IPSec VPN between C.2811 and Firepower with only Real IP addresses

Ditter

Hi to all,

I am facing an issue with the following scenario:

A Cisco 2811 successfully establishes an IPsec VPN with an FTD.

Behind the Cisco 2811 there is a real subnet, and I am able to ping between this real subnet and all the other real IP subnets that are routed by the FTD.

I have no need for RFC 1918 addressing, therefore no NAT exists on the 2811 side and no NAT exists on the FTD side.

The problem is that I cannot ping anything else that is outside the FTD's routing domain, that is, other subnets that are routed by another router with which the FTD has OSPF adjacency.

In addition, from the real subnet behind the 2811 I cannot get to the Internet (for example, ping 8.8.8.8).

The FTD has full connectivity with the other routers within our domain as well as to the Internet, through the default route (gateway of last resort) that it receives from our upstream router.

I am sure I am missing something, but I do not know what it is.

I wouldn't believe that the FTD translates everything by default to its outside interface, because according to whatismyip.com I can see my real IP address and not the real outside IP address of the FTD.

Any ideas on this?

Thanks,

Ditter.


Accepted Solution

Did you check the topology I shared?

R2 in my topology is the same as the router that the FTD sits behind in your topology.

R2 needs to have NAT for the client router's LAN.

Also, you need to make R2 have a route for the client router's LAN toward the FTD for the return traffic; you can use a static route.

MHM


7 Replies

First, a policy-based VPN is not good here; use a route-based VPN (VTI).

Then make the FTD push a default route to the Cisco router, so the router will use the VTI to access the Internet.

In the FTD, configure NAT outside-to-outside: the Cisco router's LAN will be NATed to the FTD's outside interface IP.

"The problem is that I cannot ping anything else that is outside the FTD's routing domain, that is, other subnets that are routed by another router with which the FTD has OSPF adjacency."

This part I don't get.

MHM

Thank you @MHM, but in my case the Cisco 2811 router is Metro Ethernet based, with a dynamic IP provided by the ISP. As I recall (and checked it again), VTI cannot be applied to my case, as VTI is currently supported only with static WAN IP addresses.


What I did was to apply a dynamic crypto map with "any" as the protected subnets, and it also works, therefore I will stick to this.

But my problem remains: although I can successfully connect from the remote site to every subnet that is routed by the FTD, I do not have Internet connectivity.

What I do not know is whether the FTD tries by default to NAT all networks that are not routed internally by the FTD and have to go out through the outside interface.

So far I have not created any NAT rule, and the only rules I see in the NAT section are the identity NAT rules created automatically by this version of the FMC (7.4.2-172), a nice addition compared to the previous version I had, 7.2.8-25.

Any advice on how I can have connectivity to the Internet without being NATed by the FTD, as I use Internet IP addresses (no RFC 1918)?

Thanks,

Ditter

Is this your network?

MHM

[Attachment: VPN NAT issue.png]

Ditter

Hi @MHM Cisco World,

please refer to the attached drawing.

As mentioned, I can ping all networks routed by the FTD, but none outside the firewall. No NAT is present on the firewall except for the identity NAT rules that were automatically inserted into the NAT table (that happened due to my upgrade to 7.4.2-172).

In the Access Control Policy I have a rule permitting traffic coming from outside and going to outside, with the source being the real IP address space behind the 2811 and the destination being anywhere, but there are no matches in the hit counters, therefore I do not hit this ACL entry.

Nowhere in my network do I NAT the real subnets.

But I am still not able to go anywhere except inside the firewall.

Thanks

Ditter.


Why are we using a 2811 in 2024?

Ditter

Thanks @MHM Cisco World, we updated our routers with the appropriate routes and now everything works.
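As an added example (not configuration posted by anyone in this thread), here is an IOS sketch of the two pieces the thread converged on: on the 2811, a crypto ACL that protects traffic from the remote LAN to "any", so Internet-bound packets are encrypted toward the FTD rather than sent to the ISP in the clear; and on the upstream router R2, a static route that hands return traffic for the remote LAN to the FTD, which is the part the accepted solution identified as missing. All addresses, interface names and object names are assumed placeholders from the RFC 5737 documentation ranges; the FTD side (dynamic crypto map with "any" as the protected network, identity NAT, outside-to-outside access rule) is configured in FMC and is not shown here.

```cisco
! Added example, not configuration from any poster in this thread.
! Assumed placeholder addressing (RFC 5737 documentation ranges):
!   203.0.113.0/24  = publicly routed ("real") LAN behind the 2811, on Fa0/0
!   198.51.100.1    = FTD outside interface and static VPN peer
!   198.51.100.2    = upstream router R2, OSPF neighbour of the FTD, same segment
!   Fa0/1           = 2811 WAN interface with a DHCP-assigned address
!
! ---- Cisco 2811 (dynamic WAN address, so it is always the initiator) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The peer address is the FTD's static outside IP; the key string is a placeholder.
crypto isakmp key <pre-shared-key> address 198.51.100.1
!
crypto ipsec transform-set TS-FTD esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "any" as the remote side: every packet sourced from the LAN goes through the
! tunnel, including packets for the Internet and for subnets behind R2.
! With only the FTD-side subnets listed here, Internet traffic would leave
! unencrypted via the ISP default route and the FTD would never see it.
ip access-list extended VPN-TO-FTD
 permit ip 203.0.113.0 0.0.0.255 any
!
crypto map CM-FTD 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-FTD
 match address VPN-TO-FTD
!
interface FastEthernet0/0
 description LAN 203.0.113.0/24
 ip address 203.0.113.1 255.255.255.0
!
interface FastEthernet0/1
 description ISP Metro Ethernet, dynamic address
 ip address dhcp
 crypto map CM-FTD
!
! Default route learned from DHCP; ISAKMP/ESP to the FTD follows it in the clear,
! everything from the LAN is intercepted by the crypto map before it leaves.
ip route 0.0.0.0 0.0.0.0 dhcp
!
! ---- Upstream router R2 ----
! Without this, R2 forwards replies for 203.0.113.0/24 by its own default route
! and they never reach the FTD, so they are never encrypted back to the 2811.
ip route 203.0.113.0 255.255.255.0 198.51.100.1
!
! Optional: advertise the remote LAN to the rest of the OSPF domain instead of
! adding a static route on every router.
router ospf 1
 redistribute static subnets
```

To verify, on the 2811 run `show crypto ipsec sa` and check that the SA with remote identity 0.0.0.0/0 shows both encaps and decaps counters increasing while pinging 8.8.8.8; on R2 run `show ip route 203.0.113.0` and confirm the next hop is the FTD. A crypto ACL of "permit ip <LAN> any" puts the FTD's access control policy in the path of all of the remote site's Internet traffic, which is what makes the FTD the enforcement point for that site, so its outside-to-outside rule should start showing hits once the return route on R2 is in place.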
