IPsec VPN Configuration

ajaque27
Level 1

Hello, I am trying to configure an IPsec VPN coming from 192.168.1.0/24. It is connected to an FTDv appliance on the inside interface, whose IP is 192.168.1.253. The laptop IP is 192.168.1.10. The FTDv is connected to an ASAv running AnyConnect server, and that is connected to another ASAv acting as a firewall. On the destination end is another laptop. I want to connect to the network of that laptop to test VPN functionality. Unfortunately I am stuck and I can't seem to figure it out.

Attachment: Screenshot 2024-10-23 172126.png

8 Replies

balaji.bandi
Hall of Fame

As long as you have the VPN established between the firewalls, and you have the interesting traffic allowed and routing in place, that should work.

That is the high-level view; from what device to what device is it not working? Then you need to trace the problem.

 

BB


Please share your sanitized configs of the three firewalls for review. Alternatively, it would be difficult to try to help here :D.

Here is the config for the ASAv AnyConnect Server. I think my issue is at the FTDv. I can't ping from the INSIDE interface to the OUTSIDE interface, which are two different subnets. I also attached screenshots of my static routes and policies on FTDv and an updated topology.

For the policies, I am essentially doing an any-any. I want to be able to ping across. In my topology, I am going from Right to Left. 

The AnyConnect ASA does not seem to have any routes configured. It must know where the remote subnets are located and how to route the traffic to them. If the Ubuntu subnet gets translated by the FTDv then you don't have to add a route for that subnet on the AnyConnect ASA but you still need a route to the VPN host subnet. Essentially all the firewalls need to have the correct routes configured to be able to route the traffic between the remote subnets.

Thank you for that! For that translation would I create a NAT policy to translate the Ubuntu network IP to the outside interface network?

You're welcome. Translating the Ubuntu network into the outside interface IP address would be very common and we call this PAT. However, please keep in mind that NAT/PAT is not mandatory, so if you wish you can carry on with your lab without applying any NAT. In that case, a route needs to be added on the other two firewalls pointing to the FTDv to reach the Ubuntu network.
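As an added illustration of the two options described in this reply (not configuration taken from the thread), here is ASA-style CLI for the FTDv-side PAT and for the no-NAT alternative. The Ubuntu subnet (192.168.1.0/24), the FTDv outside address (203.0.113.2) and the interface names are assumed placeholder values; on FTD the same settings are built in the FMC NAT and static-route pages rather than typed as CLI.

```cisco
! Option A: PAT on the FTDv (ASA syntax; assumed values).
! Traffic leaves the FTDv outside interface sourced from that interface's IP,
! so the upstream firewalls only need a route to the FTDv outside subnet,
! not to 192.168.1.0/24 itself.
object network UBUNTU_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Option B: no NAT on the FTDv.
! Then each of the other two firewalls needs a static route to the Ubuntu
! subnet via the FTDv outside interface (203.0.113.2 assumed), applied on the
! interface of that firewall which faces the FTDv ("inside" assumed here).
route inside 192.168.1.0 255.255.255.0 203.0.113.2 1

! Verification: confirm the route is installed before testing the VPN path.
show route | include 192.168.1.0
```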

Use a tunneled default gateway on the ASA that the AnyConnect user connects to.

In this case the ASA will have one default GW and another tunneled GW.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112182-ssl-tdg-config-example-00.html

Cristian Matei
VIP Alumni

Hi,

What are the VPN tunnel endpoints? Is it the FTD and the ASA (which ASA?), or is it AnyConnect (from which PC) to which VPN gateway?

Best,

Cristian.
