Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
469
Views
1
Helpful
5
Replies

IPsec tunnel with same phase 2 IP addresses

adity
Level 1
Level 1

‎09-25-2024 05:59 AM

Hi Team,

 

 I am stuck in one issue i would like to all please help me to resolve this issue......

I have cisco FTD 3105 model with version 7.3.1, from my firewall have configured 2 tunnels for different clients but the issue is both the clients have same Phase IP address and when I initiate the traffic from my end its getting conflict with crypto ACL.

Scenario :

Site A

Site B

Site C

 

172.16.1.0/24-----Site A -----Connect with site to site VPN------ Site B ----- Phase 2 IP subnet: 192.168.1.0/24

172.16.1.0/24-----Site A-----Connect with site to site VPN------ Site C------Phase 2 IP subnet: 192.168.1.0/24

 

 

 

0 Helpful
5 Replies 5

MHM Cisco World
VIP
VIP

‎09-25-2024 06:35 AM

You need to make one site use different subnet or use NAT 

MHM

0 Helpful

Aref Alsouqi
VIP
VIP

‎09-25-2024 06:43 AM

I think you can fix that by creating static identity NAT rules on FTD one for each subnet. In each NAT rule you will define a new subnet ID for each of the remote subnets, let's say site B subnet will be 192.168.10.0/24 and site C subnet will be 192.168.20.0/24. Then each NAT rule will convert the new subnets to their original, 192.168.10.0/24 to 192.168.1.0/24 and 192.168.20.0/24 to 192.168.1.0/24. The crypto ACLs would need to use the new subnet IDs in this case. Alternatively, you can NAT the remote subnets on their remote firewalls, with this option, the incoming traffic will be seen by the FTD with the NAT'ed addresses, so there is no need to apply any NAT rule on the FTD apart from the normal NAT exemption rule.

0 Helpful

adity
Level 1
Level 1

‎09-25-2024 07:32 AM

We dont have control on Remote firewall, 172.16.1.0/24(Virtual IP address) is natted ip, remote side they will receive the traffic from this IP original IP 10.12.10.0/24

 

Aref Alsouqi
VIP
VIP
In response to adity

‎09-25-2024 08:08 AM

Yeah that is most likely the case but you could raise this with the remote firewalls teams asking them to NAT their subnets only for the the VPN tunnels with your business. Alternatively, you can sort this out creating NAT rules on your firewall, one would be enough but I would recommend creating two in this case.

0 Helpful

MHM Cisco World
VIP
VIP
In response to adity

‎09-25-2024 08:48 AM

Issue in remote peer and sorry it mandatory to make one remote peer do NAT for it LAN. 

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card