topic Re: Firepower_Migration_Tool | Crypto S2S on FTD | ACL configuration in Network Security

Firepower_Migration_Tool | Crypto S2S on FTD | ACL configuration

najarian — Wed, 07 Oct 2020 14:58:25 GMT

Hi,

Question-1 i migrated my 5516-x to FTD: 1140 and I had about 87 S2S tunnels, but none of them migrated by Tools.
so, please confirm I should follow instructions in cisco and configure Manually right?

Question 2: in the ASA configuration, First: I have 2 ACL type: 1 under Crypto command like :
crypto map ipsec_outside 50 match address ipsec_TUNNEL1 ( which is the network I want to protect )
Second: I have ACL under Group-Policy ( VPN Filter) Configuration: like :
group-policy policy_toyota-bank attributes
VPN-filter value acl_toyota-bank
(to restrict Port number accessibility from the remote side)

I know that I should write Extended ACLs under Object management> Extended ACL first, and use it for VPN configuration on FMC in Node (B) section.

but the question is: how should I use BOTH ACLs under site-2-site communication? is that possible to combine it? ( we have no command of ''tunnel-group X.X.X.X general-attributes'' to bind ACL like Vpn-Filter in ASA)!
should I use Flex-config or I can write Extended ACL (a combination of 2 ACLs above) and assign it under Node-B network protection?

Thanks in advance,

Respectfully yours,
Ashkan

Re: Firepower_Migration_Tool | Crypto S2S on FTD | ACL configuration

Rob Ingram — Wed, 07 Oct 2020 15:05:37 GMT

Hi @najarian

Correct, I don't believe the FMT currently migrates VPN tunnels, so unfortunately you'd have to migrate manually.

On FTD you would configure firewall rules in the ACP (Access Control Policy) to determine which traffic should or should not be permitted over the VPN tunnel.

HTH

Re: Firepower_Migration_Tool | Crypto S2S on FTD | ACL configuration

najarian — Thu, 08 Oct 2020 07:15:22 GMT

Hello Rob,

as i understand, i should just add SRC/DST networks in the NODEs information section in S2S configuration on FMC and i should migrate ''VPN-Filter ACLs on ASA '' in the (Access Control Policy). would you please confirm?

regards

Ashkan

Re: Firepower_Migration_Tool | Crypto S2S on FTD | ACL configuration

Rob Ingram — Thu, 08 Oct 2020 07:28:38 GMT

Yes, you would build the new VPN topologies, add the SRC (your local networks) and DST (the remote networks) - this defines the interesting traffic to be encrypted over the VPN tunnel.

Yes, the configuration of your existing VPN Filter on the ASA would need to be re-writing within the ACP applied to the FTD