cisco firepower 1120 site to site VPN

gogi99
Level 1

My company has a Cisco Firepower 1120. On this device the RA VPN is configured on the outside interface with Cisco AnyConnect. I want to configure the site-to-site VPN on the outside interface. Can both services be configured on the outside interface and run simultaneously, both at the same time?

3 Accepted Solutions

@gogi99 on FTD Site-to-Site VPN is included in the base/essentials license (so nothing to purchase), you need the export controlled features (strong encryption) - if not already enabled.

AnyConnect needs a license.

Site to site does not need any license.

MHM

@gogi99 so why are you asking whether it is necessary to create rules related to the site to site VPN and DMZ zone?

If you don't need to access the DMZ directly over the VPN, then you don't need to configure anything.

16 Replies

@gogi99 yes, you can run Remote Access and Site to Site VPN on the Firepower 1120 at the same time, no problem, regardless of whether you are using the FTD or ASA software image on the hardware.

Bear in mind you will need the appropriate licensing in order to run the RAVPN.

I need a licence for the site-to-site VPN. I have a licence for RAVPN?

@gogi99 you will need to purchase Secure Client/AnyConnect VPN licenses. You will also need to enable the export controlled features (strong encryption). https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/licensing_the_firepower_system.pdf

I have licences purchased and activated for AnyConnect VPN. My question is about the licence for the site-to-site VPN.

Sorry, one more question. My company also has the DMZ zone (mail server, web server...) on the Firepower 1120. Can we use the RA VPN, the site-to-site VPN and the DMZ zone at the same time on the Firepower 1120?

@gogi99 yes, you will just need some NAT rules for the mail/web servers in the DMZ and associated access control rules to permit the traffic.

NAT rules and an access-rules list are currently configured on my Firepower 1120.

@gogi99 Yes, you can use RA VPN, the site-to-site VPN and the DMZ zone at the same time on the Firepower 1120.

Some additional rules?

@gogi99 you will need rules to permit the traffic to the DMZ server if you do not already have the rules in place.

I have created rules to permit the traffic to the DMZ from the internet and from the DMZ to the local LAN. Is it necessary to create rules related to the site-to-site VPN and DMZ zone?

@gogi99 if you need access to the DMZ from over the Site-to-Site VPN. If so, then amend the VPN configuration to include the DMZ networks in the VPN, create NAT exemption rules and configure access rules from the S2S VPN networks to the DMZ servers.
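
The three steps in the reply above, as an added example in ASA CLI syntax; this is not configuration from this thread, and on the FTD image the same objects, NAT exemption and access rules are created through FMC/FDM rather than typed at the CLI. The interface names, addresses and object names are assumptions.

```cisco
! Added example in ASA CLI syntax, not configuration from this thread.
! Assumed (placeholder) addresses and object names:
!   local LAN 10.1.0.0/24 on "inside", DMZ 10.2.0.0/24 on "dmz",
!   remote site 192.168.50.0/24, DMZ mail server 10.2.0.10.
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.255.0
object network LOCAL-DMZ
 subnet 10.2.0.0 255.255.255.0
 ! Ordinary internet PAT for the DMZ (object NAT, section 2) stays in place.
 nat (dmz,outside) dynamic interface
object network REMOTE-LAN
 subnet 192.168.50.0 255.255.255.0
object network DMZ-MAIL
 host 10.2.0.10
!
! Step 1: include the DMZ network in the protected networks (crypto ACL).
! Without the second line, DMZ-to-remote traffic is never selected for the tunnel.
access-list S2S-VPN-TRAFFIC extended permit ip object LOCAL-LAN object REMOTE-LAN
access-list S2S-VPN-TRAFFIC extended permit ip object LOCAL-DMZ object REMOTE-LAN
!
! Step 2: NAT exemption (identity twice NAT, section 1, evaluated before the
! PAT rule above) so VPN-bound traffic keeps its private source address.
! Without it the DMZ PAT rule rewrites the source to the outside address,
! the crypto ACL no longer matches, and the traffic is routed to the
! internet unencrypted instead of into the tunnel.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (dmz,outside) source static LOCAL-DMZ LOCAL-DMZ destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Step 3: access rules. Decrypted VPN traffic bypasses interface ACLs by
! default on ASA (sysopt connection permit-vpn); disable that bypass so the
! rule below applies, then permit only the service the remote site needs.
! (If an ACL is already bound to "outside", add the permit line to that ACL
! instead of binding a new one.)
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit tcp object REMOTE-LAN object DMZ-MAIL eq smtp
access-group OUTSIDE-IN in interface outside
```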

No, the DMZ zone just has to go to the internet, not over the site-to-site VPN. I use the site-to-site VPN for the local LAN.