https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5339131#M1123185 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/445131">@benolyndav</a> what do you mean exactly? what did you envisage the ACL is used for?</P> Thu, 16 Oct 2025 13:12:38 GMT Rob Ingram 2025-10-16T13:12:38Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330452#M1122723 <P>Hi</P><P>Quick question, Is it possible to Configure a RB VPN on an FTD using a Loopback Interface.??</P><P>I ask because I have been requested to set up one but the thing is the peer IP I have to use my side is not one of the FTD Interface IP Addresses, Also is this the best way to achieve this or is there another way. ??</P><P>Thankyou</P> Tue, 16 Sep 2025 08:59:14 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330452#M1122723 benolyndav 2025-09-16T08:59:14Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330454#M1122724 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/445131">@benolyndav</a>&nbsp;yes you can use a loopback on a route based VPN (VTI or DVTI)&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/vpn-s2s.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/vpn-s2s.html</A></P> <P>Loopback feature was introduced in version 7.3 -&nbsp;<A href="https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface" target="_blank">https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 16 Sep 2025 09:03:05 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330454#M1122724 Rob Ingram 2025-09-16T09:03:05Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330455#M1122725 <P><A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/internet-security-association-key-management-protocol-isakmp/222055-configure-route-based-site-to-site-vpn-b.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security-vpn/internet-security-association-key-management-protocol-isakmp/222055-configure-route-based-site-to-site-vpn-b.html</A></P> <P>Yes you can&nbsp;</P> <P>Check above link&nbsp;</P> <P>MHM</P> Tue, 16 Sep 2025 09:01:56 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330455#M1122725 MHM Cisco World 2025-09-16T09:01:56Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330853#M1122737 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;<BR />So excuse my ignorance but when creating a RB VPN its suggested to use the 169.x.x.x IP Addresses I have done these before without any issues,&nbsp; not sure how this works or needs configuring if I am to use a loopback address for the local&nbsp; RB VPN address.??</P><P>Thanks</P> Wed, 17 Sep 2025 08:34:56 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330853#M1122737 benolyndav 2025-09-17T08:34:56Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330855#M1122738 <P>Now give any IP to LO (unused IP) like 1.1.1.1&nbsp;</P> <P>Then check vti tunnel source can you select Lo as tunnel source?</P> <P>If Yes then it OK what you need is static route for Remote LO toward WAN interface&nbsp;</P> <P>If NOT then FMC/FTD not support LO as tunnel source&nbsp;</P> <P>MHM</P> Wed, 17 Sep 2025 08:43:23 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330855#M1122738 MHM Cisco World 2025-09-17T08:43:23Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330874#M1122740 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;</P><P>Thanks for that and yes I do see the Loopback available for the VTI, So because the IP Address I am using and the 3rd party will be peering with is not an Interface IP Address is this the only way I can do it ??</P><P>&nbsp;</P><P>Thanks</P> Wed, 17 Sep 2025 09:37:26 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330874#M1122740 benolyndav 2025-09-17T09:37:26Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330877#M1122741 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/445131">@benolyndav</a>&nbsp;sounds like you need to use the loopback as the tunnel source rather than the interface IP address. You obviously have the correct IP address defined on the loopback.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RobIngram_0-1758102005004.png" style="width: 574px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/252013i35A877DB04FDEBCE/image-dimensions/574x224?v=v2" width="574" height="224" role="button" title="RobIngram_0-1758102005004.png" alt="RobIngram_0-1758102005004.png" /></span></P> <P>&nbsp;</P> Wed, 17 Sep 2025 09:41:29 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330877#M1122741 Rob Ingram 2025-09-17T09:41:29Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330878#M1122742 <P>Let summary&nbsp;</P> <P>VTI use WAN (public IP) as tunnel source' vti will be UP since public IP is reachable&nbsp;</P> <P>Vti using LO&nbsp; (as tunnel srouce) with any IP' if remote peer can not reach this IP vti will be down</P> <P>Note:-&nbsp; you can ONLY use LO as tunnel source.</P> Wed, 17 Sep 2025 09:53:27 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5330878#M1122742 MHM Cisco World 2025-09-17T09:53:27Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335059#M1122995 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;Yes I have selected that but what about the below what do I need to select for this please<BR />P.s sorry about the delayed response</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="benolyndav_0-1759315402158.