06-25-2024 07:28 AM - edited 06-25-2024 08:57 AM
A few questions. I have a simple setup for FTD managed via FMC.
FMC/Internal network >>>>> FTD/Outside int >>>>ISP/Internet>>>>>>><<<<<<<<FW/Peer Tunnel Device<<<<Internal Network
I see in this doc https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/216276-configure-route-based-site-to-site-vpn-t.html that only BGP or static routing is supported over VTI?
If we have public IPs available to use, would it be better to use a public IP for the VTI or a private one? I was just going to use a private IP from an internal block that is already NATted and/or create a NAT statement for it.
Not as familiar with FTD. I would just create a statement to reach the Peer Device and/or internal network pointing to the IPsec tunnel, correct?
06-25-2024 07:34 AM
@CiscoPurpleBelt you can use a private IP address or "borrow" the IP address from another interface, I would personally use a private IP address for the tunnel IP address.
If using 7.3 or newer you can use a dedicated loopback interface. https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface
06-25-2024 07:52 AM
@CiscoPurpleBelt, adding to @Rob Ingram post: EIGRP and OSPF over VTI are supported as of 7.3.
06-25-2024 09:12 AM
Ok yeah, only at 7. right now.
When just creating a VTI in general, I would choose the Outside interface Security Zone, correct? In the settings for IPsec Tunnel Mode in Add Virtual Tunnel Interface, is that where I enter the private IP I would like to use?
06-25-2024 09:23 AM
@CiscoPurpleBelt the tunnel source would be the outside interface public IP. In the "IP address" section is where you define the tunnel IP, use either "Configure IP" to manually define the tunnel IP or select "Borrow IP (IP unnumbered)" to use the IP address of the loopback.
Refer to the "Adding a Static Virtual Tunnel Interface (on all the spokes)" section - https://secure.cisco.com/secure-firewall/v7.3/docs/dynamic-virtual-template-interface-dvti
06-25-2024 07:42 AM
There is no rule; you can use a public or private IP, but
1- Using a private IP from a subnet used in NAT: I don't think FTD accepts that.
2- Using a public IP can conflict with the router connected to the internet; the public IP needs to be ordered from the ISP, otherwise it leads to routing issues.
VTI needs a unique private or public IP.
MHM
06-25-2024 09:02 AM
Hi, yes, the public IP would be from a public block already assigned by the ISP.
Are you suggesting just creating a private IP from a subnet that is not currently used, if I were to use a private IP for the VTI?
06-25-2024 09:12 AM
@CiscoPurpleBelt yes, you can use any unused private IP address. Assigned to the tunnel interface, or use the loopback (if 7.3 or higher) and borrow the IP address of the loopback.
06-25-2024 09:48 AM
Ok yeah, I'm still on 7.0.6, so I will just create a VTI; its source will be the Outside interface, and I will assign the tunnel mode IP using an unused IP from an existing internal private subnet which already has NAT statements created.
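A small pre-check for the tunnel-address choice discussed in this thread (a unique VTI address, not borrowed from a subnet that NAT rules already cover, private vs. public, and the peer on the same tunnel subnet). This is an added example for the thread, not code from Cisco or any of the posters; every address and subnet in it is constructed.

```python
import ipaddress

# Constructed sample values, not taken from the thread: a candidate VTI
# address, the FTD's existing interface subnets, the subnets its NAT rules
# already cover, and the peer's tunnel address.
CANDIDATE_VTI = "10.255.255.1/30"
PEER_VTI = "10.255.255.2"
INTERFACE_SUBNETS = ["198.51.100.0/29", "192.168.10.0/24"]  # outside, inside
NAT_SUBNETS = ["192.168.10.0/24"]  # inside subnet referenced by NAT rules

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vti_address(candidate, peer, interface_subnets, nat_subnets):
    """Return the conflicts found for a proposed VTI tunnel IP (empty list = clean)."""
    vti = ipaddress.ip_interface(candidate)
    peer_ip = ipaddress.ip_address(peer)
    findings = []

    # The VTI needs its own unique address: it must not sit inside a subnet
    # that a physical or loopback interface already owns.
    for net in map(ipaddress.ip_network, interface_subnets):
        if vti.ip in net:
            findings.append(f"overlaps interface subnet {net}")

    # Caveat raised in the thread: an address borrowed from a subnet that NAT
    # rules already cover may not be accepted, so use an unused subnet instead.
    for net in map(ipaddress.ip_network, nat_subnets):
        if vti.ip in net:
            findings.append(f"inside NAT-referenced subnet {net}")

    # A public tunnel address must be one the ISP routes to you; an RFC 1918
    # address only has to be unique on both tunnel ends.
    if not any(vti.ip in net for net in RFC1918):
        findings.append("public address: confirm it is in a block the ISP routes to you")

    # Both tunnel ends must differ and should share the tunnel subnet.
    if peer_ip == vti.ip:
        findings.append("peer uses the same tunnel IP")
    elif peer_ip not in vti.network:
        findings.append(f"peer {peer_ip} is outside tunnel subnet {vti.network}")

    return findings


if __name__ == "__main__":
    result = check_vti_address(CANDIDATE_VTI, PEER_VTI, INTERFACE_SUBNETS, NAT_SUBNETS)
    print("\n".join(result) if result else "no conflicts found")
```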