
VPN Site-To-Site From Firepower 2110 with FDM to Azure

julioegb
Level 1

Hi Cisco Community friends


I'm having trouble setting up a VPN with an FTD 2110 with FDM to Azure. I wanted to ask if anyone has any documentation, links or any recommendations.

 

I was reviewing the attached document, but it is for configuration in FMC. I also used the information in this link to configure the encryption and authentication parameters:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/214109-configure-asa-ipsec-vti-connection-to-az.html

 

Regards,

JG

7 Replies

It doesn't make a difference whether you set it using FDM or FMC. It should work.

Log in to the FTD CLI and go to system support diag. Then run debug crypto ikev2 or v1 depending on your setup.

***** please remember to rate useful posts

What is the issue you are struggling with?

Thanks Aref. Yesterday I did tests; phase 1 never came up. I did tests with packet-tracer and ping tcp, and it doesn't show a difference in phase 1. I'm using IKEv2.

 

Regards,

JG

 

You're welcome. I would enable debug crypto ikev2 protocol 127 and check the output; that might help you spot the issue straightaway.

Hi

 

I'm doing packet-tracer to test traffic flow. In other implementations with ASA and IKEv2 I was able to see the VPN phase in the packet-tracer flow even if the VPN was down. Right now I can't see the VPN phase in the packet-tracer for the VPN traffic. I'm on version 6.2.1, and I'm going to upgrade the FW first.

 

Regards,

JG

Log into the FTD via CLI, issue the command "system support diagnostic-cli", then type enable and hit enter with no password, this will take you to kind of the old ASA CLI. From there please do all the show commands related to the VPN configuration and post the sanitized output for review. Example:

show run crypto map

show run crypto ikev2

show run nat

show run access-list <the-crypto-ACL>

show run crypto ipsec

show run crypto ikev2 | i enable

Kevin.berlin
Level 1

Check out these resources:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

 

I found this video helpful for understanding the steps, which I was able to configure for my environment.

https://www.youtube.com/watch?v=dA_ND-hOHG8&t=594s&ab_channel=CloudGuard

 
