topic Re: Policy Based IPSEC Tunnel With Firepower in Network Security

Policy Based IPSEC Tunnel With Firepower

TrashPanda — Fri, 19 Apr 2024 21:33:55 GMT

If I am configuring an IKEv1 IPSEC site-to-site VPN with an FTD device running 7.4.1 managed by the FMC and it is policy based, not route based, does the system ACL applied to the device also control the traffic across the tunnel? If so, then what Zone does the traffic show up as? Currently the device has an Inside and Outside zone defined.

Re: Policy Based IPSEC Tunnel With Firepower

MHM Cisco World — Fri, 19 Apr 2024 21:48:18 GMT

Control plane ACL effect only VPN outer header' i.e. it allow or not VPN between FTD and peer

ACP not effect traffic pass via vpn if you enable sysopt permit-vpn' But it effect if disable it.

There is option to tune filter the traffic pass via vpn va traffic filter

I think it appear in

Vpn topolgy > advanced > ipsec > filter

(Fmc)

MHM

Re: Policy Based IPSEC Tunnel With Firepower

TrashPanda — Fri, 19 Apr 2024 22:07:44 GMT

If the ACP is seeing the tunnel traffic then what is the source zone?

Re: Policy Based IPSEC Tunnel With Firepower

MHM Cisco World — Fri, 19 Apr 2024 22:12:00 GMT

if you want to config ACP then you need ACP for two direction
ACP Inside->Outside
ACP Outside->Inside

MHM

Re: Policy Based IPSEC Tunnel With Firepower

Marius Gunnerud — Sun, 21 Apr 2024 21:26:11 GMT

for inbound traffic from the remote VPN site you would have a source zone of the outside interface.