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/252842i4F7C39C507E6CE78/image-size/medium?v=v2&amp;px=400" role="button" title="benolyndav_0-1759315402158.png" alt="benolyndav_0-1759315402158.png" /></span></P><P>&nbsp;</P> Wed, 01 Oct 2025 10:44:28 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335059#M1122995 benolyndav 2025-10-01T10:44:28Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335060#M1122996 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/445131">@benolyndav</a>&nbsp;the loopback interface can be used as either a tunnel source or a borrow source, but not both. So if you want to terminate the VPN on the loopback, select tunnel source only.</P> Wed, 01 Oct 2025 10:54:38 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335060#M1122996 Rob Ingram 2025-10-01T10:54:38Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335072#M1122997 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;So I need to use something from the below range for the VTI IP</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="benolyndav_0-1759317984640.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/252843i3C54C122C738C21A/image-size/medium?v=v2&amp;px=400" role="button" title="benolyndav_0-1759317984640.png" alt="benolyndav_0-1759317984640.png" /></span></P><P>&nbsp;</P> Wed, 01 Oct 2025 11:26:35 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335072#M1122997 benolyndav 2025-10-01T11:26:35Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335073#M1122998 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/445131">@benolyndav</a>&nbsp;for the VTI tunnel IP address, I would typically&nbsp;personally use an IP address from the internal LAN network space. Personal choice though. It needs to be routed over the tunnel and unique.</P> Wed, 01 Oct 2025 11:30:02 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335073#M1122998 Rob Ingram 2025-10-01T11:30:02Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335685#M1123027 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;<BR />So if I use a 169.254.7.X/30 address for my vti and the loopback for the tunnel source, what do I point my static routes to for traffic going over the tunnel ??</P> Fri, 03 Oct 2025 13:41:28 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335685#M1123027 benolyndav 2025-10-03T13:41:28Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335690#M1123028 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/445131">@benolyndav</a>&nbsp;You'd point the route to the peer's tunnel IP address in the&nbsp;169.254.7.X/30 network.</P> Fri, 03 Oct 2025 13:54:07 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335690#M1123028 Rob Ingram 2025-10-03T13:54:07Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335692#M1123029 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;They aren't using one in that range that's the thing .??</P> Fri, 03 Oct 2025 14:00:57 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335692#M1123029 benolyndav 2025-10-03T14:00:57Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335694#M1123030 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/445131">@benolyndav</a>&nbsp;configure both tunnel interfaces (yours and the peers) in the same network, so they can communicate. Then create static routes (or use dynamic) for the local networks.</P> Fri, 03 Oct 2025 14:07:01 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5335694#M1123030 Rob Ingram 2025-10-03T14:07:01Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5338736#M1123165 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;Is it possible to use a NAT address has the peer IP address for RB/PB Site to Site VPNs at all on FTD??<BR />Thanks</P> Wed, 15 Oct 2025 09:22:03 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5338736#M1123165 benolyndav 2025-10-15T09:22:03Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5338747#M1123167 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/445131">@benolyndav</a>&nbsp;do you mean you want to setup your VPN to peer with an IP address that's actually a NAT on the remote side? If so yes, assuming the NAT is configured correctly on the remote side to translate the NAT IP to the IP address of the firewall/router you wish to establish a tunnel to. You will need to ensure NAT Traversal is configured on both ends to detect that NAT.</P> Wed, 15 Oct 2025 09:28:21 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5338747#M1123167 Rob Ingram 2025-10-15T09:28:21Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5338833#M1123169 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;Hi so say I wanted the remote peer end to peer with an NAT IP Address of 192.175.125.23&nbsp; on my side&nbsp;<BR />how would I need my NAT setting up out and in&nbsp;<BR />so the remote peer is IP 205.190.190.1</P><P>and myside local peer that they need to peer with is NAT IP Address&nbsp;192.175.125.23&nbsp;</P> Wed, 15 Oct 2025 14:07:40 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5338833#M1123169 benolyndav 2025-10-15T14:07:40Z https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5338835#M1123170 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/445131">@benolyndav</a> the tunnel source should be a physical or loopback interface IP, so not I don't think that will work.&nbsp;Can you not assign that NAT IP as a loopback, and use that as the tunnel source?</P> Wed, 15 Oct 2025 14:13:00 GMT https://community.cisco.com/t5/network-security/ftd-site-to-site-vpn-question/m-p/5338835#M1123170 Rob Ingram 2025-10-15T14:13:00Z