386 Views | 0 Helpful | 11 Replies

Cannot Pass Traffic Firepower 1010 to Firepower 1010

Jay Sains
Level 1

I've created multiple site-to-site VPNs using FPR-1010s.
Cannot ping through the tunnel. Cannot pass traffic through the tunnel.
show crypto ipsec sa shows endpoints connected.

show isakmp sa shows endpoints connected with tunnels between networks.

I think I have identity NAT enabled between sites.

packet-tracer input inside rawip 192.168.100.18 1 192.168.99.18 xml
gives the following error:
<drop-reason>(inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched</drop-reason>
<drop-detail>Drop-location: frame 0x000056393ef26509 flow (NA)/NA</drop-detail>

show route does not show virtual static routes between devices.

11 Replies

Cristian Matei
VIP Alumni

Hi,

   Do you use crypto-map / policy-based or VTI / route-based VPNs? If the IPsec SA is up/active, you've got to ensure routing is performed as well as NAT exemption (twice NAT in section 1, the so-called "before" section). NAT exemption would mean that if your VPN traffic is between 192.168.10.0/24 and 192.168.20.0/24, you have a "before twice NAT rule" where both real and translated values are the same for both source and destination.

Best,

Cristian.

I'm still in an ASA configuration mindset, so I'm using crypto-map/policy-based VPNs. I still have a few ASAs out there I'm starting to grandfather this year. On those connections, I have one-sided pings working, but that's another issue.

Am I reading it correctly that I'm double NAT-exempting traffic? Are you also saying I need to set up separate routing tables (BGP, OSPF, or static) for each site-to-site connection?

I have six sites to get online quickly and this one is beating me up a little.  If I can get one, I can get the rest in short order.

Hi,

    If you want to stick with crypto-maps (I recommend not, for way too many reasons, aka complications and complexity down the road), you would need to do the following, assuming we have this scenario: 192.168.10.0/24(LAN1)---ASA1------WAN------ASA2---192.168.20.0/24(LAN2)

  1. build the tunnels on both ASAs
  2. configure routing on both ASAs (e.g. on ASA1: route NAMEIF_OF_INTERFACE_WHERE_TUNNEL_IS_TERMINATED 192.168.20.0 255.255.255.0 NEXT_HOP_OF_INTERFACE_WHERE_TUNNEL_IS_TERMINATED)
  3. ensure your ingress ACL applied on both ASAs allows for traffic going through the tunnel (e.g. on ASA1, assuming your ingress ACL applied on NAMEIF_OF_INTERFACE_WHERE_TUNNEL_IS_TERMINATED is named INGRESS: access-list INGRESS line 1 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0)
  4. ensure traffic sent over the tunnel is not subject to NAT on both ASAs (e.g. on ASA1: nat (NAMEIF_OF_INTERFACE_WHERE_192.168.10.0/24_RESIDES,NAMEIF_OF_INTERFACE_WHERE_TUNNEL_IS_TERMINATED) 1 source static NAME_OF_OBJECT_MATCHING_192.168.10.0/24 NAME_OF_OBJECT_MATCHING_192.168.10.0/24 destination static NAME_OF_OBJECT_MATCHING_192.168.20.0/24 NAME_OF_OBJECT_MATCHING_192.168.20.0/24 no-proxy-arp description NO_NAT_FOR_VPN_TO_ASA2)

If you want to move to VTI, recommended, it's the same steps, with the following changes:

  1. build the tunnels using VTI instead of crypto-maps
  2. build dynamic routing through the tunnels and advertise your protected networks (instead of static routing)
  3. same
  4. same

Best,

Cristian.

Can I see packet tracer from remote LAN to local LAN, and from local LAN to remote LAN?

MHM

Jay Sains
Level 1

Local to Remote

Packet Tracer from Remote to Local

<Phase>
<id>1</id>
<type>INPUT-ROUTE-LOOKUP</type>
<subtype>Resolve Egress Interface</subtype>
<result>ALLOW</result>
<elapsed-time>38595 ns</elapsed-time>
<config>
</config>
<extra>
Found next-hop xxx.xxx.xxx.65 using egress ifc  outside(vrfid:0)
</extra>
</Phase>

<Phase>
<id>2</id>
<type>UN-NAT</type>
<subtype>static</subtype>
<result>ALLOW</result>
<elapsed-time>2790 ns</elapsed-time>
<config>
nat (inside,outside) source static Site2-North Site2-North destination static Site2-Main Site2-Main no-proxy-arp route-lookup
</config>
<extra>
NAT divert to egress interface outside(vrfid:0)
Untranslate 172.16.128.18/0 to 172.16.128.18/0
</extra>
</Phase>

<Phase>
<id>3</id>
<type>ACCESS-LIST</type>
<subtype>log</subtype>
<result>ALLOW</result>
<elapsed-time>7556 ns</elapsed-time>
<config>
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: DefaultInternet
object-group service |acSvcg-268435457
 service-object ip
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>4</id>
<type>NAT</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>7556 ns</elapsed-time>
<config>
nat (inside,outside) source static Site2-North Site2-North destination static Site2-Main Site2-Main no-proxy-arp route-lookup
</config>
<extra>
Static translate 172.16.132.18/0 to 172.16.132.18/0
</extra>
</Phase>


<Phase>
<id>5</id>
<type>NAT</type>
<subtype>per-session</subtype>
<result>ALLOW</result>
<elapsed-time>7556 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>6</id>
<type>IP-OPTIONS</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>7556 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>7</id>
<type>INSPECT</type>
<subtype>np-inspect</subtype>
<result>ALLOW</result>
<elapsed-time>25575 ns</elapsed-time>
<config>
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>8</id>
<type>INSPECT</type>
<subtype>np-inspect</subtype>
<result>ALLOW</result>
<elapsed-time>3255 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>9</id>
<type>VPN</type>
<subtype>encrypt</subtype>
<result>ALLOW</result>
<elapsed-time>11160 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>10</id>
<type>NAT</type>
<subtype>rpf-check</subtype>
<result>ALLOW</result>
<elapsed-time>2325 ns</elapsed-time>
<config>
nat (inside,outside) source static Site2-North Site2-North destination static Site2-Main Site2-Main no-proxy-arp route-lookup
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>11</id>
<type>FLOW-CREATION</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>21390 ns</elapsed-time>
<config>
</config>
<extra>
New flow created with id 94610, packet dispatched to next module
</extra>
</Phase>


<result>
<input-interface>inside(vrfid:0)</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>outside(vrfid:0)</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<time-taken>135314 ns</time-taken>
<drop-reason>(inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched</drop-reason>
<drop-detail>Drop-location: frame 0x00005582b4531509 flow (NA)/NA</drop-detail>
</result>


<Phase>
<id>1</id>
<type>INPUT-ROUTE-LOOKUP</type>
<subtype>Resolve Egress Interface</subtype>
<result>ALLOW</result>
<elapsed-time>43710 ns</elapsed-time>
<config>
</config>
<extra>
Found next-hop XXX.XXX.XXX.1 using egress ifc outside(vrfid:0)
</extra>
</Phase>

<Phase>
<id>2</id>
<type>UN-NAT</type>
<subtype>static</subtype>
<result>ALLOW</result>
<elapsed-time>3255 ns</elapsed-time>
<config>
nat (inside,any) source static Site2_Main Site2_Main destination static Site2-North Site2-North no-proxy-arp route-lookup
</config>
<extra>
NAT divert to egress interface outside(vrfid:0)
Untranslate 172.16.132.18/0 to 172.16.132.18/0
</extra>
</Phase>

<Phase>
<id>3</id>
<type>ACCESS-LIST</type>
<subtype>log</subtype>
<result>ALLOW</result>
<elapsed-time>8370 ns</elapsed-time>
<config>
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
object-group service |acSvcg-268435457
service-object ip
</config>
<extra>
This packet will be sent to snort for additional processing where a verdict will be reached
</extra>
</Phase>

<Phase>
<id>4</id>
<type>NAT</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>8370 ns</elapsed-time>
<config>
nat (inside,any) source static Site2_Main Site2_Main destination static Site2-North Site2-North no-proxy-arp route-lookup
</config>
<extra>
Static translate 172.16.128.18/0 to 172.16.128.18/0
</extra>
</Phase>

<Phase>
<id>5</id>
<type>NAT</type>
<subtype>per-session</subtype>
<result>ALLOW</result>
<elapsed-time>8370 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>6</id>
<type>IP-OPTIONS</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>8370 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>7</id>
<type>INSPECT</type>
<subtype>np-inspect</subtype>
<result>ALLOW</result>
<elapsed-time>28830 ns</elapsed-time>
<config>
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>8</id>
<type>INSPECT</type>
<subtype>np-inspect</subtype>
<result>ALLOW</result>
<elapsed-time>4185 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>9</id>
<type>VPN</type>
<subtype>encrypt</subtype>
<result>ALLOW</result>
<elapsed-time>10230 ns</elapsed-time>
<config>
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>10</id>
<type>NAT</type>
<subtype>rpf-check</subtype>
<result>ALLOW</result>
<elapsed-time>2790 ns</elapsed-time>
<config>
nat (inside,any) source static Site2_Main Site2_Main destination static Site2-North Site2-North no-proxy-arp route-lookup
</config>
<extra>
</extra>
</Phase>

<Phase>
<id>11</id>
<type>FLOW-CREATION</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>28830 ns</elapsed-time>
<config>
</config>
<extra>
New flow created with id 77258, packet dispatched to next module
</extra>
</Phase>

<Phase>
<id>12</id>
<type>EXTERNAL-INSPECT</type>
<subtype></subtype>
<result>ALLOW</result>
<elapsed-time>40455 ns</elapsed-time>
<config>
</config>
<extra>
Application: 'SNORT Inspect'
</extra>
</Phase>

<Phase>
<id>13</id>
<type>SNORT</type>
<subtype>appid</subtype>
<result>ALLOW</result>
<elapsed-time>51560 ns</elapsed-time>
<config>
</config>
<extra>
service: ICMP(3501), client: (0), payload: (0), misc: ICMP(3501)
</extra>
</Phase>

<Phase>
<id>14</id>
<type>SNORT</type>
<subtype>firewall</subtype>
<result>ALLOW</result>
<elapsed-time>549326 ns</elapsed-time>
<config>
Network 0, Inspection 0, Detection 0, Rule ID 268435457
</config>
<extra>
Starting rule matching, zone 1 -> 2, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268435457 - Allow
</extra>
</Phase>

<result>
<input-interface>inside(vrfid:0)</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>outside(vrfid:0)</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<time-taken>796651 ns</time-taken>
<drop-reason>(inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched</drop-reason>
<drop-detail>Drop-location: frame 0x000055d6293eb27c flow (NA)/NA</drop-detail>
</result>


Remote to Local

Sorry, there is something wrong in packet tracer.

Can I see screenshots of both packet tracers (local to remote) and (remote to local)? I think you are missing the interface when entering it, or it is not correct.

MHM

I'm using the web management directly on the device.  I can't find "Packet-Tracer".

What did you enter to get the result you shared above?

MHM

packet-tracer input inside rawip 172.16.132.18 1 172.16.128.18 xml

There are two different NATs.

One is inside,outside and the other inside,any.

I think this makes an issue for the VPN.

Remove inside,any and check again.

MHM
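The following is an added example written for this thread; it is not code from any of the posters or from Cisco. It parses the XML that `packet-tracer ... xml` prints (sibling `<Phase>` and `<result>` elements with no root, as in the two traces above), pulls the NAT facts out of the NAT/UN-NAT phases, and checks what Cristian's step 4 calls for: an identity rule (real equals mapped for both source and destination) on each peer, mirrored so that one peer's translated source is the other peer's untranslated destination. The interface-pair checks encode MHM's observation about `(inside,outside)` versus `(inside,any)`; treat them as a heuristic, not a documented Cisco rule. The sample traces are constructed, trimmed copies of the two posted outputs, plus a hypothetical "fixed" pair in which both peers use the same interface pair and the probe is allowed; both rawip probes on the page end in the `inspect-icmp-seq-num-not-matched` drop, which is why the last reply asks for the `icmp 8 0` form instead.

```python
"""Cross-check the NAT-exemption rules two VPN peers apply to tunnel traffic.
Added example, not part of the thread. Sample traces are constructed."""
import re
import xml.etree.ElementTree as ET

NAT_IFC_RE = re.compile(r"nat \((?P<ingress>[^,]+),(?P<egress>[^)]+)\)")
XLATE_RE = re.compile(
    r"(?P<kind>Untranslate|Static translate) (?P<real>[\d.]+)/\d+ to (?P<mapped>[\d.]+)/\d+")


def parse_trace(xml_text):
    """Return the NAT facts and final verdict from one packet-tracer XML dump."""
    root = ET.fromstring("<trace>" + xml_text + "</trace>")  # dump has no root element
    trace = {"rules": set(), "ifc_pairs": set(), "src": None, "dst": None,
             "identity": True, "action": None, "drop_reason": None}
    for phase in root.findall("Phase"):
        if phase.findtext("type") not in ("NAT", "UN-NAT"):
            continue
        config = (phase.findtext("config") or "").strip()
        m = NAT_IFC_RE.search(config)
        if m:  # per-session phase has an empty config; rpf-check repeats the rule
            trace["rules"].add(config)
            trace["ifc_pairs"].add((m["ingress"].strip(), m["egress"].strip()))
        x = XLATE_RE.search(phase.findtext("extra") or "")
        if x:
            # UN-NAT reports the destination address, the NAT phase the source
            trace["dst" if x["kind"] == "Untranslate" else "src"] = x["real"]
            if x["real"] != x["mapped"]:
                trace["identity"] = False
    result = root.find("result")
    if result is not None:
        trace["action"] = result.findtext("action")
        trace["drop_reason"] = result.findtext("drop-reason")
    return trace


def audit(local, remote):
    """Findings for a LAN-to-LAN probe run on each peer; an empty list is good."""
    findings = []
    for name, t in (("local", local), ("remote", remote)):
        if not t["rules"]:
            findings.append(f"{name}: no static NAT rule matched the probe")
        if not t["identity"]:
            findings.append(f"{name}: NAT rule is not an identity translation")
        if any(ifc == "any" for pair in t["ifc_pairs"] for ifc in pair):  # heuristic
            findings.append(f"{name}: exemption rule uses 'any' instead of the tunnel interface")
        if t["action"] != "allow":
            findings.append(f"{name}: action={t['action']} ({t['drop_reason']})")
    if local["ifc_pairs"] != remote["ifc_pairs"]:  # heuristic, per MHM's remark
        findings.append(f"interface pair differs: local {sorted(local['ifc_pairs'])} "
                        f"vs remote {sorted(remote['ifc_pairs'])}")
    if (local["src"], local["dst"]) != (remote["dst"], remote["src"]):
        findings.append("exemption is not mirrored: local src/dst is not remote dst/src")
    return findings


def _trace(pair, src_obj, dst_obj, src_ip, dst_ip, action, drop=""):
    """Constructed, trimmed packet-tracer XML in the shape of the posted traces."""
    rule = (f"nat {pair} source static {src_obj} {src_obj} "
            f"destination static {dst_obj} {dst_obj} no-proxy-arp route-lookup")
    return f"""
<Phase><id>2</id><type>UN-NAT</type><subtype>static</subtype><result>ALLOW</result>
<config>{rule}</config><extra>NAT divert to egress interface outside(vrfid:0)
Untranslate {dst_ip}/0 to {dst_ip}/0</extra></Phase>
<Phase><id>4</id><type>NAT</type><subtype></subtype><result>ALLOW</result>
<config>{rule}</config><extra>Static translate {src_ip}/0 to {src_ip}/0</extra></Phase>
<Phase><id>5</id><type>NAT</type><subtype>per-session</subtype><result>ALLOW</result>
<config></config><extra></extra></Phase>
<result><action>{action}</action><drop-reason>{drop}</drop-reason></result>
"""


ICMP_DROP = "(inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched"
# As posted: one peer uses (inside,outside), the other (inside,any); both probes drop.
LOCAL_AS_POSTED = _trace("(inside,outside)", "Site2-North", "Site2-Main",
                         "172.16.132.18", "172.16.128.18", "drop", ICMP_DROP)
REMOTE_AS_POSTED = _trace("(inside,any)", "Site2_Main", "Site2-North",
                          "172.16.128.18", "172.16.132.18", "drop", ICMP_DROP)
# Hypothetical corrected pair: same interface pair on both peers, probe allowed.
LOCAL_FIXED = _trace("(inside,outside)", "Site2-North", "Site2-Main",
                     "172.16.132.18", "172.16.128.18", "allow")
REMOTE_FIXED = _trace("(inside,outside)", "Site2_Main", "Site2-North",
                      "172.16.128.18", "172.16.132.18", "allow")


def audit_as_posted():
    return audit(parse_trace(LOCAL_AS_POSTED), parse_trace(REMOTE_AS_POSTED))


def audit_fixed():
    return audit(parse_trace(LOCAL_FIXED), parse_trace(REMOTE_FIXED))


if __name__ == "__main__":
    print("as posted:", *audit_as_posted(), sep="\n  ")
    print("fixed:", audit_fixed())
```

Run it against real dumps by feeding the XML of each peer's `packet-tracer input inside icmp <local-host> 8 0 <remote-host> xml` to `parse_trace` and passing the two results to `audit`; the mirror check only compares addresses reported in the NAT phases, so it does not depend on object names matching across the two devices (the posted traces use `Site2-Main` on one box and `Site2_Main` on the other).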

Could you please re-run the packet tracer as follows and share the output for review?

packet-tracer input inside icmp 192.168.100.18 8 0 192.168.99.18