FTD Routing question

Ditter
Level 3

Hi to all,

I am facing the following problem; please refer also to the PNG attached (I also have some information on the PNG attached).

An IPsec VPN 2811 router tries to establish an IPsec VPN with an FTD.

I have set up this config in the lab and I noticed the following:

When the router uses as the IPsec terminator IP address the FTD interface from which the FTD receives the default route for all networks, everything works fine. This area 0 network is 192.168.2.0 and it is a fake network.

But when I change the IPsec destination of the 2811 router to the real IP subnet of the FTD (suppose as an example here that it is 1.2.3.0/24), it does not work, as the FTD tries to create the VPN tunnel via the 192.168.2.0 network (the fake IP address that is in area 0).

The solution to this is to create a static route and point the remote ptp of the 2811 network via the 1.2.3.1 IP address (which is the "real" FTD IP address). Please note that the FTD also generates the 1.2.3.0/24 network in area 0.

The problem is that the final positioning for the 2811 will be at an ISP site as a DHCP client pointing to the 1.2.3.1 IP address of the FTD.

The DHCP address of the 2811 will also not be static, as the provider gives out dynamic IPs.

So in this case I cannot create static routes pointing to the real IP subnet of the FTD.

I hope I made the problem clear.

Any contributions more than welcome!

Thanks 

Ditter.


12 Replies

First, please close your previous post about the IPsec VPN; it seems that my suggestion about the static route is correct.

Now, in this new post, can you elaborate more, especially on whether the intermediate router runs NAT or not, and which IP you use for set peer on the ISR router?

MHM

Thanks,

But what do you mean by close the previous post? My previous post is the one with the title "Creating a S2S VPN - protected networks via IP extended AC".

For this current post, the intermediate router is not doing any kind of NAT. On the ISR router, imagine that for the successful attempt I use, for example, the 192.168.2.1 IP address of the FTD, and for the failed attempt I use the 1.2.3.1 IP address of the FTD.

Thanks,

Ditter

The IPsec VPN needs to end on the interface directly pointing to the peer.

I.e. the FTD can establish an IPsec VPN to the ISR if 192.168.2.0 is pointing directly to the ISP.

FTD and ASA do not accept any VPN passing through the FTD/ASA.

I.e. the ISR is pointed to by 192.168.2.0, and 1.2.3.1 is another interface of the FTD.

So sorry, that cannot be done in FTD/ASA.

This can be done on other Cisco IOS XE / IOS XR devices; you can even use a Loopback as the IPsec VPN endpoint, but for a FW, no, we cannot do the same.

MHM

Thanks, so it seems that in order to terminate an IPsec VPN from the internet on the FTD I have to erase the RFC1918 address space I use for it internally in my network and use only one real IP subnet for both purposes:

1. Backbone routing with the other routing devices in my network

2. VPN termination via external ISPs.

Correct?

Thanks,

Ditter

You mean remove 192.168.2.0 between the FTD and the intermediate L3 device and use 1.2.3.0?

If that is what you mean, then yes, correct.

MHM

So, as my other 4 backbone routers have created their main adjacency via area 0 over this RFC1918 network (the 192.168.2.0 network), I will have to remove the FTD from area 0 and put it in another area, for example the area that covers the main site (as the FTD is located there), by using this 1.2.3.0 network in order to create an adjacency with the main backbone router that serves this main site.

Do you consider this as a correct approach or have you any other proposal?

Thanks again,

Ditter.

I re-arranged the topology to be clear for me, you and others who see the post.
Is my topology correct? (for the IPs maybe it is different)

I also make the VPN work and not work according to the IP used by the FTD.

ipsec FTD issue.png

The last point is not clear to me. I mean the router marked as Internal in the upper right corner.

The last point is: any interface in the FTD that is not the interface pointing to the ISR cannot be used for VPN, even if there is reachability between this interface and the ISR.

MHM

@MHM Cisco World So what do you think about my point above? Is my thought correct about the positioning of the firewall as far as OSPF is concerned? Of course it depends on how the network is configured, but as I said the topology is pretty much straightforward.

Is my thought correct about the positioning of the firewall as far as OSPF is concerned? I think I answered this question: even if another interface in the FTD is reachable to the ISR via static or IGP (OSPF), you cannot use it.

The only interface you can use is the interface directly pointing to the ISR.

Do show ip route in the ASA.

You will see the ISR uses one egress interface; this interface is used for VPN.

Hope it is clear.

Thanks 

MHM
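The "show ip route" check MHM describes, as an added example that is not part of the thread: a longest-prefix lookup over a constructed FTD routing table that mirrors this topology (default route learned over the 192.168.2.0/24 area-0 link, real subnet 1.2.3.0/24 on the interface meant to terminate the VPN). It reports whether the egress interface toward the peer is the interface the tunnel is configured on, and shows how a host route for the peer changes the answer. Interface names, next hops and the peer address 203.0.113.10 are assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


def longest_match(routes: List[Route], dest: str) -> Optional[Route]:
    """Return the most specific route covering dest, or None (no default)."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def vpn_egress_check(routes: List[Route], peer: str,
                     terminating_iface: str) -> Tuple[bool, str]:
    """True if the route toward the peer leaves via the VPN interface.

    The FTD/ASA only builds the tunnel on the egress interface toward the
    peer, so a mismatch here is exactly the 'tunnel tries 192.168.2.0' case.
    """
    route = longest_match(routes, peer)
    if route is None:
        return False, "no route"
    return route.interface == terminating_iface, route.interface


# Constructed table mirroring the thread: the default route is learned over
# the "fake" area-0 link; 1.2.3.0/24 is the real subnet (both hypothetical).
FTD_ROUTES = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.2.254", "backbone"),
    Route(ipaddress.IPv4Network("192.168.2.0/24"), "0.0.0.0", "backbone"),
    Route(ipaddress.IPv4Network("1.2.3.0/24"), "0.0.0.0", "outside"),
]
PEER = "203.0.113.10"  # RFC 5737 documentation address standing in for the ISR


def scenario_without_static() -> Tuple[bool, str]:
    # Peer 1.2.3.1 configured on "outside", but the default route wins.
    return vpn_egress_check(FTD_ROUTES, PEER, "outside")


def scenario_with_static() -> Tuple[bool, str]:
    # A host route for the peer via the real segment fixes the egress.
    fix = Route(ipaddress.IPv4Network(PEER + "/32"), "1.2.3.254", "outside")
    return vpn_egress_check(FTD_ROUTES + [fix], PEER, "outside")
```

With a dynamic peer address, as in the poster's final deployment, no host route can be pre-provisioned, which is why the thread concludes the FTD's default route must itself leave via the VPN-terminating interface.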

Ditter
Level 3

Thanks a lot for your help.
