cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1495
Views
2
Helpful
50
Replies

route based, policy based site to site VPN on the firepower 1120

gogi99
Level 1
Level 1

my company has a cisco firepower 1120. i have to configure site to site VPN with other company. i gave a information from other company. my device, the firepower i configure from the FDM. on internet, i found that the FDM supports just route based site to site VPN. other company gave me information that they have not possibility configuring device with route based site to site VPN, just with policy based site to site VPN. i must configure policy based site to site VPN. on internet, i found that exists template for policy based site to site VPN for configuring. can we give me some information about this? one more question, i must configure policy based site to site VPN from the CLI. which terminal do I use to configure this option? is it system support diagnostic-cli?

2 Accepted Solutions

Accepted Solutions

Yes this it' you see type is manual not auto' you need to change NAT type and check

MHM

View solution in original post

add new one with Type auto after that disable this one.

MHM

View solution in original post

50 Replies 50

@gogi99 FDM certainly does support policy based VPN - This guide demonstrates how to setup a VPN on FDM (complete the FDM section and ignore the ASA section at the end) https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215513-configure-site-to-site-vpn-on-ftd-manage.html

If using FDM you must configure the VPN and the vast majority of actual configuration using the GUI. The CLI is primarily used for inital setup of the mgmt interfaces and troubleshooting.

i must configure policy based site to site VPN on my device. do you have any advice how to configure it, due to synchronization with another company's device?

@gogi99 the guide I provided above is an example of configuring a policy based VPN on FDM, follow the steps in the FDM section of the guide.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215513-configure-site-to-site-vpn-on-ftd-manage.html

You need to define your local network(s) and the peers remote network(s), this is referred to as protected networks, define the peers IKE/IPSec policy/proposals, configure pre-shared key or certificate. And create a NAT exemption rule.

i created my local network, i have ip of remote peer, remote networks, i defined IKE/IPSec policy/proposal, pre-shared key. from other company i receive instructions 

OpenShift (=11.115.55.0/24) enters the encryption domain from our side. We would kindly ask you to present your LAN side through the IP range that the Office will allocate to you (=11.4.23.0/24), so that it is routable within our data center.

and

The tunnel is configured as policy based and in that context IP communication between the ranges 11.115.55.0/24 and 11.4.23.0/24 is defined as interesting traffic. From the side of your company, a symmetrical definition is needed.

i must create NAT, how i do this from FDM?

 

@gogi99 11.4.23.0/24 should be defined as the local network that defines your protected networks in the VPN configuration.

You would need to create manual NAT rule with the original source of your real/actual local networks, the original destination of the remote network (11.115.55.0/25) with a translated source of 11.4.23.0/24 and the translated destination still as (11.115.55.0/25).

i created Nat per your instructions, with name eUprava_NAT, but nothing. i tested configuration with command 

show running-config crypto map
crypto map s2sCryptoMap 1 match address |s2sAcl|091dd7e7-5575-11ef-85f5-2fcd82cd34ff
crypto map s2sCryptoMap 1 set pfs group24
crypto map s2sCryptoMap 1 set peer remote_ip
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-256
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside

in line crypto map s2sCryptoMap 1 match address |s2sAcl|091dd7e7-5575-11ef-85f5-2fcd82cd34ff i see something else from created rule that i made Permit_eUprava

@gogi99 you have to generate traffic in order to establish the VPN.

There is no way to determine whether your NAT configuration is correct with the output you provided. Run "show nat detail" to provide the output.

Are the IKEv2/IPSec settings the same as the peer?

Did you define the protected networks correctly? Provide a screenshot of the configuration.

Run some debugs

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

Refer to the guide previously provided, which has some troubleshooting steps

i used  show nat detail 

(any) to (any) source static server_network eUprava destination static OpenShift_Network OpenShift_Network
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
Destination - Origin: 11.115.55.0/24, Translated: 11.115.55.0/24

Are the IKEv2/IPSec settings the same as the peer?

the settings are same.

the screenshot of configuration

Connection Name: eUprava_site-to-site_VPN

VPN Access Interface IP: outside (ip_of my outside interface)
Network: server_network(192.168.99.0/24)

Peer IP Address: ip_remote_peer
Peer Network: OpenShift_Network(11.115.55.0/24), eUprava(11.4.23.0/24)

IKE Version 2
IKE Policy: aes-256-sha256-sha256-24
IPSec Proposal: aes-256-sha-256
Authentication Type: Pre-shared Manual Key

IKE Version 1: Disabled

OTHER
NAT Exempt: —

Diffie-Hellman Group: GROUP24

i used next commands

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

but i dont receive nothing

 

 

@gogi99 as you have to NAT, 11.4.23.0/24 needs to be configured as your local protected network in the VPN, not the real network 192.168.99.0/24.

Why have you got 11.4.23.0/24 as a remote network? That's is the NAT range the peer whats on your local side of the VPN.

You will only get debug output when you generate traffic to establish the VPN.

the network 11.4.23.0/24 is in other company.

i received from other company

The tunnel is configured as policy based and in that context IP communication between the ranges 11.115.55.0/24 and 11.4.23.0/24 is defined as interesting traffic. A symmetrical definition is required from your company's side.

@gogi99 you said "We would kindly ask you to present your LAN side through the IP range that the Office will allocate to you (=11.4.23.0/24), so that it is routable within our data center." and "The tunnel is configured as policy based and in that context IP communication between the ranges 11.115.55.0/24 and 11.4.23.0/24 is defined as interesting traffic". << therefore not your local LAN network 192.168.99.0/24

So therefore I determined they want you to NAT your LAN traffic to that range. The last few messages in regard to the NAT configuration that has been provided to you have been based on that assumption. If you feel that is incorrect, you may wish to contact the 3rd party and clarify exactly what they want you to do.

I understood this message to NAT my local network 192.168.99.0/24 in 11.4.23.0/24, but i cannot define interesting  traffic.

 

in ACL of VPN use mapped ip not real IP 
in NAT dont use interface ANY ANY use interface IN OUT or other nameif you use 

MHM 

@gogi99 please re-read the guide already provided.

Create objects for the protected networks (this is the interesting traffic).

You then reference these objects in the VPN configuration, as the local and remote networks.

RobIngram_0-1723195660541.png