09-05-2018 03:55 AM - edited 02-21-2020 08:11 AM
I have an issue whereby I am migrating Juniper SSG firewalls that have multiple VPNs to Cisco FTD running FTD 6.2.3 software (not ASA).
The problem is the Juniper SSGs terminate all the S2S VPNs on a loopback interface, but the ASA cannot do this. As a workaround I thought to just add another physical interface on the FTD and use a /30 IP address which includes the old loopback, then just statically route towards the remote VPN peer & proxy IDs via this extra interface. The problem is the ISP router has no free interfaces. I also suggested using sub-interfaces between the FTD and the ISP router, but that was also a no-go. Oh, and the other thing: there are too many S2S VPNs for all the remote sides to change the peer address.
Does anyone know of any other way I can achieve this? In a lab I have tried creating a NAT entry that NATs the loopback address to the outside interface address (that the VPNs terminate on), as follows:
nat (outside,outside) source static REAL_VPN_INTF NATTED_VPN_INTF
I then put a static route towards the NAT/loopback address on the "ISP" router, but no joy; only the NATted address appeared in the ARP cache on the router. Having not messed about with NAT that much to "fudge" things, I have probably done this wrong.
Any help would be useful.
09-05-2018 03:59 AM
Typically, if you have an ASA with a public IP address on its outside interface, the remote end of the VPN uses that public IP address as the VPN peer address. Have you tried this, or is there any reason this is not possible in your setup?
09-06-2018 07:18 AM
09-06-2018 01:09 PM
OK, fair enough, I understand the issue. Does the loopback on the Juniper have a public IP address (I am guessing yes)?