san4ez39
Beginner

VPN Site to Site/IPSec from FW1010 to Mikrotik

Hello,

I am wondering if I am able to have a VPN site-to-site connection from a Firepower 1010 to my home Mikrotik.

The configuration that I have in place at site A, where the FW is placed, looks like this:

ISP to Cisco router ISR1101 (without a security license, so I cannot have IPSec there). ISR1101 to FTD1010 Port 1.

On the FTD I have configured the route 0.0.0.0/0 to 192.168.1.1 (this is the router's Vlan1 IP address, configured on Gi0/1/0). FTD interface 1 is routed and has the IP address 192.168.1.2.

My home Mikrotik has a DHCP IP address from the ISP and also has the internal IP address 192.168.1.1.

So I am wondering, because I do not have a license on the router to do IPSec, is it possible to do IPSec to the FTD instead? I made this site-to-site config on the FTD for the moment, which is not finished:

Connection Name: VPN

VPN Access Interface IP: outside (192.168.1.2); this is the FTD interface 1 IP address, the interface connected to the router
Network: MGMT (192.168.5.0/24)

Peer IP Address: here is the IP of my home Mikrotik
Peer Network: VPN (my home IP address range that I receive from the ISP)

IKE Version 2
IKE Policy: aes-sha256-sha256-14
IPSec Proposal: aes-256-sha-256
Authentication Type: Pre-shared Manual Key

IKE Version 1: Disabled

OTHER
NAT Exempt: —
Diffie-Hellman Group: Null (not selected)

Router IP: here is the Cisco router's IP address that it receives from the ISP.


Router config:

boot-start-marker
boot system bootflash:c1100-universalk9_ias.17.03.03.SPA.bin
boot-end-marker
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone GMT 2 0
clock summer-time GMT+2 recurring last Sun Mar 2:00 last Sun Oct 2:00
ip options drop
no ip domain lookup
ip domain lookup source-interface GigabitEthernet0/0/0
login block-for 120 attempts 4 within 120
login on-failure log
login on-success log
subscriber templating
multilink bundle-name authenticated
no device-tracking logging theft
license accept end user agreement
license boot level appxk9
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
memory free low-watermark processor 71858
diagnostic bootup level minimal
spanning-tree extend system-id
redundancy
 mode none
vlan internal allocation policy ascending
interface GigabitEthernet0/0/0
 description ISP1
 ip address dhcp
 ip nat outside
 media-type rj45
 negotiation auto
 no cdp enable
interface GigabitEthernet0/1/0
 description TO FW Port 1
 switchport mode access
interface GigabitEthernet0/1/1
 shutdown
interface GigabitEthernet0/1/2
 shutdown
interface GigabitEthernet0/1/3
 shutdown
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
no ip http server
no ip http secure-server
no ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 192.168.5.0 255.255.255.0 192.168.1.2 name MGMT
ip route 192.168.10.0 255.255.255.0 192.168.1.2 name LAN
ip route 192.168.11.0 255.255.255.0 192.168.1.2 name Kameros
ip route 192.168.200.0 255.255.255.0 192.168.1.2 name Guest
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip ssh rsa keypair-name MGMT
ip ssh version 2
logging trap notifications
logging origin-id hostname
logging facility syslog
ip access-list standard 1
 10 permit 192.168.1.0 0.0.0.255
 20 permit 192.168.10.0 0.0.0.255
 30 permit 192.168.5.0 0.0.0.255
 40 permit 192.168.11.0 0.0.0.255
 50 permit 192.168.200.0 0.0.0.255

Accepted Solutions

Hello,

the sequences in your access list 101 are in the wrong order. Make sure the access list looks EXACTLY like this:

ip access-list extended 101
10 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
40 permit ip 192.168.1.0 0.0.0.255 any
50 permit ip 192.168.10.0 0.0.0.255 any
60 permit ip 192.168.5.0 0.0.0.255 any
70 permit ip 192.168.11.0 0.0.0.255 any
80 permit ip 192.168.200.0 0.0.0.255 any

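Why the order matters: an IOS ACL is evaluated top-down and the first matching entry wins. When this list is the router's NAT source list (the original post uses `ip nat inside source list 1 ...`; that list 101 took over that role is my assumption), a permit entry that precedes the deny for 172.22.10.0/24 means traffic for the Mikrotik LAN is translated to the ISP address instead of being exempted, and it then no longer carries the private source address that the IPsec selectors expect. The Python below is an added example, not tooling from the answer or from Cisco: it parses IOS wildcard-mask entries, evaluates a flow against the list in sequence order, and lints for deny entries that an earlier, broader permit makes unreachable. `CORRECT_ACL` is the list from the answer; `WRONG_ORDER_ACL` and the sample flow are constructed.

```python
import ipaddress
from dataclasses import dataclass

# The list exactly as given in the accepted answer.
CORRECT_ACL = """\
ip access-list extended 101
 10 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
 20 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
 30 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
 40 permit ip 192.168.1.0 0.0.0.255 any
 50 permit ip 192.168.10.0 0.0.0.255 any
 60 permit ip 192.168.5.0 0.0.0.255 any
 70 permit ip 192.168.11.0 0.0.0.255 any
 80 permit ip 192.168.200.0 0.0.0.255 any
"""

# Constructed (not from the thread): the same entries with the broad permits first.
WRONG_ORDER_ACL = """\
ip access-list extended 101
 10 permit ip 192.168.1.0 0.0.0.255 any
 20 permit ip 192.168.10.0 0.0.0.255 any
 30 permit ip 192.168.5.0 0.0.0.255 any
 40 permit ip 192.168.11.0 0.0.0.255 any
 50 permit ip 192.168.200.0 0.0.0.255 any
 60 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
 70 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
 80 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
"""

ALL_ONES = 0xFFFFFFFF
ANY4 = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    seq: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    mask = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _operand(t, i):
    """One address operand starting at token i: 'any', 'host X' or 'ADDR WILDCARD'."""
    if t[i] == "any":
        return ANY4, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return wildcard_to_network(t[i], t[i + 1]), i + 2


def parse_ios_acl(text):
    """Parse numbered 'seq permit|deny ip SRC DST' entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or not t[0].isdigit() or t[1] not in ("permit", "deny"):
            continue
        src, i = _operand(t, 3)  # t[2] is the protocol keyword ("ip")
        dst, _ = _operand(t, i)
        entries.append(Ace(int(t[0]), t[1], src, dst))
    return sorted(entries, key=lambda e: e.seq)


def first_match(entries, src_ip, dst_ip):
    """Top-down, first-match evaluation; None means the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e
    return None


def would_be_natted(acl_text, src_ip, dst_ip):
    """For a NAT source list, a permit match means the flow is translated."""
    e = first_match(parse_ios_acl(acl_text), src_ip, dst_ip)
    return e is not None and e.action == "permit"


def shadowed_denies(acl_text):
    """Sequence numbers of deny entries that an earlier, broader permit makes unreachable."""
    entries = parse_ios_acl(acl_text)
    shadowed = []
    for idx, e in enumerate(entries):
        if e.action != "deny":
            continue
        if any(p.action == "permit" and e.src.subnet_of(p.src) and e.dst.subnet_of(p.dst)
               for p in entries[:idx]):
            shadowed.append(e.seq)
    return shadowed


if __name__ == "__main__":
    flow = ("192.168.5.10", "172.22.10.20")  # constructed: MGMT host -> Mikrotik LAN host
    print("correct order, translated?", would_be_natted(CORRECT_ACL, *flow))
    print("wrong order, translated?  ", would_be_natted(WRONG_ORDER_ACL, *flow))
    print("shadowed denies in wrong order:", shadowed_denies(WRONG_ORDER_ACL))
```

Run against the answer's list, a MGMT host talking to the Mikrotik LAN hits the deny at sequence 10 and is left untranslated, while the same host talking to the Internet still falls through to the permit at 60. With the permits first, all three deny entries are reported as shadowed, which is the condition the lint is meant to catch before the list is applied.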

Georg Pauwen
VIP Expert

Hello,

good question. I have never tried this...

With the Mikrotik side configured as well, what is the result when you set the Mikrotik's IP address as the remote IP address on the FTD?

Hi,

I will have time to configure the Mikrotik today, but I will have access to the FTD only on Monday.

Also, from the FTD side there is no option to set this configuration:

Authentication Type: Pre-shared Manual Key

There is no option to enter a manual key. So even if I configure the Mikrotik today, there will be no connection, as there is no manual key that the FTD would accept.

Hello,

not sure if this is FTD version dependent, but in the screenshot below, you can manually enter the preshared key...

Hi,

sorry for the very late feedback.

I actually was able to make the connection. I do not know why, but I was able to make it only when, in the Mikrotik IPSec Policies tab, under this connection, I changed Src Address to 0.0.0.0/0; Dst Address was MGMT (192.168.5.0/24), as in the FW config. Why only this configuration works, I have no idea.

Meanwhile, I am having issues reaching/pinging/tracerouting basically anything on the remote side. But I suspect it is the ASA here, or routes in the Mikrotik.

And yes, your picture was correct, thank you.

Hello,

looks like you are making progress. Do you have the ASA config as well?

It is the same config from my first post here. I do suspect that I need to make a few allow rules there and some additional configuration on the Mikrotik side.

Hello,

it is not really clear from your initial post what you have configured on the FTD. Can you post the output of 'show running-config' from the FTD?

Hi,

I have this config on the FTD:


NGFW Version 6.6.4
!
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
!
interface Vlan1
 shutdown
 nameif inside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1/1
 no switchport
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1/2
 no switchport
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/2.5
 vlan 5
 nameif mgmt
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.5.254 255.255.255.0
!
interface Ethernet1/2.10
 vlan 10
 nameif lan
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet1/2.11
 vlan 11
 nameif kameros
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.11.254 255.255.255.0
!
interface Ethernet1/2.200
 vlan 200
 nameif guest
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.200.254 255.255.255.0
!
interface Ethernet1/3
 switchport
 shutdown
!
interface Ethernet1/4
 switchport
 shutdown
!
interface Ethernet1/5
 switchport
 shutdown
!
interface Ethernet1/6
 switchport
 shutdown
!
interface Ethernet1/7
 switchport
 power inline auto
 shutdown
!
interface Ethernet1/8
 switchport
 power inline auto
 shutdown
!
interface Management1/1
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup outside
dns domain-lookup mgmt
dns domain-lookup lan
dns domain-lookup kameros
dns domain-lookup guest
dns domain-lookup diagnostic
dns server-group CiscoUmbrellaDNSServerGroup
 name-server 208.67.222.222
 name-server 208.67.220.220
dns server-group TeliaDNS
 name-server 212.59.8.18
 name-server 212.59.8.19
dns-group TeliaDNS
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network any-ipv6
 subnet ::/0
object network MGMT
 subnet 192.168.5.0 255.255.255.0
object network LAN
 subnet 192.168.10.0 255.255.255.0
object network Guest
 subnet 192.168.200.0 255.255.255.0
object network Kameros
 subnet 192.168.11.0 255.255.255.0
object network router
 host 192.168.1.3
object network VPN
 subnet 78.62.135.0 255.255.255.0
object network VPNnetwork
 subnet 192.168.1.0 255.255.255.0
object-group service |acSvcg-268435461
 service-object ip
object-group service |acSvcg-268435462
 service-object ip
object-group service |acSvcg-268435463
 service-object ip
object-group service |acSvcg-268435466
 service-object ip
object-group network |acSrcNwg-268435466
 network-object object Kameros
 network-object object LAN
 network-object object MGMT
object-group service |acSvcg-268435464
 service-object ip
object-group network |acSrcNwg-268435464
 network-object object Guest
 network-object object Kameros
 network-object object LAN
 network-object object MGMT
object-group service |acSvcg-268435458
 service-object ip
object-group network |acDestNwg-268435458
 network-object object Kameros
 network-object object MGMT
object-group service |acSvcg-268435467
 service-object ip
object-group network |acSrcNwg-268435467
 network-object object Guest
 network-object object Kameros
 network-object object LAN
 network-object object MGMT
object-group network |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
 network-object object MGMT
object-group service |acSvcg-268435459
 service-object ip
object-group network |acSrcNwg-268435459
 network-object object Kameros
 network-object object MGMT
object-group network |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
 network-object object any-ipv4
object-group service |acSvcg-268435457
 service-object ip
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: Guest - Kameros - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435461 ifc guest object Guest ifc kameros object Kameros rule-id 268435461 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: Guest - LAN - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435462 ifc guest object Guest ifc lan object LAN rule-id 268435462 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Guest - MGMT - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435463 ifc guest object Guest ifc mgmt object MGMT rule-id 268435463 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435466: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435466: L5 RULE: LAN - Guest - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435466 ifc kameros object-group |acSrcNwg-268435466 ifc guest object Guest rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435466 ifc lan object-group |acSrcNwg-268435466 ifc guest object Guest rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435466 ifc mgmt object-group |acSrcNwg-268435466 ifc guest object Guest rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L7 RULE: LAN - WAN - Block
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc guest object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc kameros object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc lan object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc mgmt object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: LAN - MGMT - Kameros
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc lan object LAN ifc kameros object-group |acDestNwg-268435458 rule-id 268435458 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc lan object LAN ifc mgmt object-group |acDestNwg-268435458 rule-id 268435458 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Kameros - MGMT - LAN
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc kameros object-group |acSrcNwg-268435459 ifc lan object LAN rule-id 268435459
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc mgmt object-group |acSrcNwg-268435459 ifc lan object LAN rule-id 268435459
access-list NGFW_ONBOX_ACL remark rule-id 268435467: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435467: L7 RULE: WAN - Allow
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc guest object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc kameros object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc lan object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc mgmt object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: vpn
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc guest any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc kameros any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc lan any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc mgmt any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc outside any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 event-log both
access-list |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f extended permit ip object-group |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f object-group |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
mtu lan 1500
mtu kameros 1500
mtu guest 1500
mtu diagnostic 1500
no failover
no monitor-interface outside
no monitor-interface mgmt
no monitor-interface lan
no monitor-interface kameros
no monitor-interface guest
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
http ::/0 inside
http 192.168.10.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 inside
ip-client diagnostic
ip-client diagnostic ipv6
ip-client inside
ip-client inside ipv6
ip-client mgmt
ip-client mgmt ipv6
ip-client lan
ip-client lan ipv6
ip-client kameros
ip-client kameros ipv6
ip-client guest
ip-client guest ipv6
ip-client outside
ip-client outside ipv6
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal Mikrotik-IPSEC
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f
crypto map s2sCryptoMap 1 set peer 78.62.135.52
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal Mikrotik-IPSEC
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 150
 authentication rsa-sig
 encryption des
 hash sha
 group 14
 lifetime 86400
crypto ikev1 policy 160
 authentication pre-share
 encryption des
 hash sha
 group 14
 lifetime 86400
telnet timeout 5
console timeout 0
dhcpd dns 212.59.8.18 212.59.8.19
!
dhcpd address 192.168.5.50-192.168.5.90 mgmt
dhcpd enable mgmt
!
dhcpd address 192.168.10.1-192.168.10.250 lan
dhcpd enable lan
!
dhcpd address 192.168.11.1-192.168.11.250 kameros
dhcpd enable kameros
!
dhcpd address 192.168.200.1-192.168.200.250 guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls none
group-policy |s2sGP|78.62.135.52 internal
group-policy |s2sGP|78.62.135.52 attributes
 vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 78.62.135.52 type ipsec-l2l
tunnel-group 78.62.135.52 general-attributes
 default-group-policy |s2sGP|78.62.135.52
tunnel-group 78.62.135.52 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
class-map class_snmp
 match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect snmp
  inspect xdmcp
 class class_snmp
  inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
app-agent heartbeat interval 1000 retry-count 3
snort preserve-connection
Cryptochecksum:eb1f599597de7afd85462325c344acbb
: end


Mikrotik:

/ip ipsec active-peers> print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS
0 R 192.168.1.2 established 5d24m31s 1 82.135.241.34

/ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 R name="Kalv ASA" address=82.135.241.34/32 local-address=78.62.135.52 passive=yes profile=Kalv ASA exchange-mode=ike2 send-initial-contact=no

/ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * ::/0 ::/0 all
2 A Kalv ASA yes 0.0.0.0/0 192.168.5.0/24 all encrypt require 1
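The poster found that only a Mikrotik policy with Src Address 0.0.0.0/0 brought the tunnel up. That follows from the FTD config above: the crypto ACL's destination group |s2sAclDestNwgV4| contains any-ipv4, so the FTD's selector is 192.168.5.0/24 -> 0.0.0.0/0, and its exact mirror on the Mikrotik is 0.0.0.0/0 -> 192.168.5.0/24. The same breadth is worth noticing from a defender's side: with a crypto map, every packet leaving 192.168.5.0/24 toward the outside interface matches that ACL, not only traffic for the Mikrotik LAN, and the usual fix is to narrow the destination to the remote subnet on both peers. The Python script below is an added example, not part of the thread and not Cisco or Mikrotik code: it resolves the FTD object-groups into (local, remote) selector pairs, pulls the IPv4 selectors out of the `/ip ipsec policy print` output, and reports every FTD selector that has no exact mirror on the far side, distinguishing a merely narrower far-side policy from a missing one. The FTD excerpt and `MIKROTIK_WORKING` are copied from this thread; `MIKROTIK_LAN_ONLY` (172.22.10.0/24 as source) is constructed, and nested object-groups are assumed absent.

```python
import ipaddress
import re

# Excerpt copied from the FTD running-config in this thread: the objects,
# object-groups and crypto ACL that define the tunnel's interesting traffic.
FTD_CONFIG = """\
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network MGMT
 subnet 192.168.5.0 255.255.255.0
object-group network |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
 network-object object MGMT
object-group network |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
 network-object object any-ipv4
access-list |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f extended permit ip object-group |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f object-group |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
"""
ACL_NAME = "|s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f"

# Mikrotik "/ip ipsec policy print" output as posted (the policy that worked).
MIKROTIK_WORKING = """\
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 # PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
 0 T * ::/0 ::/0 all
 2 A Kalv ASA yes 0.0.0.0/0 192.168.5.0/24 all encrypt require 1
"""

# Constructed variant (not from the thread): the Mikrotik LAN as source.
MIKROTIK_LAN_ONLY = """\
 2 A Kalv ASA yes 172.22.10.0/24 192.168.5.0/24 all encrypt require 1
"""

ANY4 = ipaddress.IPv4Network("0.0.0.0/0")


def parse_ftd_objects(text):
    """Collect 'object network' subnets/hosts and 'object-group network' members (IPv4 only)."""
    objects, groups, current = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            current = ("obj", t[2])
        elif t[:2] == ["object-group", "network"]:
            current = ("grp", t[2])
            groups[t[2]] = []
        elif current and current[0] == "obj" and t[0] == "subnet" and ":" not in t[1]:
            objects[current[1]] = ipaddress.IPv4Network((t[1], t[2]))
        elif current and current[0] == "obj" and t[0] == "host":
            objects[current[1]] = ipaddress.IPv4Network(t[1] + "/32")
        elif current and current[0] == "grp" and t[:2] == ["network-object", "object"]:
            groups[current[1]].append(t[2])
    return objects, groups


def _side(t, i, objects, groups):
    """Resolve one ACL address operand starting at token i; return (networks, next index)."""
    kw = t[i]
    if kw in ("any", "any4"):
        return [ANY4], i + 1
    if kw == "host":
        return [ipaddress.IPv4Network(t[i + 1] + "/32")], i + 2
    if kw == "object":
        return [objects[t[i + 1]]], i + 2
    if kw == "object-group":
        return [objects[name] for name in groups[t[i + 1]]], i + 2
    return [ipaddress.IPv4Network((kw, t[i + 1]))], i + 2  # literal "A.B.C.D MASK"


def ftd_crypto_selectors(text, acl_name):
    """Expand the crypto ACL into (local, remote) IPv4 network pairs."""
    objects, groups = parse_ftd_objects(text)
    pairs = []
    for line in text.splitlines():
        t = line.split()
        if t[:2] != ["access-list", acl_name] or "permit" not in t:
            continue
        i = t.index("permit") + 2  # skip the protocol keyword ("ip")
        srcs, i = _side(t, i, objects, groups)
        dsts, i = _side(t, i, objects, groups)
        pairs += [(s, d) for s in srcs for d in dsts]
    return pairs


CIDR4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")


def mikrotik_selectors(text):
    """(src, dst) of every 'encrypt' policy row; template and IPv6 rows carry no IPv4 CIDR."""
    pairs = []
    for line in text.splitlines():
        nets = CIDR4.findall(line)
        if len(nets) == 2 and "encrypt" in line:
            pairs.append((ipaddress.IPv4Network(nets[0]), ipaddress.IPv4Network(nets[1])))
    return pairs


def mirror_check(ftd_pairs, mikrotik_pairs):
    """FTD selectors without an exact (dst, src) mirror on the Mikrotik.

    Each entry is (local, remote, verdict): 'narrower' when a Mikrotik policy
    covers only a subset of the FTD selector, 'missing' otherwise."""
    report = []
    for s, d in ftd_pairs:
        if any(ms == d and md == s for ms, md in mikrotik_pairs):
            continue
        narrower = any(ms.subnet_of(d) and md.subnet_of(s) for ms, md in mikrotik_pairs)
        report.append((str(s), str(d), "narrower" if narrower else "missing"))
    return report


if __name__ == "__main__":
    ftd = ftd_crypto_selectors(FTD_CONFIG, ACL_NAME)
    print("FTD selectors:", [(str(s), str(d)) for s, d in ftd])
    print("working policy:", mirror_check(ftd, mikrotik_selectors(MIKROTIK_WORKING)))
    print("LAN-only policy:", mirror_check(ftd, mikrotik_selectors(MIKROTIK_LAN_ONLY)))
```

The working policy produces an empty report; the LAN-only variant is reported as "narrower", which is the mismatch the poster was fighting. Whether a peer accepts a narrower selector depends on its IKEv2 traffic-selector handling, so the exact mirror is the configuration to aim for, and narrowing should be done on both sides at once.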

Hello,

this is your interesting traffic:

access-list |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f extended permit ip object-group |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f object-group |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f

I can at the very least not find 'network-object object any-ipv4'. You might want to change the access lists and VPN object groups to something more descriptive, as it is now very difficult to see what is what.

Either way, what are the source and destination IP subnets on both sides?

From Mikrotik: 172.22.10.0/24

To FTD: I set the MGMT network; I mean I hoped that I would be able to reach devices in that network (192.168.5.0/24).

Hello,

I don't see anything on the FTD matching the Mikrotik network, 172.22.10.0/24. Which object is supposed to represent this subnet?

On the FTD, I had this added. But after that, I had to change the Mikrotik network and I did not make the changes on the FTD. So I will change this object to match 172.22.10.0/24:

object network VPNnetwork
 subnet 192.168.1.0 255.255.255.0


Hi,

I think I will drop this one, because I cannot make a normal connection to the FTD and I actually do not know where I have actually been connecting (FTD or router, because I tried to make IPSec to the router before that).

So thank you for your help. The general idea, I think, was very opportunistic. So I will try to make IPSec between the Mikrotik and the Cisco router.

Hello,

FTD/ASA or IOS router should not really matter, as the settings are very similar.