09-16-2025 01:59 AM
Hi
Quick question: is it possible to configure an RB (route-based) VPN on an FTD using a loopback interface?
I ask because I have been requested to set one up, but the peer IP I have to use on my side is not one of the FTD interface IP addresses. Also, is this the best way to achieve this, or is there another way?
Thank you
10-15-2025 02:28 AM
@benolyndav do you mean you want to set up your VPN to peer with an IP address that's actually a NAT on the remote side? If so, yes, assuming the NAT is configured correctly on the remote side to translate the NAT IP to the IP address of the firewall/router you wish to establish a tunnel to. You will need to ensure NAT Traversal is configured on both ends to detect that NAT.
10-15-2025 07:07 AM
@Rob Ingram Hi, so say I wanted the remote peer end to peer with a NAT IP address of 192.175.125.23 on my side.
How would I need my NAT setting up, outbound and inbound?
So the remote peer is IP 205.190.190.1,
and my side's local peer that they need to peer with is NAT IP address 192.175.125.23.
10-15-2025 07:13 AM
@benolyndav the tunnel source should be a physical or loopback interface IP, so no, I don't think that will work. Can you not assign that NAT IP to a loopback and use that as the tunnel source?
@Rob Ingram Thanks for that. So I have used the borrow IP option and selected the loopback interface I created; the tunnel source is now the physical interface. Should the 3rd party be pointing to the loopback interface or the physical interface IP address as their peer?
Thanks
10-16-2025 03:22 AM
@benolyndav when you borrow the IP address from the loopback, that borrowed IP address is used on the tunnel interface. In your scenario now, the tunnel source is the physical IP address of the FTD's outside interface; that is the IP address the peer will attempt to establish a VPN tunnel to, not the loopback IP.
10-16-2025 04:20 AM
@Rob Ingram Ah ok, understood. Just had a thought: would I need an ACL if using a loopback as the source?
10-16-2025 06:12 AM
@benolyndav what do you mean exactly? What did you envisage the ACL being used for?
09-17-2025 02:42 AM - edited 09-17-2025 02:53 AM
Let me summarise:
VTI using WAN (public IP) as tunnel source: the VTI will be UP, since the public IP is reachable.
VTI using LO (as tunnel source) with any IP: if the remote peer cannot reach this IP, the VTI will be down.
Note: you can ONLY use LO as tunnel source.
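For readers following the "borrow IP from loopback" scenario Rob Ingram describes above (and the VTI summary in this post), here is an added, illustrative sketch of what that setup looks like as FTD running config after FMC pushes it. This is not config from the thread or from Cisco documentation: it uses the thread's addresses 192.175.125.23 (loopback) and 205.190.190.1 (remote peer), while the interface names, tunnel number, the IPsec profile name and the outside interface address 203.0.113.10 are assumed for illustration. Routing over the VTI and the IKEv2 policy/profile are omitted.

```cisco
! Loopback that holds the address the tunnel interface will borrow.
! It is NOT what the remote peer connects to.
interface Loopback1
 nameif lo-vti
 ip address 192.175.125.23 255.255.255.255
!
! Route-based VPN (VTI). The tunnel interface borrows its IP from the
! loopback (ip unnumbered), but the tunnel SOURCE is the physical outside
! interface (assumed 203.0.113.10), so IKE/IPsec is sourced from there.
interface Tunnel1
 nameif vti-peer
 ip unnumbered lo-vti
 tunnel source interface outside
 tunnel destination 205.190.190.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FMC_IPSEC_PROFILE
!
! Consequence for the 3rd party: their peer address must be 203.0.113.10
! (the outside interface IP), not 192.175.125.23, because that is the
! address the IKE packets leave from and that the FTD answers on.
!
! Checks once the peer has been configured:
!   show crypto ikev2 sa      -> Local address should be the outside IP
!   show interface Tunnel1    -> line protocol comes up only after the
!                                IKEv2/IPsec SA is established
```

If the loopback address itself must be the peer address the 3rd party targets, the loopback has to be reachable from the internet (advertised or NATed to the FTD) and selected as the tunnel source instead of the outside interface; otherwise, as the summary above notes, the VTI stays down because the remote peer cannot reach it.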