Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3936
Views
10
Helpful
8
Replies

VTI on FTD

giovanni.augusto
Level 1
Level 1

‎09-12-2019 03:19 PM - edited ‎02-21-2020 09:29 AM

Hi Everyone,

 

I would like to know if it is possible to create a VTI on FTD to peer with cloud infrastructure or with other FTD with a S2S VPN and BGP running on top of it.

 

I know this works currently on ASA code since a long time so I would be very surprised if this was not done already in FTD

 

Thanks!

2 people had this problem
Labels:
0 Helpful
8 Replies 8

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-12-2019 10:49 PM

Sorry but it's not currently possible (as of Firepower 6.4.0.4).

giovanni.augusto
Level 1
Level 1
In response to Marvin Rhoads

‎09-13-2019 03:05 AM

Thank you Marvin,

 

Do you know what is the solution to achieve VPN connectivity with public cloud and run BGP for dynamic routing updates considering on premises FTD as the VPN termination?

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to giovanni.augusto

‎09-13-2019 05:15 AM

You can either peer directly with the FTDv in the cloud using its dataplane interface or else use a CSRv instance.

Both options are shown here:

https://www.youtube.com/watch?v=PsicQ5RyrK8&t=288s

Cisco NGFW in AWS - Part 1: Deploying FMCv and FTDv in AWS (2016)
Cisco NGFW in AWS - Part 1: Deploying FMCv and FTDv in AWS (2016)
youtube.com/watch?v=PsicQ5RyrK8&t=288s
Learn how to install Cisco NGFW protections for your off-premise application workloads. Watch and in-depth video on deploying Firepower Management Center and Firepower Threat Defense NGFW in AWS public cloud environment.
0 Helpful

giovanni.augusto
Level 1
Level 1
In response to Marvin Rhoads

‎09-13-2019 05:48 AM

Thank you!

 

Can I run BGP on top of it?

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to giovanni.augusto

‎09-13-2019 04:19 PM

I'm not sure about your overall configuration. FTD (virtual or physical) supports BGP.

0 Helpful

giovanni.augusto
Level 1
Level 1
In response to Marvin Rhoads

‎09-13-2019 04:44 PM

Thanks Marvin,

 

I currently have ASAs with VTI tunnels to Google GCP exchanging routes in BGP to Google cloud router and at some point I would like to migrate to FTD.

 

With ASA and VTIs is pretty straightforward but still I would like to know if this is a possible scenario and what would it be my BGP local address on FTD since in Google deployment is usually the VTI ip address, and that cannot be configured on FTD

 

Can I ask for a suggestion on how to proceed with FTD in this case? I have been looking at FTD documentation but nothing about this.

 

Thanks

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to giovanni.augusto

‎09-14-2019 01:47 AM

Do you have a Cisco account manager? It may be easiest if they can arrange a consultation with a Cisco Firepower SE or TME.

0 Helpful

robert.humphreys1
Level 1
Level 1

‎01-24-2021 02:04 PM

Not yet tried, but Virtual Tunnel Interfaces (VTI) is now available on FTD 6.7 Cisco Firepower Release Notes, Version 6.7.0 - Features and Functionality [Cisco Firepower Management Center] - Cisco

 

We have been waiting for this feature to use Umbrella and some other cloud hosted services that require VTI. Though Umbrella has options for policy based we would prefer VTI with BGP.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card