Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
294
Views
3
Helpful
6
Replies

GCP HA VPN to FTD

Go to solution
Chess Norris
Level 4
Level 4

‎10-09-2024 08:18 AM

Hello,

A customer have a working GCP classic VPN tunnel to a FTD device. The tunnel on the FTD side is policy-based. 

Now the customer need to change from GCP classic to GCP HA and I'm trying to find information on what I need to change on the FTD side? The only thing I could found was this document describing a HA VPN beteen GCP and a Cisco ASA 5506H  https://github.com/GoogleCloudPlatform/community/blob/master/archived/using-ha-vpn-with-cisco-asa/index.md 

I guess I need to change from Policy-based to route-based in FTD, but are there anything else needed?

Thanks

/Chess

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Chess Norris

‎10-09-2024 12:53 PM

@Chess Norris yes static routing is supported. If you were setting up an HA VPN to multi peer hubs, a routing protocol is recommended.

View solution in original post

6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎10-09-2024 08:25 AM

@Chess Norris it is pretty straightforward from the FTD perspective.

Disable the old policy based VPN configuration, create a new sVTI and configure BGP routing. https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/216276-configure-route-based-site-to-site-vpn-t.html

If you need to peer to different GCP gateways, then you can configure a backup VTI on the FTD.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-s2s.html#Cisco_Reference.dita_73dac582-5114-4643-9536-fc4e2de1f1c4

 

 

Go to solution
Chess Norris
Level 4
Level 4
In response to Rob Ingram

‎10-09-2024 12:49 PM - edited ‎10-09-2024 12:50 PM

Thank you, Rob. So BGP it's mandatory? A static route won't work?

Thnaks

/Chess

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Chess Norris

‎10-09-2024 12:53 PM

@Chess Norris yes static routing is supported. If you were setting up an HA VPN to multi peer hubs, a routing protocol is recommended.

Go to solution
Chess Norris
Level 4
Level 4
In response to Rob Ingram

‎10-09-2024 11:39 PM

Thanks again. Will give it a try next week.

/Chess

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎10-09-2024 09:13 AM

Sorry FTD have one WAN and cloud providers two public IP?

MHM

0 Helpful

Go to solution
Chess Norris
Level 4
Level 4

‎10-14-2024 07:18 AM - edited ‎10-14-2024 07:20 AM

@Rob Ingram Just a follow up. I did the configuration today and it worked great. From what I understand after reading the GCP VPN documentation, static route is not suported for GCP H/A tunnels, but I enabled BGP and it worked without any issues. 

This document descibes the VPN setup from both sides. (GCP->ASA)

https://github.com/GoogleCloudPlatform/community/blob/master/archived/using-ha-vpn-with-cisco-asa/index.md#

Cheers

/Chess

Customers Also Viewed These Support Documents