https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4040858#M1067387 <P>Im in the process of replacing 5505 and 5506 with FPR-1010. (code: 6.5.0.4).</P><P>&nbsp;</P><P>When running IPsec between two subnets for example:</P><P>&nbsp;</P><P>FPR-2130 subnet 10.0.0.0/23 &lt;-------&gt; 10.199.24.0/24 (FPR-1010 has IP .1 (BV1) and .2 (MNGT).</P><P>&nbsp;</P><P>I cannot access the unit itself (.1.2), all other IPs in the subnet is reachable. The error is:</P><P>&nbsp;</P><PRE>Deny IP spoof from (10.0.0.x) to 10.199.24.1 on the interface outside</PRE><P>Can anyone help me get around this ?&nbsp;</P> Thu, 05 Mar 2020 13:01:36 GMT Jon Are Endrerud 2020-03-05T13:01:36Z https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4040858#M1067387 <P>Im in the process of replacing 5505 and 5506 with FPR-1010. (code: 6.5.0.4).</P><P>&nbsp;</P><P>When running IPsec between two subnets for example:</P><P>&nbsp;</P><P>FPR-2130 subnet 10.0.0.0/23 &lt;-------&gt; 10.199.24.0/24 (FPR-1010 has IP .1 (BV1) and .2 (MNGT).</P><P>&nbsp;</P><P>I cannot access the unit itself (.1.2), all other IPs in the subnet is reachable. The error is:</P><P>&nbsp;</P><PRE>Deny IP spoof from (10.0.0.x) to 10.199.24.1 on the interface outside</PRE><P>Can anyone help me get around this ?&nbsp;</P> Thu, 05 Mar 2020 13:01:36 GMT https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4040858#M1067387 Jon Are Endrerud 2020-03-05T13:01:36Z https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4040924#M1067393 Is the 1010 in transparent mode? Thu, 05 Mar 2020 14:21:40 GMT https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4040924#M1067393 Marvin Rhoads 2020-03-05T14:21:40Z https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4041707#M1067466 <P>No routed mode.</P> Fri, 06 Mar 2020 13:37:49 GMT https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4041707#M1067466 Jon Are Endrerud 2020-03-06T13:37:49Z https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4042133#M1067496 <P class="lia-align-justify">Ah - so you are trying to reach the Firepower inside and management addresses from the remote end of the site-site VPN? That's generally not possible since the traffic needs to come from one of the inside networks. Otherwise the Firepower would be sending it's own replies through itself - which is roughly what the log message is telling you.</P> Sat, 07 Mar 2020 10:55:41 GMT https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4042133#M1067496 Marvin Rhoads 2020-03-07T10:55:41Z https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4043274#M1067594 <P>Used the MNGT gateway with defined gateway unique gw instead of data interface gateway. This gives access to SSH and HTTPS.</P> Tue, 10 Mar 2020 12:07:20 GMT https://community.cisco.com/t5/network-security/fpr-1010-ipspoof/m-p/4043274#M1067594 Jon Are Endrerud 2020-03-10T12:07:20Z