06-04-2021 08:52 AM - edited 06-04-2021 09:01 AM
Hi
I have a 1010 Firepower on the edge with 2 S2S VPN connections established on it.
Now when I try to connect from a client inside of the 1010 to a VPN gateway on the internet, it is not going through. Any hints on where to troubleshoot, as these devices are limited in that respect?
Thank you
06-04-2021 11:41 AM
I've seen this at times when the internal system needed to use IPsec and the udp/500 ports were already in use by the firewall interface that terminates the other IPsec tunnels. One solution is to use a static NAT for that client so that it has its own public IP. Another is to see if it can negotiate with the distant end using udp/4500 (NAT-Traversal).
06-06-2021 05:18 AM
Hi Marvin
This is what I thought initially that the same port might be used.
I was thinking of assigning another public IP for the S2S tunnels, or another IP for the public interface, whichever might be feasible or easier on the 1010. Your thoughts on whether it is possible? I cannot change the peer VPN GW.
06-06-2021 07:57 AM
Site to site tunnels terminating on the FTD device must use the interface address.
You can verify the active ones are using the port connection with "show conn | i 500".
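As an added illustration (not from the thread or from Cisco), the Python below parses constructed `show conn | i 500` lines and checks whether an inside client's IKE ports collide with the udp/500 and udp/4500 sockets the FTD's own site-to-site tunnels already hold on the outside address. The outside address 203.0.113.10, the peer and client addresses, and the `NP Identity Ifc` rendering of to-the-box connections are assumptions for the sample.

```python
import re

# Constructed sample of "show conn | i 500" output (illustrative, not a real capture).
# Two S2S peers terminate on the outside interface 203.0.113.10 (to-the-box traffic
# shows the firewall side as "NP Identity Ifc"); inside host 10.10.10.25 is trying
# to bring up its own IKE session to 192.0.2.77.
SAMPLE_CONN = """\
UDP outside 198.51.100.20:500 NP Identity Ifc 203.0.113.10:500, idle 0:00:05, bytes 9120, flags -
UDP outside 198.51.100.40:4500 NP Identity Ifc 203.0.113.10:4500, idle 0:00:02, bytes 48200, flags -
UDP outside 192.0.2.77:500 inside 10.10.10.25:500, idle 0:00:01, bytes 1280, flags -
"""

# proto, interface A, ipA:portA, interface B (may contain spaces), ipB:portB
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>.+?)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),"
)
IKE_PORTS = {500, 4500}


def parse_conns(text):
    """Parse conn-table lines into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port_a"], d["port_b"] = int(d["port_a"]), int(d["port_b"])
            conns.append(d)
    return conns


def ike_ports_held_by_interface(conns, outside_ip):
    """UDP 500/4500 ports on the outside address owned by the firewall's own tunnels."""
    return {c["port_b"] for c in conns
            if c["proto"] == "UDP" and c["ip_b"] == outside_ip and c["port_b"] in IKE_PORTS}


def assess_client_ike(conns, outside_ip, client_ip, static_nat_ip=None):
    """Return (public IP the peer sees, IKE ports that collide with the firewall's tunnels).
    With a static NAT the client has its own public IP, so nothing collides."""
    held = ike_ports_held_by_interface(conns, outside_ip)
    client_ports = {c["port_a"] if c["ip_a"] == client_ip else c["port_b"]
                    for c in conns if c["proto"] == "UDP" and client_ip in (c["ip_a"], c["ip_b"])}
    if static_nat_ip:
        return static_nat_ip, set()
    return outside_ip, client_ports & held
```

A non-empty collision set means the client's IKE source port is already claimed by the box on the shared outside address, which is the situation the thread describes; passing a static NAT address shows why a dedicated public IP avoids it.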