292 Views, 7 Helpful, 9 Replies

Creating a S2S VPN - protected networks via IP extended ACL

Ditter
Level 3

Hi to all,

I was trying to find out why the VPN between an FTD and a Cisco router could not come up and concluded this:

When I create the S2S VPN PtP topology, if I just add the protected networks, the tunnel does not come up.

For example, if behind the FTD is the network 192.168.1.0/24 and behind the extranet Cisco is the network 192.168.2.0/24, then if I add them in the protected network tab the IPsec VPN does not come up.

If instead I create an ACL with source any and destination 192.168.2.0 and apply it to the FTD, and also create an ext. ACL to allow traffic from 192.168.2.0 to any and apply it to the extranet node, the tunnel finally comes up.

Any ideas why this is happening? I am missing something but I cannot see what it is.

Please refer to the PNG attached in order to understand which part of the GUI I am referring to.

Thanks,

Ditter.

Accepted Solution

To not confuse you, I will ask here

Can you update me about this post

Thanks a lot

MHM


9 Replies

MHM

The router is a 2821 with 15.1(4)M10 and the FTD runs 7.2.5.

Btw, I am trying with IKEv1, not IKEv2.

On both sides, configure a route for the remote LAN, then use the subnet network and check.

MHM

@Ditter do you have a NAT exemption rule to ensure the traffic between 192.168.1.0/24 and 192.168.2.0/24 is not unintentionally translated?


@MHM Cisco World

There is no NAT rule at this phase. I will add it later to the config.

What I noticed is the following: if I put on the FTD side as protected network the "any" keyword instead of a specific protected subnet, it works! So in this case I have configured in the GUI of the FMC the protected network for the Cisco 2821 side as 192.168.2.0/24 and any on the FTD side, and the VPN started to work.

Thanks,

Ditter.

@Ditter yes, I understand what you've configured. If there is no NAT exemption rule, traffic will not come from the original source; it will come from the translated IP address, which would match "any" in the crypto ACL.

Apply a NAT exemption rule on both sides to make sure traffic is not unintentionally translated.


Thanks @MHM Cisco World. As the FTD does not permit VPN traffic to pass through the device, a static route should be created on the FTD in order to permit traffic to be sent to the appropriate interface where the VPN is created.
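To make the two fixes discussed in this thread concrete (the NAT exemption from the reply above and the route for the remote LAN), here is an added example configuration that is not from the original posters; it shows the router side in IOS syntax and the FTD side as the ASA-style config FMC would push. ACL and object names, interface names, the transform set and the peer/next-hop addresses (203.0.113.1, 198.51.100.1, 198.51.100.254) are assumptions; the ISAKMP policy and pre-shared key are assumed to already exist.

```cisco
! --- Cisco IOS router (2821), LAN 192.168.2.0/24 behind it ---
! Assumed: Gi0/0 is the outside interface, 203.0.113.1 its next hop.
!
! Route for the remote LAN, so it leaves via the interface holding the crypto map
ip route 192.168.1.0 255.255.255.0 203.0.113.1
!
! Crypto ACL with the specific LAN-to-LAN subnets (mirrored on the FTD)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT exemption: the deny for VPN traffic must come BEFORE the permit,
! otherwise that traffic is PATed to the outside address and no longer
! matches VPN-TRAFFIC (it would only match a crypto ACL of "any")
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
!
! Crypto map binding the crypto ACL to the FTD peer (assumed transform set TS)
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! --- FTD (ASA-style config as pushed by FMC), LAN 192.168.1.0/24 behind it ---
object network LAN-LOCAL
 subnet 192.168.1.0 255.255.255.0
object network LAN-REMOTE
 subnet 192.168.2.0 255.255.255.0
!
! Identity (exemption) NAT as a manual rule ordered before the dynamic PAT rule
nat (inside,outside) source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE no-proxy-arp route-lookup
!
! Static route so the FTD sends traffic for the remote LAN to the VPN interface
route outside 192.168.2.0 255.255.255.0 198.51.100.254 1
```

After traffic is generated, `show crypto ipsec sa` on the router should list the specific 192.168.2.0/24 to 192.168.1.0/24 proxy identities, and `show nat detail` on the FTD should show translate_hits incrementing on the identity rule rather than on the PAT rule.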
