04-28-2024 08:57 AM - edited 04-28-2024 08:59 AM
Hi to all,
I was trying to find out why the VPN between an FTD and a Cisco router could not come up and concluded this:
When I create the S2S VPN PtP topology, if I just add the protected networks, the tunnel does not come up.
For example, if behind the FTD is the network 192.168.1.0/24 and behind the extranet Cisco is the network 192.168.2.0/24, then if I add them in the protected network tab the IPsec VPN does not come up.
If instead I create an ACL with source any and destination 192.168.2.0 and apply it to the FTD, and also create an ext. ACL to allow traffic from 192.168.2.0 to any and apply it to the extranet node, the tunnel finally comes up.
Any ideas why this is happening? I am missing something but I cannot see what it is.
Please refer to the PNG attached to understand which part of the GUI I am referring to.
Thanks,
Ditter.
05-12-2024 05:13 AM
To not confuse you, I will ask here
Can you update me about this post
Thanks a lot
MHM
04-28-2024 09:03 AM - edited 04-28-2024 09:53 AM
MHM
04-28-2024 09:04 AM - edited 04-28-2024 09:54 AM
MHM
04-28-2024 09:50 AM
The router is a 2821 with 15.1(4)M10 and the FTD runs 7.2.5.
Btw, I am trying with IKEv1, not IKEv2.
04-28-2024 10:02 AM
On both sides, configure a route for the remote LAN, and then use the subnet network and check.
MHM
04-28-2024 09:53 AM
@Ditter do you have a NAT exemption rule to ensure the traffic between 192.168.1.0/24 and 192.168.2.0/24 is not unintentionally translated?
04-28-2024 11:11 AM
There is no NAT rule at this phase. I will add it later to the config.
What I noticed is the following: if I put on the FTD side as protected network the "any" keyword instead of a specific protected subnet, it works! So in this case I have configured in the GUI of the FMC the protected network for the Cisco 2821 side as 192.168.2.0/24 and any on the FTD side, and the VPN started to work.
Thanks,
Ditter.
04-28-2024 11:15 AM
@Ditter yes, I understand what you've configured. If there is no NAT exemption rule, traffic will not come from the original source; it will come from the translated IP address, which would match "any" in the crypto ACL.
Apply a NAT exemption rule on both sides to make sure traffic is not unintentionally translated.
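The two points raised in this thread (the crypto ACL / protected networks must be exact mirror images on both peers, and VPN traffic must be exempted from NAT so it still matches that ACL) can be seen together on the router side of this topology. The configuration below is an added example for illustration, not the poster's configuration or Cisco's; interface names, the transform-set name and the FTD peer address are assumed placeholders.

```cisco
! Router (2821, IOS) side of the tunnel. Constructed example, not from the thread.
! Assumed: GigabitEthernet0/0 = outside (NAT outside), GigabitEthernet0/1 = LAN
! 192.168.2.0/24 (NAT inside). <FTD-PEER-IP> and <TS-NAME> are placeholders.

! Crypto ACL ("interesting traffic"). Must be the exact mirror image of the FTD's
! protected-network pair: FTD local 192.168.1.0/24 <-> remote 192.168.2.0/24.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

! NAT exemption: deny the VPN flows first so they keep their original source,
! then permit the rest of the LAN to be PATed. Without the deny line the packets
! reach the crypto map already translated and no longer match VPN-TRAFFIC
! (they would only match a proxy ID of "any", which is the symptom seen above).
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any

route-map NAT-RM permit 10
 match ip address NAT-EXEMPT

ip nat inside source route-map NAT-RM interface GigabitEthernet0/0 overload

interface GigabitEthernet0/1
 ip nat inside
interface GigabitEthernet0/0
 ip nat outside
 crypto map CMAP

! Route for the remote LAN so the traffic is sent out the crypto-map interface.
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0 <FTD-PEER-IP>

crypto map CMAP 10 ipsec-isakmp
 set peer <FTD-PEER-IP>
 set transform-set <TS-NAME>
 match address VPN-TRAFFIC

! Verification after a LAN host pings the remote LAN:
!  show crypto ipsec sa         -> local/remote ident should be the two /24s
!  show ip nat translations     -> no entries for 192.168.2.x to 192.168.1.x
!  show access-list NAT-EXEMPT  -> the deny line's match counter increments
```

On the FTD side the equivalent is a Manual NAT rule in FMC placed above the dynamic PAT rules: static, with original and translated source 192.168.1.0/24 and original and translated destination 192.168.2.0/24 (an identity translation), so the inside hosts keep their real addresses when the flow is evaluated against the protected networks of the VPN topology.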
05-12-2024 07:54 AM
Thanks @MHM Cisco World, as the FTD does not permit VPN traffic to pass through the device, a static route should be created in the FTD to permit traffic to be sent to the appropriate interface where the VPN is created.