Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
403
Views
5
Helpful
8
Replies

Create IPSEC Point2Point using VTI on FTD (FTD code)?

Go to solution
CiscoPurpleBelt
Level 6
Level 6

‎06-25-2024 07:28 AM - edited ‎06-25-2024 08:57 AM

Few question, have a simple setup for FTD managed via FMC. 

FMC/Internal network >>>>> FTD/Outside int >>>>ISP/Internet>>>>>>><<<<<<<<FW/Peer Tunnel Device<<<<Internal Network

I see in this doc https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/216276-configure-route-based-site-to-site-vpn-t.html only BGP or static is supported for routing using VTI?

If we have available public IPs to use, would it be better to use a public IP for the VTI or private, I was just going to use private from an internal block that is already natted and/or create a nat statement for it?
Not as familiar with FTD. I would just create statement to reach the Peer Device and/internal network to point to the IPSEC tunnel correct?

 

 

 

Labels:
0 Helpful
5 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎06-25-2024 07:34 AM

@CiscoPurpleBelt you can use a private IP address or "borrow" the IP address from another interface, I would personally use a private IP address for the tunnel IP address.

If using 7.3 or newer you can use a dedicated loopback interface. https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface

 

View solution in original post

Go to solution
MHM Cisco World
VIP
VIP

‎06-25-2024 07:42 AM

There is no rule you can use public or private IP but 

1-Use private IP from subnet use in NAT

I dont think ftd accpet that.

2-use public IP can conflict with router connect to internet' the public IP need to order from ISP otherwise it lead to routing issue

Vti need unique private or public IP

MHM

View solution in original post

Go to solution
tvotna
Spotlight
Spotlight
In response to Rob Ingram

‎06-25-2024 07:52 AM

@CiscoPurpleBelt, adding to @Rob Ingram post: EIGRP and OSPF over VTI are supported as of 7.3.

 

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to CiscoPurpleBelt

‎06-25-2024 09:12 AM

@CiscoPurpleBelt yes, you can use any unused private IP address. Assigned to the tunnel interface, or use the loopback (if 7.3 or higher) and borrow the IP address of the loopback.

RobIngram_0-1719331966407.png

 

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to CiscoPurpleBelt

‎06-25-2024 09:23 AM

@CiscoPurpleBelt the tunnel source would be the outside interface public IP. In the "IP address" section is where you define the tunnel IP, use either "Configure IP" to manually define the tunnel IP or select "Borrow IP (IP unnumbered)" to use the IP address of the loopback.

RobIngram_0-1719332418657.png

Refer to the "Adding a Static Virtual Tunnel Interface (on all the spokes)" section - https://secure.cisco.com/secure-firewall/v7.3/docs/dynamic-virtual-template-interface-dvti

 

 

 

View solution in original post

8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

‎06-25-2024 07:34 AM

@CiscoPurpleBelt you can use a private IP address or "borrow" the IP address from another interface, I would personally use a private IP address for the tunnel IP address.

If using 7.3 or newer you can use a dedicated loopback interface. https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface

 

Go to solution
tvotna
Spotlight
Spotlight
In response to Rob Ingram

‎06-25-2024 07:52 AM

@CiscoPurpleBelt, adding to @Rob Ingram post: EIGRP and OSPF over VTI are supported as of 7.3.

 

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to Rob Ingram

‎06-25-2024 09:12 AM

Ok yea only at 7. right now.  
When just creating a VTI in general, I would choose the Outside interface Security Zone correct? In the settings for IPsec Tunnel Mode in the Add Virtual Tunnel Interface, that is where I enter the private IP I would like to use?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to CiscoPurpleBelt

‎06-25-2024 09:23 AM

@CiscoPurpleBelt the tunnel source would be the outside interface public IP. In the "IP address" section is where you define the tunnel IP, use either "Configure IP" to manually define the tunnel IP or select "Borrow IP (IP unnumbered)" to use the IP address of the loopback.

RobIngram_0-1719332418657.png

Refer to the "Adding a Static Virtual Tunnel Interface (on all the spokes)" section - https://secure.cisco.com/secure-firewall/v7.3/docs/dynamic-virtual-template-interface-dvti

 

 

 

Go to solution
MHM Cisco World
VIP
VIP

‎06-25-2024 07:42 AM

There is no rule you can use public or private IP but 

1-Use private IP from subnet use in NAT

I dont think ftd accpet that.

2-use public IP can conflict with router connect to internet' the public IP need to order from ISP otherwise it lead to routing issue

Vti need unique private or public IP

MHM

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to MHM Cisco World

‎06-25-2024 09:02 AM

Hi yes the public IP would be from a public block already assigned by ISP.
Are you suggesting just creating a private IP from a subnet that is not currently used if I were to use a private IP for VTI?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to CiscoPurpleBelt

‎06-25-2024 09:12 AM

@CiscoPurpleBelt yes, you can use any unused private IP address. Assigned to the tunnel interface, or use the loopback (if 7.3 or higher) and borrow the IP address of the loopback.

RobIngram_0-1719331966407.png

 

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to Rob Ingram

‎06-25-2024 09:48 AM

Ok yea just still on 7.0.6 so will just create a VTI, its source will be Outside int, and will assign the tunnel mode IP using an unused IP from an existing internal private subnet which already has NAT statements created.

0 Helpful
Customers Also Viewed These Support Documents