SITE-SITE VPN

fmugambi

Hello,

Is it possible to do a site-to-site VPN between two FTDs managed by the same FMC?

If yes, for each one do you choose the remote device as "Extranet" or by its real name in the drop-down, say under Node B: Device Name, Device?

Your assistance will be appreciated.

Thank you in advance.

1 Accepted Solution

Choose sysopt permit-vpn.

If this option does not appear, then configure an ACL to permit the VPN traffic.

14 Replies

Sure you can.

For the device name, select the device name, not Extranet.

This is from the Cisco doc:

"Node B is an ASA. Devices that are not managed by the FMC are considered Extranet."

I gave the actual names and got a "duplicate" error. Why would this be so?

But when I use Extranet, the deployment goes through, but the tunnels don't come up.

Ok.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html

Follow this guide.

When you edit the endpoint, don't select Extranet; select the FTD name of the peer.


There are two fields:

Device: here you select the FTD.

Device Name: here you add the FTD name of the peer.


I just have the Device Name field, where you either choose devices managed by the FMC or Extranet devices.


Here:

Note that in my case both of my nodes are managed by the same FMC.

Both nodes are managed by the same FMC; that is why we must not select Extranet.

Now your config is correct, but I think the FMC sees two VPNs.

Can you start from zero and add a new topology name, and, as we agreed, for both select the FTD (the name in the Device field)?

I deleted one topology; I no longer get the error.

And surprisingly, when I do sh run | i [both peer IP addresses], I am getting entries showing me the presence of a VPN tunnel configured, with crypto maps and ACLs well attached. But still only one topology. Yet I have both devices; I expected to have two topologies, one for each device, each having its respective endpoints and protected networks.

fmugambi

Should I enable Access Control for VPN traffic, or the sysopt permit-vpn option?
