topic Re: FTD Route Based VPN in Network Security

FTD Route Based VPN

benolyndav — Fri, 03 May 2024 10:39:51 GMT

Hi We have to configure a RB VPN and am wondering if I add the new VTI Interface to The exsisting outside security group or do I have to create a new security group, the outsdide Security group has the Internet facing Interfaces in it.??

Thanks

Re: FTD Route Based VPN

MHM Cisco World — Fri, 03 May 2024 10:51:00 GMT

VTI interface need to put in different zone secuirty than tunnel source of VTI

This give you more control of traffic pass through vti

MHM

Re: FTD Route Based VPN

Rob Ingram — Fri, 03 May 2024 17:56:22 GMT

Hi @benolyndav

Adding a VTI to a Security Zone is optional. I'd recommend you configure a VTI in a unique Security Zone, you can then control traffic over the VPN tunnel using the Security Zone in the Access Control policy, this allows you to distinguish between VPN traffic and cleartext traffic.

Re: FTD Route Based VPN

benolyndav — Sat, 04 May 2024 14:46:41 GMT

Hi @Rob Ingram

Ok makes sense, So now when traffic is soutced from Inside Interface and needs to go through the VTI then I would not say Inside to Outside anymore it would be Inside to VTI and through the tunnel.?
Also my Nat rule would now be Inside to VTI and Outside to VTI, rather than Inside to Outside and Outside to Inside for other traffic.?

for the static routes would | i now say the gateway for the remote subnet is the remote VTI peer IP Address. ??
Thanks

Re: FTD Route Based VPN

Rob Ingram — Sat, 04 May 2024 15:14:02 GMT

@benolyndav correct.

You cannot write NAT rules for a Virtual Tunnel Interface (VTI), which are used in site-to-site VPN. Writing rules for the VTI's source interface will not apply NAT to the VPN tunnel. To write NAT rules that will apply to VPN traffic tunneled on a VTI, you must use "any" as the interface; you cannot explicitly specify interface names.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/interfaces-settings-nat.html

Yes, for routing use the VTI tunnel IP address as the next hop or using a routing protocol.

Re: FTD Route Based VPN

MHM Cisco World — Sat, 04 May 2024 16:47:06 GMT

You can not use nameif of VTI in NAT' that separate from zone secuirty' you can use ""any"" instead

For static route

The VTI tunnel IP of peer is use as next-hop not VTI tunnel IP of fpr.

Keep in minde that vti tunnel appear as direct connect link from fpr view.

MHM

Re: FTD Route Based VPN

benolyndav — Tue, 07 May 2024 08:43:16 GMT

Hi @Rob Ingram
Would that be any to any or any to Outside in Nar rule ??

Thanks

Re: FTD Route Based VPN

Rob Ingram — Tue, 07 May 2024 14:08:41 GMT

@benolyndav EDIT: actually INSIDE to any. Ingress through the inside interface, egress via the Tunnel interface - NAT rules are bi-directional. Be as specific as possible in your NAT rule in regard to source/destination networks.

Re: FTD Route Based VPN

MHM Cisco World — Tue, 07 May 2024 13:59:39 GMT

NAT will be

INSIDE to ANY <- if traffic is NAT to VTI interface

MHM

Re: FTD Route Based VPN

benolyndav — Wed, 08 May 2024 18:37:26 GMT

Hi @Rob Ingram
Am I ok to DM You.??

Thanks

Re: FTD Route Based VPN

Rob Ingram — Wed, 08 May 2024 18:39:51 GMT

@benolyndav sure.