08-08-2024 10:49 PM
My company has a Cisco Firepower 1120. I have to configure a site-to-site VPN with another company. I was given information from the other company. I configure my device, the Firepower, from the FDM. On the internet, I found that the FDM supports just route-based site-to-site VPN. The other company gave me information that they have no possibility of configuring their device with route-based site-to-site VPN, just with policy-based site-to-site VPN. I must configure policy-based site-to-site VPN. On the internet, I found that there exists a template for configuring policy-based site-to-site VPN. Can you give me some information about this? One more question: I must configure policy-based site-to-site VPN from the CLI. Which terminal do I use to configure this option? Is it system support diagnostic-cli?
08-12-2024 04:34 AM
Yes, this is it. You see the type is manual, not auto. You need to change the NAT type and check.
MHM
08-12-2024 04:39 AM - edited 08-12-2024 04:39 AM
08-08-2024 11:08 PM
@gogi99 FDM certainly does support policy based VPN - This guide demonstrates how to set up a VPN on FDM (complete the FDM section and ignore the ASA section at the end) https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215513-configure-site-to-site-vpn-on-ftd-manage.html
If using FDM you must configure the VPN and the vast majority of actual configuration using the GUI. The CLI is primarily used for initial setup of the mgmt interfaces and troubleshooting.
08-08-2024 11:16 PM
I must configure policy-based site-to-site VPN on my device. Do you have any advice on how to configure it, for synchronization with the other company's device?
08-08-2024 11:21 PM - edited 08-08-2024 11:29 PM
@gogi99 the guide I provided above is an example of configuring a policy based VPN on FDM, follow the steps in the FDM section of the guide.
You need to define your local network(s) and the peer's remote network(s), this is referred to as protected networks, define the peer's IKE/IPSec policy/proposals, configure a pre-shared key or certificate. And create a NAT exemption rule.
08-08-2024 11:46 PM - edited 08-08-2024 11:47 PM
I created my local network, I have the IP of the remote peer and the remote networks, I defined the IKE/IPSec policy/proposal and the pre-shared key. From the other company I received instructions:
OpenShift (=11.115.55.0/24) enters the encryption domain from our side. We would kindly ask you to present your LAN side through the IP range that the Office will allocate to you (=11.4.23.0/24), so that it is routable within our data center.
and
The tunnel is configured as policy based and in that context IP communication between the ranges 11.115.55.0/24 and 11.4.23.0/24 is defined as interesting traffic. From the side of your company, a symmetrical definition is needed.
I must create NAT; how do I do this from FDM?
08-08-2024 11:52 PM
@gogi99 11.4.23.0/24 should be defined as the local network that defines your protected networks in the VPN configuration.
You would need to create a manual NAT rule with the original source of your real/actual local networks, the original destination of the remote network (11.115.55.0/25) with a translated source of 11.4.23.0/24 and the translated destination still as (11.115.55.0/25).
08-09-2024 01:06 AM
I created the NAT per your instructions, with the name eUprava_NAT, but nothing. I tested the configuration with the command
show running-config crypto map
crypto map s2sCryptoMap 1 match address |s2sAcl|091dd7e7-5575-11ef-85f5-2fcd82cd34ff
crypto map s2sCryptoMap 1 set pfs group24
crypto map s2sCryptoMap 1 set peer remote_ip
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-256
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside
In the line crypto map s2sCryptoMap 1 match address |s2sAcl|091dd7e7-5575-11ef-85f5-2fcd82cd34ff I see something else from the rule that I created, Permit_eUprava
08-09-2024 01:19 AM
@gogi99 you have to generate traffic in order to establish the VPN.
There is no way to determine whether your NAT configuration is correct with the output you provided. Run "show nat detail" to provide the output.
Are the IKEv2/IPSec settings the same as the peer?
Did you define the protected networks correctly? Provide a screenshot of the configuration.
Run some debugs
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
Refer to the guide previously provided, which has some troubleshooting steps
08-09-2024 01:32 AM
I used show nat detail
(any) to (any) source static server_network eUprava destination static OpenShift_Network OpenShift_Network
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
Destination - Origin: 11.115.55.0/24, Translated: 11.115.55.0/24
Are the IKEv2/IPSec settings the same as the peer?
The settings are the same.
The screenshot of the configuration:
Connection Name: eUprava_site-to-site_VPN
VPN Access Interface IP: outside (ip_of my outside interface)
Network: server_network(192.168.99.0/24)
Peer IP Address: ip_remote_peer
Peer Network: OpenShift_Network(11.115.55.0/24), eUprava(11.4.23.0/24)
IKE Version 2
IKE Policy: aes-256-sha256-sha256-24
IPSec Proposal: aes-256-sha-256
Authentication Type: Pre-shared Manual Key
IKE Version 1: Disabled
OTHER
NAT Exempt: —
Diffie-Hellman Group: GROUP24
I used the following commands
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
but I don't receive anything
08-09-2024 01:39 AM
@gogi99 as you have to NAT, 11.4.23.0/24 needs to be configured as your local protected network in the VPN, not the real network 192.168.99.0/24.
Why have you got 11.4.23.0/24 as a remote network? That is the NAT range the peer wants on your local side of the VPN.
You will only get debug output when you generate traffic to establish the VPN.
08-09-2024 01:58 AM
The network 11.4.23.0/24 is in the other company.
I received from the other company:
The tunnel is configured as policy based and in that context IP communication between the ranges 11.115.55.0/24 and 11.4.23.0/24 is defined as interesting traffic. A symmetrical definition is required from your company's side.
08-09-2024 02:07 AM
@gogi99 you said "We would kindly ask you to present your LAN side through the IP range that the Office will allocate to you (=11.4.23.0/24), so that it is routable within our data center." and "The tunnel is configured as policy based and in that context IP communication between the ranges 11.115.55.0/24 and 11.4.23.0/24 is defined as interesting traffic". << therefore not your local LAN network 192.168.99.0/24
So therefore I determined they want you to NAT your LAN traffic to that range. The last few messages in regard to the NAT configuration that has been provided to you have been based on that assumption. If you feel that is incorrect, you may wish to contact the 3rd party and clarify exactly what they want you to do.
08-09-2024 02:24 AM
I understood this message as: NAT my local network 192.168.99.0/24 to 11.4.23.0/24, but I cannot define interesting traffic.
08-09-2024 02:27 AM
In the ACL of the VPN, use the mapped IP, not the real IP.
In NAT, don't use interface ANY ANY; use interface IN OUT or the other nameif you use.
MHM
08-09-2024 02:28 AM
@gogi99 please re-read the guide already provided.
Create objects for the protected networks (this is the interesting traffic).
You then reference these objects in the VPN configuration, as the local and remote networks.
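The advice in the two replies above (the local protected network must be the NAT'd range 11.4.23.0/24, and the VPN ACL must use mapped addresses rather than the real LAN) follows from the order of operations on FTD/ASA: outbound traffic is translated by NAT first, and only the translated addresses are compared against the crypto map ACL. The following Python script is an added example, not code from the thread or from Cisco; it models that order with the values posted above. The `show nat detail` text is a constructed sample in the shape of the posted output, the object names (server_network, eUprava, OpenShift_Network) are the poster's, and the network constants are assumptions taken from the thread.

```python
"""Added example (not from the thread): models the outbound order of operations
the answers rely on. On FTD/ASA a packet is translated by NAT first and only
then compared against the crypto map ACL, i.e. the VPN's protected networks,
so the local protected network must be the mapped range, not the real LAN.
The 'show nat detail' text and the object names are constructed from the
values posted in the thread; the network constants are assumptions."""
import ipaddress
import re

# Constructed sample, shaped like the 'show nat detail' output in the thread.
SHOW_NAT_DETAIL = """\
(any) to (any) source static server_network eUprava destination static OpenShift_Network OpenShift_Network
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
    Destination - Origin: 11.115.55.0/24, Translated: 11.115.55.0/24
"""

# Assumed values, taken from the thread's posts.
REAL_LAN = ipaddress.ip_network("192.168.99.0/24")   # poster's actual LAN
MAPPED_LAN = ipaddress.ip_network("11.4.23.0/24")    # range the peer allocated
PEER_NET = ipaddress.ip_network("11.115.55.0/24")    # peer's OpenShift network

NAT_LINE = re.compile(r"(Source|Destination) - Origin: (\S+), Translated: (\S+)")


def parse_static_nat(text):
    """Parse the Origin/Translated lines of one static (twice) NAT rule."""
    rule = {}
    for m in NAT_LINE.finditer(text):
        rule[m.group(1).lower()] = (ipaddress.ip_network(m.group(2)),
                                    ipaddress.ip_network(m.group(3)))
    return rule


def translate(addr, orig_net, mapped_net):
    """One-to-one static network NAT: keep the host offset, swap the prefix."""
    if addr not in orig_net:
        return addr
    offset = int(addr) - int(orig_net.network_address)
    return ipaddress.ip_address(int(mapped_net.network_address) + offset)


def apply_nat(src, dst, rule):
    """Apply the twice-NAT rule: it fires only when source AND destination match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s_orig, s_map = rule["source"]
    d_orig, d_map = rule["destination"]
    if src in s_orig and dst in d_orig:
        return translate(src, s_orig, s_map), translate(dst, d_orig, d_map)
    return src, dst


def crypto_acl_matches(src, dst, local_nets, remote_nets):
    """Crypto map ACL: 'permit ip <local protected> <remote protected>'."""
    return any(src in n for n in local_nets) and any(dst in n for n in remote_nets)


def is_interesting(src, dst, rule, local_nets, remote_nets):
    """Outbound path: NAT first, then the crypto ACL sees the mapped addresses."""
    nat_src, nat_dst = apply_nat(src, dst, rule)
    return crypto_acl_matches(nat_src, nat_dst, local_nets, remote_nets)


def symmetric_with_peer(local_nets, remote_nets, peer_local, peer_remote):
    """The peer's 'symmetrical definition': our local == their remote and vice versa."""
    return set(local_nets) == set(peer_remote) and set(remote_nets) == set(peer_local)


if __name__ == "__main__":
    rule = parse_static_nat(SHOW_NAT_DETAIL)
    # As first configured in the thread: real LAN as the local protected network.
    print("real LAN as local:  ",
          is_interesting("192.168.99.10", "11.115.55.5", rule, [REAL_LAN], [PEER_NET]))
    # As advised: the mapped range as the local protected network.
    print("mapped LAN as local:",
          is_interesting("192.168.99.10", "11.115.55.5", rule, [MAPPED_LAN], [PEER_NET]))
    # The peer defined 11.115.55.0/24 <-> 11.4.23.0/24 as interesting traffic.
    print("symmetric with peer:",
          symmetric_with_peer([MAPPED_LAN], [PEER_NET], [PEER_NET], [MAPPED_LAN]))
```

With the real LAN as the local protected network the packet is translated to 11.4.23.10 before the crypto ACL is consulted, so nothing matches, no SA is negotiated and the debugs stay silent; with the mapped range as the local network the same packet matches and the tunnel is brought up. The `symmetric_with_peer` check is the mirror-image test the other company asked for: their remote must equal your local and vice versa.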