cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4459
Views
5
Helpful
8
Replies

FMC (PPPOE) to FTD (PPPOE) site to site vpn

diogo_1203
Level 1
Level 1

Hello guys,

 

Is it possible to make a vpn site to site the FMC (dynamic ip PPPoE) to FTD (dynamic ip PPPoE)?

 

Thanks....

1 Accepted Solution

Accepted Solutions

Hi diogo,

 

sry for the late response, been busy at work.

 

As u mentioned by yourself u can't use FTD with FDM on Site B because it doesnt support PPPoE. So install an FMC in Site B.

 

The real problem is, that u have to configure a Site To Site VPN under Devices, where u can add vpn (firepower threat defense device) and choose point to point and under node B Extranet where u have to add an ip address. See the Problem? u cant use an dns and the endpoint on the other site gets an ip via pppoe, so it can change on every reconnect via isp.

 

In other words your config wont work if site A and site B dont have static ip addresses.

View solution in original post

8 Replies 8

shaps
Level 3
Level 3
Hi
Not sure about the specifics of the Firepower config, however I dont see a reason why you cannot, the only limitation is the IP may change but this can be addressed by using DDNS.

Hello Shaps,

 

I am not able to configure the interface by CLI or FDM so that it receives PPPoE from the ISP, in the beginning it is a limitation of the equipment.

 

Thanks

Nico.Sauerbrey
Level 1
Level 1

Hi diogo,

 

not sure if i understand your problem.

 

do you mean u have a ftd managed by an FMC on SiteA and one standalone ftd (probable managed by FDM) on SiteB?

 

in this case u wont be able to configure PPPoE on the FDM, so this wont work (You cannot configure PPPoE for IPv4. If the Internet interface is connected to a DSL, cable modem, or other connection to your ISP, and your ISP uses PPPoE to provide your IP address, you must use Firepower Management Center to configure these settin...).

 

the FMC is a management-vm or physical appliance and its only usecase is to adminstrate FTD-Sensors. The FMC itself doesnt establish site2site-vpns or have a pppoe-config on its mgmt-interface.

Hello Nico,

 

I'll try to explain it better. Attached is my topology.

 

In site A I have an ASA5506 with FTD being managed by the FMC, the FTD Outside interface is connected to the router R042 which in turn performs the NAT. The RV042 fa0 / 1 interface receives the ip address via PPPoE from the ISP.

In site B I have an ASA5506 with FTD being managed locally by FDM, the FTD Outside interface needs to receive the ip address via PPPoE from the ISP, but I could not do it by CLI or FDM, according to the Cisco documentation, this does not it's possible.

I need the FTD on site B to receive the ISP's PPPoE address, manage the FTD via FMC on site A, and after all this will still close a site-to-site VPN between site FTD A and site FTD B.

With pure ASA5506 I can make the VPN site-to-site with both sites receiving IP via PPPoE, but I can not use this scenario as a definitive solution. I need it to work with the FTDs being managed by the FMC on site A.

Thanks Nico!

Hi diogo,

 

sry for the late response, been busy at work.

 

As u mentioned by yourself u can't use FTD with FDM on Site B because it doesnt support PPPoE. So install an FMC in Site B.

 

The real problem is, that u have to configure a Site To Site VPN under Devices, where u can add vpn (firepower threat defense device) and choose point to point and under node B Extranet where u have to add an ip address. See the Problem? u cant use an dns and the endpoint on the other site gets an ip via pppoe, so it can change on every reconnect via isp.

 

In other words your config wont work if site A and site B dont have static ip addresses.

Hi Nico,

 

yes, I saw that it will not be possible to configure the way the ASA appliances are today.

 

Thanks for the answer.

Abheesh Kumar
VIP Alumni
VIP Alumni
Hi,
Can you brief your setup...???

Hi Abheesh,

 

I have not done any PPPoE configuration yet, as there is no option for this in FDM or CLI.

 

I'm looking for alternatives, in the comment above I put the topology and gave a summary about it.

 

Thanks.

Review Cisco Networking for a $25 gift card