04-19-2024 02:33 PM
If I am configuring an IKEv1 IPSEC site-to-site VPN with an FTD device running 7.4.1 managed by the FMC and it is policy based, not route based, does the system ACL applied to the device also control the traffic across the tunnel? If so, then what Zone does the traffic show up as? Currently the device has an Inside and Outside zone defined.
04-19-2024 02:48 PM
Control plane ACL affects only the VPN outer header, i.e. it allows or denies the VPN between FTD and peer.
ACP does not affect traffic passing via VPN if you enable sysopt permit-vpn, but it does affect it if you disable it.
There is an option to filter the traffic passing via VPN via the VPN traffic filter.
I think it appears in
VPN topology > Advanced > IPsec > Filter
(FMC)
MHM
04-19-2024 03:07 PM
If the ACP is seeing the tunnel traffic then what is the source zone?
04-19-2024 03:12 PM
If you want to configure ACP then you need ACP for two directions:
ACP Inside->Outside
ACP Outside->Inside
MHM
04-21-2024 02:26 PM
For inbound traffic from the remote VPN site you would have a source zone of the outside interface.
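Putting the answers in this thread together, here is an added example (not from any of the posters, and not FMC-generated output) of how the two-direction ACP and the sysopt check look on a policy-based site-to-site tunnel. The networks, zone names and rule names are constructed placeholders; the FTD CLI commands shown (`show running-config sysopt`, `packet-tracer`, `show access-list`) are standard ASA/FTD commands used to verify which path decrypted traffic takes.

```text
# Constructed topology (placeholders):
#   Local LAN  10.10.0.0/24     behind security zone "Inside"
#   Remote LAN 192.168.50.0/24  behind the IPsec peer, reached via zone "Outside"

# 1) On the FTD CLI, check whether decrypted VPN traffic bypasses the ACP.
#    In FMC this corresponds to Access Control Policy > Advanced >
#    "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)".
> show running-config sysopt
no sysopt connection permit-vpn
#    -> bypass disabled: tunnel traffic IS evaluated by the ACP rules below.
#    If the output were "sysopt connection permit-vpn", the ACP would be skipped
#    for tunnel traffic and only the VPN traffic filter (topology > Advanced >
#    IPsec > Filter) could restrict it.

# 2) ACP rules needed when the bypass is disabled (one per direction):
Rule "VPN-Out"  Src zone: Inside   Dst zone: Outside
                Src net:  10.10.0.0/24        Dst net: 192.168.50.0/24   Action: Allow
Rule "VPN-In"   Src zone: Outside  Dst zone: Inside
                Src net:  192.168.50.0/24     Dst net: 10.10.0.0/24      Action: Allow
#    Traffic arriving from the remote site is decrypted on the outside interface,
#    so its source zone is Outside, as noted in the last answer above.

# 3) Verify the inbound path with packet-tracer (constructed hosts/ports):
> packet-tracer input outside tcp 192.168.50.10 40000 10.10.0.20 443
#    Expect an ACCESS-LIST phase that matches the "VPN-In" rule and a final
#    "Action: allow". A drop here means the Outside->Inside rule is missing.

# 4) Confirm the rules are actually being hit after deployment:
> show access-list | include 192.168.50.0
```

Run the `packet-tracer` in both directions (swap input interface, source and destination) so both rules are exercised before relying on the tunnel in production.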