHM
08-12-2024 04:26 AM - edited 08-12-2024 04:27 AM
This rule, nat (inside_servers,outside) source dynamic server_network interface dns, I don't see in the FDM. I don't know which type this rule must be.
08-12-2024 04:29 AM
It must be auto, not manual.
Share screenshots of all NAT rules in FDM.
MHM
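The advice in this thread is that the identity (NAT-exempt) rule for the tunnel traffic must be a manual NAT rule evaluated before auto NAT, and that the dynamic PAT for the server subnet must be an auto NAT rule. The reason is the lookup order: outbound packets are translated first and only then matched against the crypto ACL, so whichever NAT rule wins decides whether the source address still fits the tunnel. The Python model below is an added example, not code from the thread or from Cisco; it encodes the documented ASA/FTD NAT rule order (Section 1 manual NAT in configuration order, Section 2 auto NAT with static before dynamic and more specific objects first, Section 3 manual NAT after-auto) and shows what each placement does to the flow 192.168.99.20 to 11.115.55.100. The rule names, the outside address 203.0.113.1, the Internet host 198.51.100.50 and the /32 remote network are assumed placeholders.

```python
"""Model of the ASA/FTD NAT rule order (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                 # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT after-auto
    kind: str                    # "static" or "dynamic"
    src: str                     # real source network
    dst: str = "0.0.0.0/0"       # real destination network (manual NAT only)
    identity: bool = False       # source translated to itself, i.e. NAT exemption
    order: int = 0               # configuration order inside Sections 1 and 3

def _key(r: NatRule):
    """Documented lookup order: Section 1 by config order; Section 2 static before dynamic,
    then most specific object, lowest address, name; Section 3 by config order."""
    if r.section == 2:
        net = ip_network(r.src, strict=False)
        return (2, 0 if r.kind == "static" else 1, -net.prefixlen,
                int(net.network_address), r.name)
    return (r.section, r.order)

def translate(rules, src: str, dst: str, outside_ip: str):
    """First-match lookup; returns (post-NAT source, matching rule or None)."""
    s, d = ip_address(src), ip_address(dst)
    for r in sorted(rules, key=_key):
        if s in ip_network(r.src, strict=False) and d in ip_network(r.dst, strict=False):
            return (src if r.identity else outside_ip), r
    return src, None

def reaches_tunnel(rules, src, dst, outside_ip, local_net, remote_net):
    """Outbound packets are NAT-ed first and only then matched against the crypto ACL,
    so the post-NAT source must still be inside the tunnel's local network."""
    post_src, rule = translate(rules, src, dst, outside_ip)
    in_acl = (ip_address(post_src) in ip_network(local_net, strict=False)
              and ip_address(dst) in ip_network(remote_net, strict=False))
    return {"post_nat_src": post_src, "rule": rule.name if rule else None, "crypto_acl_match": in_acl}

# Assumed placeholders modelled on the thread: local server subnet, remote peer host,
# outside interface address (documentation range) and an ordinary Internet destination.
LOCAL, REMOTE = "192.168.99.0/24", "11.115.55.100/32"
OUTSIDE_IP, INTERNET_HOST = "203.0.113.1", "198.51.100.50"

# Wrong: the PAT rule is also manual NAT and sits above the VPN exemption.
WRONG = [
    NatRule("server_pat", 1, "dynamic", LOCAL, order=1),
    NatRule("vpn_exempt", 1, "static", LOCAL, REMOTE, identity=True, order=2),
]
# As advised: VPN exemption as manual NAT (Section 1), PAT as auto NAT (Section 2).
RIGHT = [
    NatRule("server_pat", 2, "dynamic", LOCAL),
    NatRule("vpn_exempt", 1, "static", LOCAL, REMOTE, identity=True, order=1),
]
# Also wrong: the exemption placed "after auto" (Section 3) loses to the auto PAT.
AFTER_AUTO = [
    NatRule("server_pat", 2, "dynamic", LOCAL),
    NatRule("vpn_exempt", 3, "static", LOCAL, REMOTE, identity=True, order=1),
]

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG), ("right", RIGHT), ("after-auto", AFTER_AUTO)):
        print(label, reaches_tunnel(rules, "192.168.99.20", "11.115.55.100", OUTSIDE_IP, LOCAL, REMOTE))
    print("internet", reaches_tunnel(RIGHT, "192.168.99.20", INTERNET_HOST, OUTSIDE_IP, LOCAL, REMOTE))
```

With the RIGHT ordering the tunnel flow keeps its real source 192.168.99.20 and matches the crypto ACL, while traffic to any other destination still falls through to the auto PAT; in the two wrong orderings the flow leaves with the outside address and never matches the tunnel. On the device, `show nat` lists the rules in exactly this evaluated order, so it is the quickest place to confirm which section the FDM put each rule in.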
08-12-2024 04:34 AM
All NAT rules: