I have an ASA 5516-X running the traditional ASA image which is working fine at the moment however I would like to replace it with FTD.
I've got another ASA 5516-X which is running the latest FTD image, we are managing this locally through FTD, we do not have an FMC.
Our ASA is the branch office end of an IKEv2 IPSec L2L to our HQ.
For augment's sake lets say:
Recently we have started using a cloud based transparent web proxy service using a second IPSec tunnel to direct HTTP and HTTPS traffic, with a NAT exemption, to the remote service.
On the ASA software this works fine with the selection of the correct local and remote protected networks, priority in the crypto maps. The HQ crypto map has the lowest priority (20) and the proxy has priority (60).
When initially setting up the second tunnel a warning is received about potential overlap but the advanced settings of the crypto map were changed to reflect the destination ports in the protected network and everything has been fine.
Now I'm running into problems trying to replicate this in FTD.
I have the HQ L2L set up fine as a IKEv2 IPSec with the same protected networks as above, however I cannot set up the cloud proxy L2L. When I try to replicate the configuration in the FTD GUI I just get a warning that the range overlaps with our HQ VPN and I cannot proceed any further. There is no option I can see to configure priorities for the tunnels or set specific destination ports for the remote protected networks to get this to work.
I also cannot see any way in FTD to specify a backup peer IP address, I tried comma separated but this is not accepted.
Does anyone have any advise or suggestions, can this even be achieved in FTD?
The only thing I could think of was specific destination protected network entries for the public internet facing ranges allocated by IANA but this would be a nightmare and also doesn't resolve the problem of only wanting to tunnel HTTP and HTTPS traffic down the second tunnel.
Thank you in advance
Solved! Go to Solution.
Thank you for the information Mohammed, that's a shame but we will have to look at another approach to this