cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1029
Views
4
Helpful
6
Replies

routing FTD internal data interface traffic across VPN

tato386
Level 6
Level 6

I have site to site VPN created between two FTDs and each FTD has multiple internal interfaces and private subnets configured. All subnets are configured on the VPN and all endpoints can talk to each other. However, I cannot get traffic across the VPN to/from the FTD interface IPs themselves. For example, I have configured the FTDs to allow SSH and ICMP from all subnets whether local or remote. From local subnets I can SSH and ping but not from IPs on the other side of the VPN. My guess is that the FTD is not sourcing return traffic from its private IPs but rather the public IP it uses to establish the VPN. There is an option in FTD routing to make a route "tunneled" which seems interesting but the explanation in the help pages does not make sense to me. Thoughts?

Thanks

1 Accepted Solution
6 Replies 6

Tunneled is use for RA VPN not for S2S.

For traffic to-box from fmc platform settings do you use outside as interface for ssh/telent??

MHM

tato386
Level 6
Level 6

@MHM Cisco World thanks for clearing the use of "tunneled route" up for me.

Using platform settings policy I have enabled ICMP and SSH on all interfaces as long as traffic is coming from an inside network but I can only ping and SSH to the FTD when I source from an IP on the same subnet as the target FTD internal interface.  The FTD is successfully routing traffic to remote internal subnets for hosts but the unit itself will not respond to traffic from these same networks.  I suspect that the FTD is using its Internet/public interface and IP to respond to remote internal/VPN subnets instead of sourcing from the internal interfaces that was the target of the ping and/or SSH client connection.

If you use inside and try from subnet connect to outside sure traffic will drop' ftd and old asa not accept traffic from not direct connect subnet (note here we talking about to-box traffic not passthrough traffic)

MHM

@MHM Cisco World I am definitely talking about box-to-box.  Something like this:

desktop-A<->inside:FTD-A:outside<--VPN-->outside:FTD-B:inside<desktop-B>

desktop-A subnet and desktop-B subnets are connected via no-NAT VPN with no restrictions between them so desktop-A to desktop-B have full IP connectivity.  However, desktop-A cannot ping or SSH to FTD-B inside interfaces and vice-versa with desktop-B to FTD-A private interfaces.  Both FTDs have platform policy that allow ICMP and SSH from any private subnet to any inside interface.

thank you