Cisco FTD Site to Site VPN

KB ID 0001681

Problem

While working out how to create a VPN on the Cisco FTD (Firepower 1010), I thought I might as well set it up to the Cisco ASA that I have in the Data Center on my test network. This is what I’m connecting;

VPN FTD to Cisco ASA

 

Create Site to Site VPN On Cisco FTD (using FDM)

Using a web browser connect to the devices FDM > Site to Site VPN > View Configuration.

Cisco FTD Site to Site VPN from FDM

Create Site-to-site-connection.

FDM VPN Wizard Cisco

  • Connection profile name: Something sensible like VPN-To-HQ or VPN-To-Datacentre.
  • Local VPN Access Interface: outside.
  • Local Network: Crete new network.

FDM on FTD VPN Wizard Cisco

  • Name: This will be your local LAN so give it a recognisable name.
  • Type: Network
  • Network: Your local (behind the FTD) network i.e. 10.254.254.0/24
  • OK.

FDM VPN add Object

  • Remote IP Address: The public IP address of the other device (in my case the Cisco ASA).
  • Remote Network: Add
  • Crete new network

FDM VPN add Peer Detsils

  • Name: This will be the remote sites LAN so give it a recognisable name.
  • Type: Network
  • Network: The remote (behind the ASA) network i.e. 192.168.100.0/24
  • OK.

 

FDM VPN add Peer Object

Check the settings are correct > Next.

Cisco FTD 1010 VPN

I’m using IKEv2 (if your ASA is older than version 8.4 you will need to use IKEv1) > IKE Version 2 Globally Applied > Edit.

Cisco FTD IKEv2 VPN

Create new IKE Policy.

Cisco FTD IKEv2 Policy

 

  • Priority: 1
  • Name: S2S-IKEv2-Policy
  • Encryption: DES Really! (Why is that the default?) Remove DES and replace with AES256

I leave the rest of the settings as they are some people might not like Sha1 if you want to change it to sha254 for example then do so, but remember to change it on the IKEv2 policy on the ASA also. Also DON’T CONFUSE PRF with PFS, we will get the chance to set PFS later. > OK.

Cisco FTD IKEv2 AES256 Policy

IPsec Proposal > Edit.

Cisco FTD |PSec Policy

Add in AES-SHA > OK. 

Cisco FTD |PSec SHA

Enter (and confirm) the local and remote Pre-Shared Key (I usually set these the same, but they don’t have to be). Scroll down.

Cisco FTD VPN Shared Secret

  • Nat Exempt: inside
  • Diffie Helman Group for Perfect Forward Secrecy (PFS): Leave disabled.
  • Next

Cisco FTD VPN NAT Exemption

Review the settings > Finish.

Cisco FTD VPN Sumary

FTD VPN One Way VPN Traffic Warning!

At this point if you configure the ASA, the tunnel will come up, and if you’re behind the FTD everything will work. But If you’re behind the ASA and you want to talk to anything behind the FTD, it wont work. This confused me for a while, I could ping from my house to my servers at the DC but they could not ping me!

Resolution: What you need to do is (on the FTD) ALLOW traffic ‘inbound’ on the outside interface, for the subnet behind the ASA. (Yes that’s bobbins I know, it should do that for you, but at the moment it does not).

Policies > Access Control > Add.

Cisco FTD Allow VPN Traffic

  • Title: Allow-VPN-Traffic
  • Source Zone: outside_zone
  • Source Networks: The Network behind the ASA
  • Source Ports: ANY
  • Destination Zone: inside_zone
  • Destination Networks: ANY
  • Destination Ports/Protocols: ANY
  • OK

Cisco FTD VPN One Way

Pending changes > Deploy Now.

Cisco FTD VPN Save and Deploy

It can take a while to deploy, I recheck pending changes, and wait until it says it’s finished.

Cisco FTD VPN Check Deployment

Create ASA Config for VPN to Cisco FTD

I’ve covered Cisco ASA IKEv2 VPN configs elsewhere, so I’ll just post the config here and you can change the details (in red) and copy and paste it into your ASA.

object network OBJ-SITE-A
 subnet 192.168.100.0 255.255.255.0
object network OBJ-SITE-B
 subnet 10.254.254.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
!
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
!

Troubleshooting and debugging FTD VPN

All the traditional command line tools we used to use for VPN troubleshooting are available to you, you will need to SSH into the ‘Management Port’ before you can use them though! Or you can simply do the debugging and troubleshooting on the ASA!

Troubleshoot phase 1 (IKE)

show crypto isa
debug crypto ikev2 protocol

Troubleshoot phase 2 (IPSec)

show crypto ipsec sa
debug crypto ipsec 255

Related Articles, References, Credits, or External Links

NA

https://www.pete

Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *