Policy Based IPSEC Tunnel With Firepower

TrashPanda
Level 1

If I am configuring an IKEv1 IPSEC site-to-site VPN with an FTD device running 7.4.1 managed by the FMC and it is policy based, not route based, does the system ACL applied to the device also control the traffic across the tunnel? If so, then what Zone does the traffic show up as? Currently the device has an Inside and Outside zone defined.

4 Replies

The control plane ACL affects only the VPN outer header, i.e. it allows or denies the VPN between the FTD and the peer.

The ACP does not affect traffic passing via the VPN if you enable sysopt permit-vpn, but it does affect it if you disable it.

There is an option to filter the traffic passing via the VPN with a traffic filter.

I think it appears in

VPN topology > Advanced > IPsec > Filter

(FMC)

MHM

If the ACP is seeing the tunnel traffic then what is the source zone? 

If you want to configure the ACP, then you need ACP rules for both directions:
ACP Inside -> Outside
ACP Outside -> Inside

MHM

For inbound traffic from the remote VPN site, you would have a source zone of the outside interface.