cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
501
Views
1
Helpful
4
Replies

Created a Route Based IPSEC Tunnel on Cisco FTD 2140

ccna_don
Level 1
Level 1

I have a Cisco FTD 2140 Secure Firewall that I am trying to build a route based IPSEC tunnel using VTI's. The vendor needs my proxy ID or encryption domain to be presented as a public IP address. So my WAN IP is obviously public but my internal network needs to be defined as a public IP. I figured only the two sites would be able to see these encryption domains so I was thinking of just creating a virtual IP to put on the VTI interface and then a static route to send the interesting traffic through that tunnel. I tried using an available IP that we have on our /27 circuit but the FTD chirped saying the VTI could not have the IP that overlaps the outside interface range. I hope this makes sense. 

4 Replies 4

tvotna
Spotlight
Spotlight

Yes it does. Subnets should not overlap. You can try to configure PAT for your traffic which needs to be sent over VPN, but this might be a bit complicated, because VTI "nameif" cannot be used in NAT configuration (defect CSCvm78941 ENH: Ability to configure NAT for VTI interface). There are rumors that NAT can work on VTI if "any" is used instead of VTI "nameif", but I didn't test this scenario personally. The NAT should be configured as policy NAT, i.e. should take "destination" into consideration, to not interfere with Internet access.

 

 

VTI have same subnet of WAN interface sure it overlapping.

For you case can you more elaborate 

MHM

I have to NAT my local subnet so that the remote side is presented with public address on an ipsec tunnel. I have the option to use a route based or a policy based tunnel as long as the encryption domain is using public IP. I have one set of IP addresses on a /27. I was thinking of creating a route-based tunnel and assigning a public IP address I made up on that VTI. Figure since it doesn't matter because the internet would never "see" it since it's tunneled. I'd then create a static route sending remote destination traffic to this VTI. Could this work?

I think your VPN peer will request you to configure either route-based or policy-based VPN. For policy-based VPN it is definitely possible to configure policy NAT or PAT on your side and hide your private address space behind a single NAT IP address or few NAT IPs. These IPs can be public and taken from your /27 subnet if they are not used for Internet access. For route-based VPN NAT needs to be tested, as I mentioned earlier. In case of route-based VPN the IP address assigned to the VTI interface doesn't matter much, so long as you agree on this IP address with your peer to configure routing. The corresponding subnet is typically assigned from a private address space (no need to waste yet another public IP here).

 

Review Cisco Networking for a $25 gift card