topic Cannot VPN through a Cisco Firepower 1010 in Network Security

Cannot VPN through a Cisco Firepower 1010

MSakr — Fri, 04 Jun 2021 16:01:06 GMT

I have a 1010 Firepower on the edge with 2 S2S VPN connections established on it.

Now when I try to connect from a client inside of the 1010 to a VPN Gateway on the internet, it is not going through, any hints on where to troubleshoot? as these devices are limited in that

Thank you

Re: Cannot VPN through a Cisco Firepower 1010

Marvin Rhoads — Fri, 04 Jun 2021 18:41:46 GMT

I've seen this at time when the internal system needed to use IPsec and the udp/500 ports were already in use by the firewall interface that terminates the other IPsec tunnels. One solution is to use a static NAT for that client so that it has it's own public IP. Another is to see if it can negotiate with the distant end using udp/4500 (NAT-Traversal).

Re: Cannot VPN through a Cisco Firepower 1010

MSakr — Sun, 06 Jun 2021 12:18:56 GMT

Hi Marvin

This is what I thought initially that the same port might be used.

I was thinking to assign another public IP for the S2S tunnels or another IP for the public interface , whichever might be feasible on 1010 or easier.. your thoughts if it is possible? as I cannot change the peer VPN GW,

Re: Cannot VPN through a Cisco Firepower 1010

Marvin Rhoads — Sun, 06 Jun 2021 14:57:25 GMT

Site to site tunnels terminating on the FTD device must use the interface address.

You can verify the active ones are using the port connection with "show conn | i 500".