Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2044
Views
0
Helpful
3
Replies

Firepower_Migration_Tool | Crypto S2S on FTD | ACL configuration

Go to solution
najarian
Level 1
Level 1

‎10-07-2020 07:58 AM

Hi, 

Question-1 i migrated my 5516-x to FTD: 1140 and I had about 87 S2S tunnels, but none of them migrated by Tools.
so, please confirm I should follow instructions in cisco and configure Manually right?

Question 2: in the ASA configuration, First: I have 2 ACL type: 1 under Crypto command like :
crypto map ipsec_outside 50 match address ipsec_TUNNEL1 ( which is the network I want to protect )
Second: I have ACL under Group-Policy ( VPN Filter) Configuration: like :
group-policy policy_toyota-bank attributes
VPN-filter value acl_toyota-bank
(to restrict Port number accessibility from the remote side)

I know that I should write Extended ACLs under Object management> Extended ACL first, and use it for VPN configuration on FMC in Node (B) section.

but the question is: how should I use BOTH ACLs under site-2-site communication? is that possible to combine it? ( we have no command of ''tunnel-group X.X.X.X general-attributes'' to bind ACL like Vpn-Filter in ASA)!
should I use Flex-config or I can write Extended ACL (a combination of 2 ACLs above) and assign it under Node-B network protection?

Thanks in advance,

Respectfully yours,
Ashkan

Mohammad najarian
CCIE #65604
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎10-08-2020 12:28 AM

Yes, you would build the new VPN topologies, add the SRC (your local networks) and DST (the remote networks) - this defines the interesting traffic to be encrypted over the VPN tunnel.

 

Yes, the configuration of your existing VPN Filter on the ASA would need to be re-writing within the ACP applied to the FTD

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎10-07-2020 08:05 AM

Hi @najarian 

Correct, I don't believe the FMT currently migrates VPN tunnels, so unfortunately you'd have to migrate manually.

 

On FTD you would configure firewall rules in the ACP (Access Control Policy) to determine which traffic should or should not be permitted over the VPN tunnel.

 

HTH

0 Helpful

Go to solution
najarian
Level 1
Level 1
In response to Rob Ingram

‎10-08-2020 12:14 AM - edited ‎10-08-2020 12:15 AM

Hello Rob,

 

as i understand, i should just add SRC/DST networks in the NODEs information section in S2S configuration on FMC and i should migrate ''VPN-Filter ACLs on ASA '' in the (Access Control Policy). would you please confirm?

 

regards

Ashkan

Mohammad najarian
CCIE #65604
0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎10-08-2020 12:28 AM

Yes, you would build the new VPN topologies, add the SRC (your local networks) and DST (the remote networks) - this defines the interesting traffic to be encrypted over the VPN tunnel.

 

Yes, the configuration of your existing VPN Filter on the ASA would need to be re-writing within the ACP applied to the FTD

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card