
VPN Site to Site/IPSec from FW1010 to Mikrotik


I am wondering if I am able to have a VPN site-to-site connection from a Firepower 1010 to my home Mikrotik.

The configuration that I have in place A, where the FW is placed, looks like this:

ISP to Cisco router ISR1101 (without security license, so I cannot have IPSec there). ISR1101 to FTD1010 Port1.

On the FTD I have configured a route to (this is the router's Vlan1 IP address that is configured on Gi0/1/0). FTD interface 1 is routed and has an IP address.


My home Mikrotik has a DHCP IP address from the ISP and also has an internal IP address.


So I am wondering, because I do not have a license for the router to make IPSec, is it possible to make IPSec to the FTD instead? I made this site-to-site config on the FTD for the moment, which is not finished:


Connection Name: VPN


VPN Access Interface IP: outside ( this is the FTD interface 1 IP address, the interface connected to the router

Network: MGMT(


Peer IP Address: here is the IP of my home Mikrotik

Peer Network: VPN (my home IP address range that I receive from the ISP)


IKE Version 2

IKE Policy: aes-sha256-sha256-14

IPSec Proposal: aes-256-sha-256

Authentication Type: Pre-shared Manual Key


IKE Version 1: Disabled



NAT Exempt: —


Diffie-Hellman Group: Null (not selected)


Router IP: here is the Cisco router's IP address that it receives from the ISP.


Router config:


boot system bootflash:c1100-universalk9_ias.17.03.03.SPA.bin
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone GMT 2 0
clock summer-time GMT+2 recurring last Sun Mar 2:00 last Sun Oct 2:00
ip options drop
no ip domain lookup
ip domain lookup source-interface GigabitEthernet0/0/0
login block-for 120 attempts 4 within 120
login on-failure log
login on-success log
subscriber templating
multilink bundle-name authenticated
no device-tracking logging theft
license accept end user agreement
license boot level appxk9
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
memory free low-watermark processor 71858
diagnostic bootup level minimal
spanning-tree extend system-id
 mode none
vlan internal allocation policy ascending
interface GigabitEthernet0/0/0
 description ISP1
 ip address dhcp
 ip nat outside
 media-type rj45
 negotiation auto
 no cdp enable
interface GigabitEthernet0/1/0
 description TO FW Port 1
 switchport mode access
interface GigabitEthernet0/1/1
interface GigabitEthernet0/1/2
interface GigabitEthernet0/1/3
interface Vlan1
 description LAN
 ip address
 ip nat inside
no ip http server
no ip http secure-server
no ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route name MGMT
ip route name LAN
ip route name Kameros
ip route name Guest
ip route GigabitEthernet0/0/0 dhcp
ip ssh rsa keypair-name MGMT
ip ssh version 2
logging trap notifications
logging origin-id hostname
logging facility syslog
ip access-list standard 1
 10 permit
 20 permit
 30 permit
 40 permit
 50 permit


Accepted Solutions



The sequences in your access list 101 are in the wrong order. Make sure the access list looks EXACTLY like this:


ip access-list extended 101
10 deny ip
20 deny ip
30 deny ip
40 permit ip any
50 permit ip any
60 permit ip any
70 permit ip any
80 permit ip any


Georg Pauwen
VIP Expert



Good question. I have never tried this...


With the Mikrotik side configured as well, what is the result when you set the Mikrotik's IP address as the remote IP address on the FTD?



I will have time to configure the Mikrotik today, but I will have access to the FTD only on Monday.

Also, from the FTD side there is no option to set this configuration:

Authentication Type: Pre-shared Manual Key

There is no option to enter a manual key. So even if I configure the Mikrotik today, there will be no connection, as there is no manual key that the FTD would accept.



Not sure if this is FTD version dependent, but in the screenshot below, you can manually enter the preshared key...


Sorry for the very late feedback.


I actually was able to make the connection. I do not know why, but I was able to make it only when, in the Mikrotik IPSec Policies tab, under this connection, I changed Src Address to - Dst Address was MGMT( as in the FW config. Why only this configuration works - I have no idea.


Meanwhile, I am having issues reaching/pinging/tracerouting basically anything on the remote side. But I suspect it is the ASA here or the routes in the Mikrotik.


And yes, your picture was correct, thank you.



Looks like you are making progress. Do you have the ASA config as well?

It is the same config from my first post here. I do suspect that I need to make a few allow rules there and some additional configuration on the Mikrotik side.



It is not really clear from your initial post what you have configured on the FTD. Can you post the output of 'show running-config' from the FTD?



I have this config on the FTD:


NGFW Version 6.6.4
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
no mac-address auto
interface Vlan1
 nameif inside
 security-level 0
 ip address
interface Ethernet1/1
 no switchport
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address
interface Ethernet1/2
 no switchport
 no nameif
 no security-level
 no ip address
interface Ethernet1/2.5
 vlan 5
 nameif mgmt
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address
interface Ethernet1/2.10
 vlan 10
 nameif lan
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address
interface Ethernet1/2.11
 vlan 11
 nameif kameros
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address
interface Ethernet1/2.200
 vlan 200
 nameif guest
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address
interface Ethernet1/3
interface Ethernet1/4
interface Ethernet1/5
interface Ethernet1/6
interface Ethernet1/7
 power inline auto
interface Ethernet1/8
 power inline auto
interface Management1/1
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup outside
dns domain-lookup mgmt
dns domain-lookup lan
dns domain-lookup kameros
dns domain-lookup guest
dns domain-lookup diagnostic
dns server-group CiscoUmbrellaDNSServerGroup
dns server-group TeliaDNS
dns-group TeliaDNS
object network any-ipv4
object network any-ipv6
 subnet ::/0
object network MGMT
object network LAN
object network Guest
object network Kameros
object network router
object network VPN
object network VPNnetwork
object-group service |acSvcg-268435461
 service-object ip
object-group service |acSvcg-268435462
 service-object ip
object-group service |acSvcg-268435463
 service-object ip
object-group service |acSvcg-268435466
 service-object ip
object-group network |acSrcNwg-268435466
 network-object object Kameros
 network-object object LAN
 network-object object MGMT
object-group service |acSvcg-268435464
 service-object ip
object-group network |acSrcNwg-268435464
 network-object object Guest
 network-object object Kameros
 network-object object LAN
 network-object object MGMT
object-group service |acSvcg-268435458
 service-object ip
object-group network |acDestNwg-268435458
 network-object object Kameros
 network-object object MGMT
object-group service |acSvcg-268435467
 service-object ip
object-group network |acSrcNwg-268435467
 network-object object Guest
 network-object object Kameros
 network-object object LAN
 network-object object MGMT
object-group network |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
 network-object object MGMT
object-group service |acSvcg-268435459
 service-object ip
object-group network |acSrcNwg-268435459
 network-object object Kameros
 network-object object MGMT
object-group network |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
 network-object object any-ipv4
object-group service |acSvcg-268435457
 service-object ip
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: Guest - Kameros - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435461 ifc guest object Guest ifc kameros object Kameros rule-id 268435461 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: Guest - LAN - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435462 ifc guest object Guest ifc lan object LAN rule-id 268435462 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Guest - MGMT - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435463 ifc guest object Guest ifc mgmt object MGMT rule-id 268435463 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435466: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435466: L5 RULE: LAN - Guest - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435466 ifc kameros object-group |acSrcNwg-268435466 ifc guest object Guest rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435466 ifc lan object-group |acSrcNwg-268435466 ifc guest object Guest rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435466 ifc mgmt object-group |acSrcNwg-268435466 ifc guest object Guest rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L7 RULE: LAN - WAN - Block
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc guest object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc kameros object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc lan object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc mgmt object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: LAN - MGMT - Kameros
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc lan object LAN ifc kameros object-group |acDestNwg-268435458 rule-id 268435458 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc lan object LAN ifc mgmt object-group |acDestNwg-268435458 rule-id 268435458 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Kameros - MGMT - LAN
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc kameros object-group |acSrcNwg-268435459 ifc lan object LAN rule-id 268435459
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc mgmt object-group |acSrcNwg-268435459 ifc lan object LAN rule-id 268435459
access-list NGFW_ONBOX_ACL remark rule-id 268435467: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435467: L7 RULE: WAN - Allow
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc guest object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc kameros object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc lan object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc mgmt object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: vpn
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc guest any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc kameros any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc lan any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc mgmt any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc outside any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 event-log both
access-list |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f extended permit ip object-group |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f object-group |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
mtu lan 1500
mtu kameros 1500
mtu guest 1500
mtu diagnostic 1500
no failover
no monitor-interface outside
no monitor-interface mgmt
no monitor-interface lan
no monitor-interface kameros
no monitor-interface guest
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group NGFW_ONBOX_ACL global
route outside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http inside
http ::/0 inside
http inside
http inside
ip-client diagnostic
ip-client diagnostic ipv6
ip-client inside
ip-client inside ipv6
ip-client mgmt
ip-client mgmt ipv6
ip-client lan
ip-client lan ipv6
ip-client kameros
ip-client kameros ipv6
ip-client guest
ip-client guest ipv6
ip-client outside
ip-client outside ipv6
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal Mikrotik-IPSEC
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f
crypto map s2sCryptoMap 1 set peer
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal Mikrotik-IPSEC
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 150
 authentication rsa-sig
 encryption des
 hash sha
 group 14
 lifetime 86400
crypto ikev1 policy 160
 authentication pre-share
 encryption des
 hash sha
 group 14
 lifetime 86400
telnet timeout 5
console timeout 0
dhcpd dns
dhcpd address mgmt
dhcpd enable mgmt
dhcpd address lan
dhcpd enable lan
dhcpd address kameros
dhcpd enable kameros
dhcpd address guest
dhcpd enable guest
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
  anyconnect ssl dtls none
group-policy |s2sGP| internal
group-policy |s2sGP| attributes
 vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy |s2sGP|
tunnel-group ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
class-map class_snmp
 match port udp eq 4161
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect snmp
  inspect xdmcp
 class class_snmp
  inspect snmp
service-policy global_policy global
prompt hostname context
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
app-agent heartbeat interval 1000 retry-count 3
snort preserve-connection
: end



/ip ipsec active-peers> print
Flags: R - responder, N - natt-peer
0 R established 5d24m31s 1


/ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 R name="Kalv ASA" address= local-address= passive=yes profile=Kalv ASA exchange-mode=ike2 send-initial-contact=no


/ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * ::/0 ::/0 all
2 A Kalv ASA yes all encrypt require 1



This is your interesting traffic:


access-list |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f extended permit ip object-group |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f object-group |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f


At the very least, I cannot find 'network-object object any-ipv4'. You might want to change the access lists and VPN object groups to something more descriptive, as it is now very difficult to see what is what.


Either way, what are the source and destination IP subnets on both sides?
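Added example, not code from the thread or from Cisco/Mikrotik: a small Python check of whether the two sides' traffic selectors mirror each other, which is what the question about source and destination subnets comes down to. The FTD side is modelled from the crypto-map ACL above (source object-group MGMT, destination object-group any-ipv4) and the Mikrotik side from its policy src-address/dst-address; the subnets are constructed placeholders because the thread does not show the real ones, and the "narrowable" verdict assumes both peers negotiate IKEv2 traffic-selector narrowing.

```python
import ipaddress

# Constructed placeholder subnets; the thread does not show the real addresses.
MGMT_NET = "10.10.10.0/24"    # assumed value of FTD "object network MGMT"
HOME_NET = "192.168.88.0/24"  # assumed Mikrotik LAN behind the home router

# FTD side, modelled from the crypto-map ACL |s2sAcl|...: permit ip MGMT -> any-ipv4
FTD_SELECTORS = [(MGMT_NET, "0.0.0.0/0")]
# Mikrotik side, modelled from /ip ipsec policy: src-address=HOME_NET dst-address=MGMT_NET
MIKROTIK_SELECTORS = [(HOME_NET, MGMT_NET)]


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def selector_status(local, remote):
    """Relate one remote (src, dst) pair to one local (src, dst) pair.

    'exact'      remote is the mirror image of local (what IKEv1 requires)
    'narrowable' one side fits inside the mirror of the other (IKEv2 may narrow)
    'mismatch'   no mirrored overlap, so no child SA can come up for this pair
    """
    l_src, l_dst = _net(local[0]), _net(local[1])
    r_src, r_dst = _net(remote[0]), _net(remote[1])
    if r_src == l_dst and r_dst == l_src:
        return "exact"
    if r_src.subnet_of(l_dst) and r_dst.subnet_of(l_src):
        return "narrowable"
    if l_dst.subnet_of(r_src) and l_src.subnet_of(r_dst):
        return "narrowable"
    return "mismatch"


def check_tunnel(local_selectors, remote_selectors, ike_version=2):
    """Return (all_ok, report); report lists (local_pair, best_status, accepted)."""
    report, all_ok = [], True
    for local in local_selectors:
        best = "mismatch"
        for remote in remote_selectors:
            status = selector_status(local, remote)
            if status == "exact":
                best = status
                break
            if status == "narrowable":
                best = status
        # IKEv1 needs an exact mirror; IKEv2 can also settle on a narrowed selector.
        accepted = best == "exact" or (best == "narrowable" and ike_version == 2)
        all_ok = all_ok and accepted
        report.append((local, best, accepted))
    return all_ok, report


if __name__ == "__main__":
    for version in (2, 1):
        ok, report = check_tunnel(FTD_SELECTORS, MIKROTIK_SELECTORS, version)
        print(f"IKEv{version}: tunnel selectors {'OK' if ok else 'NOT OK'}")
        for local, best, accepted in report:
            verdict = "accepted" if accepted else "rejected"
            print(f"  FTD {local[0]} -> {local[1]}: {best} ({verdict})")
```

With the FTD destination left as any-ipv4, the pair only works by narrowing; replacing any-ipv4 with an object holding the Mikrotik subnet turns it into an exact mirror, which is the form that is easiest to read and works with either IKE version.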

From Mikrotik -

To FTD - I set the MGMT network, I mean I hoped that I would be able to reach devices in that network (



I don't see anything on the FTD matching the Mikrotik network, ? Which object is supposed to represent this subnet?

From the FTD, I had this added. But after that, I had to change the Mikrotik network and I did not make the changes in the FTD. So I will change this object to match.


object network VPNnetwork






I think I will drop this one, because I cannot make a normal connection to the FTD and I actually do not know where I have actually been connecting (FTD or router, because I tried to make IPSec to the router before that).

So thank you for your help. The general idea, I think, was very opportunistic. So I will try to make IPSec between the Mikrotik and the Cisco router.



FTD/ASA or IOS router should not really matter, as the settings are very similar.