1630 Views | 0 Helpful | 3 Replies

Issue migrating Juniper s2s VPN to FTD

paultribe (Level 1)

I have an issue whereby I am migrating Juniper SSG firewalls that have multiple VPNs to Cisco FTD running FTD 6.2.3 software (not ASA).

The problem is the Juniper SSGs terminate all the s2s VPNs on a loopback interface, but the ASA cannot do this. As a workaround I thought to just add another physical interface on the FTD and use a /30 IP address which includes the old loopback, then just statically route towards the remote VPN peers and proxy IDs via this extra interface. The problem is the ISP router has no free interfaces. I also suggested using sub-interfaces between the FTD and the ISP router, but that was also a no-go. Oh, and the other thing: there are too many S2S VPNs for all the remote sides to change the peer address.

Does anyone know of any other way I can achieve this? In a lab I have tried creating a NAT entry that NATs the loopback address to the outside interface address (that the VPNs terminate on), as follows:

nat (outside,outside) source static REAL_VPN_INTF NATTED_VPN_INTF

I then put a static route towards the NAT/loopback address on the "ISP" router, but no joy; the only result was that the NATted address appeared in the ARP cache on the router. Having not messed about with NAT that much to "fudge" things, I have probably done this wrong.

Any help would be useful.

3 Replies

Dennis Mink (VIP Alumni)

Typically, if you have an ASA with a public IP address on its outside interface, the remote end of the VPN uses that public IP address as the VPN peer address. Have you tried this, or is there any reason this is not possible in your setup?

Please remember to rate useful posts, by clicking on the stars below.

Hi there

The issue is I am doing a migration from Juniper to Cisco, and the Junipers were using a loopback for the s2s VPNs to terminate on. This is not the same as the real address being migrated to the FTD outside interface. The customer has so many S2S VPNs that they do not want to get all their clients to change the peer address they point to, and I cannot use the loopback as the real address; I have to use the real address migrated from the Junipers.

Regards
Paul

OK, fair enough, I understand the issue. Does the loopback on the Juniper have a public IP address (I am guessing yes)?

https://community.cisco.com/t5/firewalls/ipsec-vpn-termination-on-different-ip/td-p/3687714
