routing FTD internal data interface traffic across VPN

tato386
Level 6

I have a site-to-site VPN created between two FTDs, and each FTD has multiple internal interfaces and private subnets configured. All subnets are configured on the VPN and all endpoints can talk to each other. However, I cannot get traffic across the VPN to/from the FTD interface IPs themselves. For example, I have configured the FTDs to allow SSH and ICMP from all subnets, whether local or remote. From local subnets I can SSH and ping, but not from IPs on the other side of the VPN. My guess is that the FTD is not sourcing return traffic from its private IPs but rather from the public IP it uses to establish the VPN. There is an option in FTD routing to make a route "tunneled", which seems interesting, but the explanation in the help pages does not make sense to me. Thoughts?

Thanks


Tunneled is used for RA VPN, not for S2S.

For to-box traffic, in the FMC platform settings, do you use outside as the interface for SSH/Telnet?

MHM

tato386
Level 6

@MHM Cisco World thanks for clearing the use of "tunneled route" up for me.

Using platform settings policy I have enabled ICMP and SSH on all interfaces as long as traffic is coming from an inside network, but I can only ping and SSH to the FTD when I source from an IP on the same subnet as the target FTD internal interface. The FTD is successfully routing traffic to remote internal subnets for hosts, but the unit itself will not respond to traffic from these same networks. I suspect that the FTD is using its Internet/public interface and IP to respond to remote internal/VPN subnets instead of sourcing from the internal interface that was the target of the ping and/or SSH client connection.

If you use inside and try from a subnet connected to outside, sure, the traffic will drop. FTD and old ASA do not accept traffic from a subnet that is not directly connected (note that here we are talking about to-box traffic, not passthrough traffic).

MHM

@MHM Cisco World I am definitely talking about box-to-box.  Something like this:

desktop-A<->inside:FTD-A:outside<--VPN-->outside:FTD-B:inside<desktop-B>

The desktop-A and desktop-B subnets are connected via a no-NAT VPN with no restrictions between them, so desktop-A and desktop-B have full IP connectivity. However, desktop-A cannot ping or SSH to FTD-B inside interfaces, and vice versa with desktop-B to FTD-A private interfaces. Both FTDs have a platform policy that allows ICMP and SSH from any private subnet to any inside interface.

thank you