topic Re: Creating a S2S VPN - protected networks via IP extended ACL in Network Security

Creating a S2S VPN - protected networks via IP extended ACL

Ditter — Sun, 28 Apr 2024 15:59:45 GMT

Hi to all,

i was trying to find why the the vpn between an FTD and a cisco router could not come up and concluded to this:

When i create the S2S VPN PtP topology if i just add the protected networks, the tunnel does not come up.

For example if behind the FTD is the network 192.168.1.0/24 and behind the extranet cisco is the network 192.168.2.0/24 then if i add them in the protected network tab the ipsec vpn does not come up.

If instead i create an ACL with source any and destination the 192.168.2.0 and apply it to the FTD and also i create an ext. acl to allow traffic from 192.168.2.0 to any and apply it to the extranet node the tunnel finally comes up.

Any ideas why this is happening? I miss something but i can not see what it is.

Please refer to png attached in order to understand to what part of the gui i am referring to.

Thanks,

Ditter.

Re: Creating a S2S VPN - protected networks via IP extended ACL

MHM Cisco World — Sun, 28 Apr 2024 16:53:38 GMT

MHM

Re: Creating a S2S VPN - protected networks via IP extended ACL

MHM Cisco World — Sun, 28 Apr 2024 16:54:05 GMT

MHM

Re: Creating a S2S VPN - protected networks via IP extended ACL

Ditter — Sun, 28 Apr 2024 16:50:14 GMT

The router is an 2821 with 15.1(4)M10 and the FTD runs 7.2.5.

Btw i am trying with IKE v1 , not IKEv2.

Re: Creating a S2S VPN - protected networks via IP extended ACL

Rob Ingram — Sun, 28 Apr 2024 16:53:06 GMT

@Ditter do you have a NAT exemption rule to ensure the traffic between 192.168.1.0/24 and 192.168.2.0/24 is not unintentially translated?

Re: Creating a S2S VPN - protected networks via IP extended ACL

MHM Cisco World — Sun, 28 Apr 2024 17:02:44 GMT

In both Side config route for remote LAN' and then use subnet network and check

MHM

Re: Creating a S2S VPN - protected networks via IP extended ACL

Ditter — Sun, 28 Apr 2024 18:11:41 GMT

@MHM Cisco World

There is no NAT rule at this phase. I will add it later to the config.

What i noticed is the following: If i put on the FTD side as protected network the "any" keyword instead of a specific protected subnet it works ! So in this case i have configured in the GUI of the FMC the protected network for the cisco 2821 side as the 192.168.2.0/24 and any in the FTD side and the VPN started to work.

Thanks,

Ditter.

Re: Creating a S2S VPN - protected networks via IP extended ACL

Rob Ingram — Sun, 28 Apr 2024 18:15:00 GMT

@Ditter yes I understand what you've configured. If there is no NAT exemption rule traffic will not come from the original source, it will come from the translated IP address, which would match "any" in the crypto ACL.

Apply NAT exemption rule on both sides to make sure traffic is no unintentially translated.

Re: Creating a S2S VPN - protected networks via IP extended ACL

MHM Cisco World — Sun, 12 May 2024 12:13:57 GMT

To not confuse you, I will ask here

Can you update me about this post

Thanks alot

MHM

Re: Creating a S2S VPN - protected networks via IP extended ACL

Ditter — Sun, 12 May 2024 14:54:10 GMT

Thanks @MHM Cisco World , as the FTD does not permit VPN traffic to pass through the device , static route should be created in FTD in order to permit traffic to be sent to the appropriate interface where the VPN is created.