01-21-2020 09:14 AM
Hello,
I have a query regarding an IPsec VPN setup. We are configuring an IPsec VPN between two nodes; details are given below:
Node A - Check Point Firewall
Node B - Cisco Firepower Threat Defense
Node A - VPN Initiator
Node B - VPN Responder
Source IP - 2.2.2.2/32
Destination IP/Subnet - 10.10.10.0/24 and 10.10.20.0/24
So the VPN is up and traffic flows between 2.2.2.2/32 and 10.10.10.0/24; however, the other subnet, 10.10.20.0/24, conflicts with a subnet in the customer premises, i.e. the Node A side. This subnet is necessary since it has multiple servers, but due to the conflict the customer is not able to access this IP range.
Can someone please advise what the best possible solution for this issue is, apart from NATing at Node B?
01-21-2020 09:59 AM
Is the NAT exemption (identity NAT) applied on both sides? Make sure the ACLs (crypto map) are identical on both sides. You can do a packet tracer on the FTD and show us the output.
01-21-2020 10:48 AM
Hello Sir,
Identity NAT/exemption is not applied. The issue is that source IP 2.2.2.2/32 can reach destination 10.10.10.0/24, whereas it cannot reach the other destination subnet 10.10.20.0/24, because 10.10.20.0/24 is already in use at the customer end, i.e. the Node A end, so when they initiate traffic for the second subnet it is routed somewhere other than the IPsec VPN.
01-21-2020 11:10 AM
Is 10.20 behind the FTD directly connected, or is there a layer 3 device between the FTD and the 10.20 network?
01-22-2020 02:55 AM
Hello sir,
The 10.10.20.0/24 network is not directly connected to FTD. There is a Layer 3 device.
<------ (VPN)FTD ----- Nexus 5k ----- 10.10.20.0/24
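The two checks raised in this thread (do the crypto ACL proxy IDs mirror each other on both peers, and does any remote encryption-domain prefix overlap a prefix already routed locally at the initiator, which is what sends 10.10.20.0/24 traffic somewhere other than the tunnel) can be run offline before touching either firewall. The script below is an added example and is not code from any poster, Cisco or Check Point; the prefix lists are constructed from the addresses in the thread, and the extra 192.168.1.0/24 local prefix is an assumption used only to show a non-conflicting entry.

```python
import ipaddress
from typing import Iterable, List, Tuple

Pair = Tuple[str, str]  # (local prefix, remote prefix) as a peer sees it


def _net(prefix: str) -> ipaddress._BaseNetwork:
    """Parse a prefix string; strict=False tolerates host bits like 10.10.10.5/24."""
    return ipaddress.ip_network(prefix, strict=False)


def proxy_ids_mirror(initiator_pairs: Iterable[Pair], responder_pairs: Iterable[Pair]) -> List[str]:
    """Return initiator (local -> remote) selectors that the responder does not mirror.

    A crypto-map ACL / VPN domain on one peer must appear as (remote, local) on the
    other peer; any entry listed here will never negotiate an SA with the far side.
    """
    init = {(_net(l), _net(r)) for l, r in initiator_pairs}
    resp = {(_net(l), _net(r)) for l, r in responder_pairs}
    return [f"{local} -> {remote}" for local, remote in sorted(init, key=str)
            if (remote, local) not in resp]


def encryption_domain_conflicts(local_prefixes: Iterable[str], remote_domain: Iterable[str]) -> List[Pair]:
    """Return (remote, local) pairs where a remote encryption-domain prefix overlaps a locally routed one.

    When a remote prefix overlaps a local subnet, the longest-match route on the
    initiator wins over the tunnel's interesting-traffic match, so packets to that
    destination are forwarded locally instead of being encrypted.
    """
    conflicts: List[Pair] = []
    for remote in map(_net, remote_domain):
        for local in map(_net, local_prefixes):
            if remote.overlaps(local):
                conflicts.append((str(remote), str(local)))
    return conflicts


# Constructed data from the thread: Node A (Check Point, initiator) and Node B (FTD, responder).
NODE_A_LOCAL_ROUTES = ["2.2.2.2/32", "10.10.20.0/24", "192.168.1.0/24"]  # 192.168.1.0/24 is assumed
NODE_B_ENCRYPTION_DOMAIN = ["10.10.10.0/24", "10.10.20.0/24"]

NODE_A_SELECTORS = [("2.2.2.2/32", "10.10.10.0/24"), ("2.2.2.2/32", "10.10.20.0/24")]
NODE_B_SELECTORS = [("10.10.10.0/24", "2.2.2.2/32"), ("10.10.20.0/24", "2.2.2.2/32")]


def report() -> dict:
    """Run both checks over the constructed data and return the findings."""
    return {
        "unmirrored_selectors": proxy_ids_mirror(NODE_A_SELECTORS, NODE_B_SELECTORS),
        "overlaps": encryption_domain_conflicts(NODE_A_LOCAL_ROUTES, NODE_B_ENCRYPTION_DOMAIN),
    }


if __name__ == "__main__":
    findings = report()
    for entry in findings["unmirrored_selectors"]:
        print(f"no mirrored selector on responder for {entry}")
    for remote, local in findings["overlaps"]:
        print(f"remote prefix {remote} overlaps local route {local}: traffic will not enter the tunnel")
    if not any(findings.values()):
        print("selectors mirror and no encryption-domain overlap found")
```

Feed each function the real prefix lists exported from both peers; the thread's own situation shows up as a single overlap finding on 10.10.20.0/24, while the mirror check stays empty because both sides list the same two selectors.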