Solved: FTD VPn Question

benolyndav · ‎10-03-2023

Hi

We have an FTD with Global and 3 Virtual Routers(vrf) configured on it all these use the same default route via Global Inet connection,

Is it possible for me to esatablish a VPN from the Inet facing Interface and allow only one VRF's traffic across the VPN, So basically this VRF would now send all its traffic via the VPN.??

Thanks

Rob Ingram · ‎10-03-2023

@benolyndav so if the VPN is in the global routing table, then routing leaking from a user-defined vrf should work.

I assumed you wanted to use user-defined VRF for VPNs, which is not supported unless using a VTI (on newer FTD versions).

View solution in original post

Rob Ingram · ‎10-03-2023

@benolyndav what version of FTD are you using? Are you using a Policy or Route Based VPN (VTI)?

The latest version 7.3/7.4 supports user-defined virtual routers (VRFs) for VTIs

benolyndav · ‎10-03-2023

Hi

We are using Policy Based VPN

Thanks

Rob Ingram · ‎10-03-2023

@benolyndav unfortunately I do not believe virtual routers (VRF) are supported using policy based VPNs, only routed based VPN (VTI) appear to support VRF.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/vpn-s2s.html

benolyndav · ‎10-03-2023

Hi

So the vpn is between the outside interface and the 3rd party peer the outside interface is in the gloal routing I would add the traffic to the vpn and add a static route in the vrf any-ipv4 to internet which is leaked from global, are you saying that wouldnt work ??

Thanks

Rob Ingram · ‎10-03-2023

@benolyndav so if the VPN is in the global routing table, then routing leaking from a user-defined vrf should work.

I assumed you wanted to use user-defined VRF for VPNs, which is not supported unless using a VTI (on newer FTD versions).

MHM Cisco World · ‎10-03-2023

Friend it work use pbr and forward traffic via vpn.

Did you check this solution?