FTD Route Based VPN

benolyndav
Level 4

Hi, we have to configure a RB VPN and I am wondering if I add the new VTI interface to the existing outside security group, or do I have to create a new security group? The outside security group has the Internet-facing interfaces in it.

Thanks


The VTI interface needs to be put in a different security zone than the tunnel source of the VTI.

This gives you more control of the traffic passing through the VTI.

MHM

Hi @benolyndav 

Adding a VTI to a Security Zone is optional. I'd recommend you configure a VTI in a unique Security Zone; you can then control traffic over the VPN tunnel using the Security Zone in the Access Control policy, which allows you to distinguish between VPN traffic and cleartext traffic.

Hi @Rob Ingram 

Ok, makes sense. So now when traffic is sourced from the Inside interface and needs to go through the VTI, I would not say Inside to Outside anymore; it would be Inside to VTI and through the tunnel?
Also, my NAT rule would now be Inside to VTI and Outside to VTI, rather than Inside to Outside and Outside to Inside for other traffic?

For the static routes, would I now say the gateway for the remote subnet is the remote VTI peer IP address?
Thanks

@benolyndav correct.

You cannot write NAT rules for a Virtual Tunnel Interface (VTI), which are used in site-to-site VPN. Writing rules for the VTI's source interface will not apply NAT to the VPN tunnel. To write NAT rules that will apply to VPN traffic tunneled on a VTI, you must use "any" as the interface; you cannot explicitly specify interface names.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/interfaces-settings-nat.html

Yes, for routing use the VTI tunnel IP address as the next hop or using a routing protocol.

Hi @Rob Ingram 
Would that be any to any, or any to Outside, in the NAT rule?

Thanks

@benolyndav EDIT: actually INSIDE to any. Ingress through the inside interface, egress via the Tunnel interface - NAT rules are bi-directional. Be as specific as possible in your NAT rule in regard to source/destination networks.

Hi @Rob Ingram 
Am I ok to DM you?

Thanks

You cannot use the nameif of the VTI in NAT; that is separate from the security zone. You can use "any" instead.

For the static route:

The VTI tunnel IP of the peer is used as the next hop, not the VTI tunnel IP of the FPR.

Keep in mind that the VTI tunnel appears as a directly connected link from the FPR's view.

MHM

NAT will be 

INSIDE to ANY <- if traffic is NATed towards the VTI interface

MHM
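As an added illustration (not from this thread or from Cisco's documentation), this is how the three points above would look in the ASA/FTD CLI syntax that FMC deploys: the VTI in its own interface, the static route pointing at the peer's tunnel IP, and a NAT exemption that uses "any" on the tunnel side instead of the VTI name. All interface names, IP addresses and object names are made up; the Security Zone assignment itself is done in the FMC GUI and has no CLI line.

```asa
! Route-based VPN tunnel interface (hypothetical names/addresses).
! In FMC, put this interface in its own Security Zone (e.g. "VPN-SITEB"),
! not in the same zone as the "outside" interface that sources the tunnel.
interface Tunnel1
 nameif VTI-SITEB
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Static route for the remote LAN: next hop is the PEER's tunnel IP
! (169.254.10.2), not this firewall's own tunnel IP (169.254.10.1).
route VTI-SITEB 10.20.0.0 255.255.0.0 169.254.10.2 1
!
! Network objects for the NAT exemption (made-up prefixes).
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
object network REMOTE-NET
 subnet 10.20.0.0 255.255.0.0
!
! NAT exemption for VPN traffic: inside -> any. The VTI nameif cannot be
! used as the NAT interface, so the tunnel side is "any"; identity NAT with
! route-lookup lets the routing table (the VTI route above) pick the egress.
nat (inside,any) source static INSIDE-NET INSIDE-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
```

Because NAT rules are bi-directional, the single inside/any rule also covers return traffic from the remote subnet; keeping source and destination objects specific avoids exempting unrelated outbound traffic from PAT.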
