04-15-2025 05:05 AM
Good morning everyone,
I have a Cisco 1210CE FTD secure firewall with software 7.6 and
I'm trying to add a VPN based on a LAN-LAN route and I would need to create a static route
to route traffic in the VPN only if the destination is for example the network 192.168.100.0/29
while all the other traffic must be routed to the ISP.
I'm confused about the configuration of the new static route:
if I understood correctly in the interface field I have to indicate the tunnel,
in the network field I enter 192.168.100.0/29, but in the gateway field what do I have to enter?
I come from the Juniper world, where to configure the tunnel path it was enough to enter the destination network and the interface to use,
but on Cisco it is mandatory to also enter the gateway.
Can someone give me an example, please?
Thanks everyone
Have a nice day
04-15-2025 05:11 AM
@Brunetta7 are you trying to configure a route based VPN with a VTI or a policy based VPN?
If a route based VPN, the next hop would be the tunnel IP address of the peer. https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/216276-configure-route-based-site-to-site-vpn-t.html
If a policy based VPN you just need to ensure the traffic to the remote destination is routed to the FTD's outside interface (so it may just be routed via the 0.0.0.0/0.0.0.0 default route), if the traffic matches the network defined as a protected network, it will be encrypted and routed over the VPN.
04-18-2025 04:05 AM
Which VPN do you use?
Policy or route-based VPN?
MHM
04-18-2025 07:18 AM
04-18-2025 07:23 AM
Try pinging from the remote peer and check the decrypt count; it seems the VTI is not working at all.
MHM
04-28-2025 02:01 AM
Good morning everyone,
sorry for the delay but I had to wait for the remote provider to be available.
In the end I opted for a LAN-to-LAN policy-based VPN configuration.
The main problem that prevented the VPN from working correctly was that the remote provider had imposed
a specific range of IP addresses to use as a local selector and this did not correspond with the addressing of my local network.
I managed to solve the problem by creating a static NAT inside section 1 that translated the original source from my network
to the IP address accepted by the remote peer as a local selector.
Now everything seems to work correctly.
Thanks for the time you dedicated to me.
Have a nice day
Giuseppe
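To make the two points in this thread concrete (the route-based case from the first reply, where the /29 is routed to the tunnel interface with the peer's tunnel IP as next hop while everything else follows the default route, and the policy-based case from the last post, where a static NAT had to rewrite the source so it matched the local selector imposed by the remote peer), here is an added Python simulation. It is not Cisco configuration and not from anyone in the thread; all addresses (203.0.113.1 as ISP gateway, 169.254.0.2 as peer tunnel IP, 10.0.0.0/24 as the real LAN, 10.99.0.0/24 as the selector range the provider demanded) are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]  # next hop; for a VTI this is the peer's tunnel IP

# Constructed route-based table: the remote /29 points at the VTI, the rest at the ISP.
ROUTE_BASED_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside", "203.0.113.1"),        # ISP default (constructed)
    Route(ipaddress.ip_network("192.168.100.0/29"), "Tunnel1", "169.254.0.2"),  # peer tunnel IP (constructed)
]

# Constructed policy-based table: no tunnel route at all, only the default towards the ISP.
POLICY_BASED_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside", "203.0.113.1"),
]

def lookup(dst: str, table=ROUTE_BASED_TABLE) -> Route:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)

# Policy-based VPN protected networks (crypto ACL). The remote provider dictated LOCAL_SELECTOR.
LOCAL_SELECTOR = ipaddress.ip_network("10.99.0.0/24")      # imposed by remote peer (constructed)
REMOTE_SELECTOR = ipaddress.ip_network("192.168.100.0/29")
REAL_LAN = ipaddress.ip_network("10.0.0.0/24")             # what the local network actually uses (constructed)

# Static 1:1 network NAT: real LAN -> selector range, applied before the crypto-ACL check,
# which is the order the FTD uses (NAT first, then the protected-network match).
STATIC_NAT = {REAL_LAN: LOCAL_SELECTOR}

def nat_source(src: str, nat=STATIC_NAT) -> str:
    """Translate src host-for-host into the mapped network; identity if no rule matches."""
    addr = ipaddress.ip_address(src)
    for real, mapped in nat.items():
        if addr in real:
            offset = int(addr) - int(real.network_address)
            return str(mapped.network_address + offset)
    return src

def policy_vpn_decision(src: str, dst: str, use_nat: bool = True) -> dict:
    """Decide egress interface and whether the (post-NAT) flow matches the crypto ACL."""
    translated = nat_source(src) if use_nat else src
    route = lookup(dst, POLICY_BASED_TABLE)
    encrypted = (ipaddress.ip_address(translated) in LOCAL_SELECTOR
                 and ipaddress.ip_address(dst) in REMOTE_SELECTOR)
    return {"egress": route.interface, "src_after_nat": translated, "encrypted": encrypted}

if __name__ == "__main__":
    r = lookup("192.168.100.5")
    print(f"route-based: 192.168.100.5 -> {r.interface} via {r.gateway}")
    r = lookup("8.8.8.8")
    print(f"route-based: 8.8.8.8 -> {r.interface} via {r.gateway}")
    print("policy-based, with NAT:   ", policy_vpn_decision("10.0.0.7", "192.168.100.5"))
    print("policy-based, without NAT:", policy_vpn_decision("10.0.0.7", "192.168.100.5", use_nat=False))
```

The route-based lookup shows why the gateway field is the peer's tunnel address: the /29 wins by longest prefix and is handed to Tunnel1, everything else falls to the ISP default. The policy-based function shows the failure mode from the last post: without the static NAT the source sits outside the imposed local selector, the flow still leaves the outside interface but in the clear, and only after translation does it match the crypto ACL and get encrypted.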