Hello everyone, does anyone have an idea? I don't get it...
The AnyConnect client gets an address from the 192.168.12.0/24 pool and has NATed access to the whole INSIDE 192.168.2.0/24; it works without problems except for access to the Firepower itself, both FDM and SSH.
ManagementAccess/DataInterfaces is set to: interface INSIDE, AllowedNetworks: Inside, poola-vpn
And I noticed something else strange...
packet-tracer shows:
packet-tracer input outside tcp 192.168.12.22 9000 192.168.2.1 443
Drop-reason: (no-route) No route to host, Drop-location: frame 0x0000556e9593c6f
but for the next address in INSIDE:
packet-tracer input outside tcp 192.168.12.22 9000 192.168.2.2 443
Drop-reason: (no-v4-adjacency) No valid V4 adjacency, Drop-location: frame 0x0000556e9586f0d9 flow (NA)/NA
and so on up to 192.168.2.10, because after that...
packet-tracer input outside tcp 192.168.12.22 9000 192.168.2.11 443
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Access to FTD/FDM over AnyConnect VPN
Re: Access to FTD/FDM over AnyConnect VPN
Give more details. If you are doing NAT, to which IP, and is that IP added to AllowedNetworks? Run packet-tracer with the "detail" argument. What does the routing table look like for the address ranges above?
Re: Access to FTD/FDM over AnyConnect VPN
(outside) to (inside) source dynamic vpn-pool-anyconnect interface
access-list NGFW_ONBOX_ACL line 33 advanced permit object-group |acSvcg-268435464 ifc outside object vpn-pool-anyconnect any rule-id 268435464 event-log both (hitcnt=519) 0x4f70fbcf
* 0.0.0.0 0.0.0.0 [1/0] via 61.61.61.225, outside
C 20.20.20.0 255.255.255.0 is directly connected, wifi
L 20.20.20.1 255.255.255.255 is directly connected, wifi
C 61.61.61.224 255.255.255.224 is directly connected, outside
L 61.61.61.228 255.255.255.255 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, siec1
L 192.168.1.1 255.255.255.255 is directly connected, siec1
C 192.168.2.0 255.255.255.0 is directly connected, inside
L 192.168.2.1 255.255.255.255 is directly connected, inside
C 192.168.5.0 255.255.255.0 is directly connected, siec2
L 192.168.5.1 255.255.255.255 is directly connected, siec2
C 192.168.6.0 255.255.255.0 is directly connected, servers
L 192.168.6.1 255.255.255.255 is directly connected, servers
C 192.168.8.0 255.255.255.0 is directly connected, kamery
L 192.168.8.1 255.255.255.255 is directly connected, kamery
V 192.168.12.1 255.255.255.255 connected by VPN (advertised), outside
I also see that whether it is allow or not changes dynamically; now, for example, it only passes above 192.168.2.220:
> packet-tracer input outside tcp 192.168.12.22 9000 192.168.2.22 443 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.2.22 using egress ifc inside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.2.22/443 to 192.168.2.22/443
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc outside object vpn-pool-anyconnect any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L7 RULE: Outside_VPN-POOL-ANYCONNECT
object-group service |acSvcg-268435464
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x2b761b744c10, priority=12, domain=permit, deny=false
hits=622, user_data=0x2b7609aec900, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.12.0, mask=255.255.255.0, port=0, tag=any, ifc=outside
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.12.22/9000 to 192.168.12.22/9000
Forward Flow based lookup yields rule:
in id=0x2b761b694860, priority=6, domain=nat, deny=false
hits=622, user_data=0x2b761b691cb0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.12.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b7616678bc0, priority=0, domain=nat-per-session, deny=false
hits=9193, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b76179e6e50, priority=0, domain=inspect-ip-options, deny=true
hits=14642, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b761b91a410, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=1185, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b761b694c40, priority=6, domain=nat-reverse, deny=false
hits=623, user_data=0x2b761b691ba0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.12.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2b7616678bc0, priority=0, domain=nat-per-session, deny=false
hits=9195, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2b7617ac4910, priority=0, domain=inspect-ip-options, deny=true
hits=7013, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16461, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 12
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 13
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 1826268362
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: allow rule, id 268435464, allow
Snort id 3, NAP id 4, IPS id 3, Verdict PASS
Snort Verdict: (pass-packet) allow this packet
Phase: 14
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.2.22 using egress ifc inside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-v4-adjacency) No valid V4 adjacency, Drop-location: frame 0x0000560fb00a80d9 flow (NA)/NA
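The address sweep in the first post and the detailed trace in this reply are easier to compare in bulk with a small parser that pulls out each phase's verdict, the final Action and the Drop-reason code, and flags the case seen here, every phase ALLOW yet a final drop. This is an added example for this thread, not a Cisco tool or the poster's code; it assumes the plain-text layout shown above, and the two sample traces are constructed from the thread's own output, abbreviated to two of the fourteen phases.

```python
import re

_DROP = re.compile(r"^Drop-reason:\s*\((?P<code>[^)]+)\)")

def parse_trace(text: str) -> dict:
    """Return {"phases": [...], "action": str, "drop_reason": str}.
    'Phase: N' opens a phase block; the bare 'Result:' line opens the verdict."""
    tr = {"phases": [], "action": "", "drop_reason": ""}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _DROP.match(line):
            tr["drop_reason"] = m.group("code")
        elif ":" in line:
            key, _, val = (s.strip() for s in line.partition(":"))
            if key == "Phase":
                cur = {"number": int(val), "type": "", "result": ""}
                tr["phases"].append(cur)
            elif key == "Result" and not val:
                cur = None                       # per-phase section is over
            elif cur is not None and key in ("Type", "Result"):
                cur[key.lower()] = val
            elif key == "Action":
                tr["action"] = val
    return tr

def summarize(tr: dict) -> str:
    """Point at the failing phase, or flag a drop that no phase explains (the
    thread's trace: 14x ALLOW, then 'drop' reported as no-v4-adjacency)."""
    bad = [p for p in tr["phases"] if p["result"] and p["result"] != "ALLOW"]
    if bad:
        where = f"at phase {bad[0]['number']} {bad[0]['type']}"
    elif tr["phases"]:
        where = f"after {len(tr['phases'])} ALLOW phases"
    else:
        where = "with no phase detail (rerun with 'detailed')"
    code = f" ({tr['drop_reason']})" if tr["drop_reason"] else ""
    return f"{tr['action'] or 'drop'}{code} {where}"

# Constructed from the thread's own output (trace abbreviated to 2 of 14 phases).
SAMPLE_ADJ = """Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 14
Type: ROUTE-LOOKUP
Result: ALLOW
Result:
output-interface: inside
Action: drop
Drop-reason: (no-v4-adjacency) No valid V4 adjacency, Drop-location: frame 0x0000560fb00a80d9 flow (NA)/NA
"""
SAMPLE_NOROUTE = "Drop-reason: (no-route) No route to host, Drop-location: frame 0x0000556e9593c6f\n"
```

Feed each saved packet-tracer run through `summarize(parse_trace(text))` to get one line per destination address instead of reading fourteen phases by hand.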
Re: Access to FTD/FDM over AnyConnect VPN
Hi,
Show the NAT configuration for this pool. Also, ping from the mgmt interface (br1) to an address from the VPN pool, and check such a flow in PT as well. I don't want to be a pessimist, but it seems to me that such a setup is not supported, i.e. managing FDM from a VPN client connected to the FTD...
Cheers!
Re: Access to FTD/FDM over AnyConnect VPN
aaaa, "show nat pool...." crashes the router, all connections stop, and it takes a few minutes to come back up.
FDM runs on inside and answers at https://192.168.2.1, so why check mgmt? That has the default subnet and the address 192.168.45.45.
Access to FDM is one thing, but why does PT behave like this?
Re: Access to FTD/FDM over AnyConnect VPN
So, did you manage to solve the problem?
Re: Access to FTD/FDM over AnyConnect VPN
Unfortunately neither question was resolved. As for PT, it looks like some bug, because everything works OK; only PT behaves strangely.
As for access to FDM, I see I'm not the only one struggling with it, but the general opinion is that it can't be done... and why? ...because it can't be done.
The simplest workaround will probably be to plug MGMT into Inside and "reroute" it on some switch.