topic Re: IPsec VPN Configuration in Network Security

IPsec VPN Configuration

ajaque27 — Wed, 23 Oct 2024 23:23:19 GMT

Hello, I am trying to configure a IPsec VPN coming from 192.168.1.0/24. It is connected to and FTDv appliance on the inside interface whose IP is 192.168.1.253. The laptop IP is 192.168.1.10. The FTDv is connected to an ASAv running AnyConnect server and that is connected to another ASAv acting as a firewall. On the destination end is another laptop. I want to connect to the network of that laptop to test VPN functionality. Unfortuantely I am stuck and I cant seem to figure it out.

Re: IPsec VPN Configuration

balaji.bandi — Thu, 24 Oct 2024 07:32:37 GMT

As Long as you have VPN Established between Firewalls and you have interesting traffic allowed and routing in place that should work.

that is high level from what device to what device not working then need to trace the problem.

Re: IPsec VPN Configuration

Aref Alsouqi — Thu, 24 Oct 2024 08:55:35 GMT

Please share your sanitized configs of the three firewalls for review. Alternatively it would be difficult to trying to help here : D.

Re: IPsec VPN Configuration

ajaque27 — Fri, 25 Oct 2024 17:24:22 GMT

Here is the config for the ASAv AnyConnect Server. I think my issue is at the FTDv. I can't ping from the INSIDE interface to the OUTSIDE interface, which are two different subnets. I also attached screenshots of my static routes and policies on FTDv and an updated topology.

For the policies, I am essentially doing an any-any. I want to be able to ping across. In my topology, I am going from Right to Left.

Re: IPsec VPN Configuration

Aref Alsouqi — Fri, 25 Oct 2024 17:49:37 GMT

The AnyConnect ASA does not seem to have any routes configured. It must know where the remote subnets are located and how to route the traffic to them. If the Ubuntu subnet gets translated by the FTDv then you don't have to add a route for that subnet on the AnyConnect ASA but you still need a route to the VPN host subnet. Essentially all the firewalls need to have the correct routes configured to be able to route the traffic between the remote subnets.

Re: IPsec VPN Configuration

ajaque27 — Fri, 25 Oct 2024 17:54:04 GMT

Thank you for that! For that translation would I create a NAT policy to translate the Ubuntu network IP to the outside interface network?

Re: IPsec VPN Configuration

Aref Alsouqi — Mon, 28 Oct 2024 16:32:14 GMT

You're welcome. Translating the Ubuntu network into the outside interface IP address would be very common and we call this PAT. However, please keep in mind that NAT/PAT is not mandatory, so if you wish you can carry on with your lab without applying any NAT. In that case, a route needs to be added on the other two firewalls pointing to the FTDv to reach the Ubuntu network.

Re: IPsec VPN Configuration

MHM Cisco World — Mon, 28 Oct 2024 16:51:30 GMT

Use tunnelled GW in ASA that anyconnect user connect to.

In this case the ASA will have one default GW and other tunneled GW

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112182-ssl-tdg-config-example-00.html

Re: IPsec VPN Configuration

Cristian Matei — Mon, 28 Oct 2024 17:24:44 GMT

Hi,

What are the VPN tunnel endpoints? Is it the FTD and the ASA (which ASA?), or is it Anyconnect (from which PC) to which VPN gateway?

Best,

Cristian.