FTD IPSec VTI and Source NAT

dilnaazhum (Level 1)

Hello,

Please assist me with one of the issues I am facing when performing source NAT on an FTD IPsec VTI tunnel. Is this supported, or am I missing something that needs to be addressed before NAT? Our goal is to achieve load-balancing of inter-region traffic by changing the source IP address to the FTD's internal interface. Without NAT, we see asymmetric traffic, since we have four FTDs (two in each region) with one iLB in each.

[Attachment: SourceNAT.PNG]

FTD version: 7.1.0 and FMC managed.

Routing protocol: BGP over the VTI IPsec tunnel, plus a static route

I've tried all NAT options (dynamic/static, with before/after manual NAT or auto NAT), but I still see the actual traffic, not translated traffic. Wireshark captures on the machines show the traffic without translation, while packet capture / show xlate shows the correct desired output.

It would be greatly appreciated if you could help.

Thanks and regards

Mali


See below my comment.

Thanks MHM.

I'm using NAT for the first time for traffic traversing IPsec tunnels on firewalls, since packet encryption/decryption on the firewalls' VTI interfaces may not recognize NAT configurations; in addition, the VTI interface changes its IP address from its actual source interface. Since I have spent a couple of days trying to resolve the issue, I will contact Cisco TAC/TAM.

Regards

Mali

Thanks MHM.

In any case, I will try the workaround, since I am experiencing another drawback with the crypto termination interface and real-time traffic being within the same security zone. I will let you know the outcome after I touch the production infrastructure, which may take some time.

Thanks and regards

Mali

Hello MHM,

In multiple scenarios, I have used S2S VPN with PBR-based IPsec and have been able to achieve NAT, but I was unable to achieve full-mesh connectivity when I tried to build IPsec ACLs (same SRC and DST) with both firewalls.

Is IPsec supported to have two peers with the same crypto ACL?

[Attachment: Capture.PNG]

Thanks and regards

Mali