Cisco FTD Site to Site VPN

KB ID 0001681


While working out how to create a VPN on the Cisco FTD (Firepower 1010), I thought I might as well set it up to the Cisco ASA that I have in the Data Center on my test network. This is what I’m connecting;

VPN FTD to Cisco ASA


Create Site to Site VPN On Cisco FTD (using FDM)

Using a web browser connect to the devices FDM > Site to Site VPN > View Configuration.

Cisco FTD Site to Site VPN from FDM

Create Site-to-site-connection.

FDM VPN Wizard Cisco

  • Connection profile name: Something sensible like VPN-To-HQ or VPN-To-Datacentre.
  • Local VPN Access Interface: outside.
  • Local Network: Crete new network.

FDM on FTD VPN Wizard Cisco

  • Name: This will be your local LAN so give it a recognisable name.
  • Type: Network
  • Network: Your local (behind the FTD) network i.e.
  • OK.

FDM VPN add Object

  • Remote IP Address: The public IP address of the other device (in my case the Cisco ASA).
  • Remote Network: Add
  • Crete new network

FDM VPN add Peer Detsils

  • Name: This will be the remote sites LAN so give it a recognisable name.
  • Type: Network
  • Network: The remote (behind the ASA) network i.e.
  • OK.


FDM VPN add Peer Object

Check the settings are correct > Next.

Cisco FTD 1010 VPN

I’m using IKEv2 (if your ASA is older than version 8.4 you will need to use IKEv1) > IKE Version 2 Globally Applied > Edit.


Create new IKE Policy.

Cisco FTD IKEv2 Policy


  • Priority: 1
  • Name: S2S-IKEv2-Policy
  • Encryption: DES Really! (Why is that the default?) Remove DES and replace with AES256

I leave the rest of the settings as they are some people might not like Sha1 if you want to change it to sha254 for example then do so, but remember to change it on the IKEv2 policy on the ASA also. Also DON’T CONFUSE PRF with PFS, we will get the chance to set PFS later. > OK.

Cisco FTD IKEv2 AES256 Policy

IPsec Proposal > Edit.

Cisco FTD |PSec Policy

Add in AES-SHA > OK. 

Cisco FTD |PSec SHA

Enter (and confirm) the local and remote Pre-Shared Key (I usually set these the same, but they don’t have to be). Scroll down.

Cisco FTD VPN Shared Secret

  • Nat Exempt: inside
  • Diffie Helman Group for Perfect Forward Secrecy (PFS): Leave disabled.
  • Next

Cisco FTD VPN NAT Exemption

Review the settings > Finish.

Cisco FTD VPN Sumary

FTD VPN One Way VPN Traffic Warning!

At this point if you configure the ASA, the tunnel will come up, and if you’re behind the FTD everything will work. But If you’re behind the ASA and you want to talk to anything behind the FTD, it wont work. This confused me for a while, I could ping from my house to my servers at the DC but they could not ping me!

Resolution: What you need to do is (on the FTD) ALLOW traffic ‘inbound’ on the outside interface, for the subnet behind the ASA. (Yes that’s bobbins I know, it should do that for you, but at the moment it does not).

Policies > Access Control > Add.

Cisco FTD Allow VPN Traffic

  • Title: Allow-VPN-Traffic
  • Source Zone: outside_zone
  • Source Networks: The Network behind the ASA
  • Source Ports: ANY
  • Destination Zone: inside_zone
  • Destination Networks: ANY
  • Destination Ports/Protocols: ANY
  • OK

Cisco FTD VPN One Way

Pending changes > Deploy Now.

Cisco FTD VPN Save and Deploy

It can take a while to deploy, I recheck pending changes, and wait until it says it’s finished.

Cisco FTD VPN Check Deployment

Create ASA Config for VPN to Cisco FTD

I’ve covered Cisco ASA IKEv2 VPN configs elsewhere, so I’ll just post the config here and you can change the details (in red) and copy and paste it into your ASA.

object network OBJ-SITE-A
object network OBJ-SITE-B
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123

Troubleshooting and debugging FTD VPN

All the traditional command line tools we used to use for VPN troubleshooting are available to you, you will need to SSH into the ‘Management Port’ before you can use them though! Or you can simply do the debugging and troubleshooting on the ASA!

Troubleshoot phase 1 (IKE)

show crypto isa
debug crypto ikev2 protocol

Troubleshoot phase 2 (IPSec)

show crypto ipsec sa
debug crypto ipsec 255

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On


  1. Hi Petenelive,

    I find your site super useful for finding solutions not found elsewhere.

    I am on your tutorial “Cisco FTD Site to Site VPN” and I am blocked at the level of “IKE Policy – Additional Options”. You selected “inside (Vlan1)”, but you don’t show how you created this section. Can you help me ?

    Thank you so much

    Post a Reply
  2. Pete,
    As always, great and informative help guide. You’re a great resource for a newby. Thank you.
    My question is this, once the Tunnel is built, is there a way to reset the tunnel through the FMC?

    The ASA makes this very easy with the “Logout” option inside the Monitoring section of the ASA but the FMC doesn’t seem to have the same kind of easy. I don’t have control of the other side of the tunnel or I would do something like that in my situation. Where I only have the FMC and need to bounce or reset the tunnel I’m not finding a way to do that.

    Thank you.

    Post a Reply
  3. My VPN connection is up, but for some reason, from the FTD network, I can only ping the ASA inside interface; I can’t access or ping anything but the ASA IP? From the ASA network, I can access the FTD and everything on this network?

    Post a Reply
    • These symptoms usually indicate a NAT problem?


      Post a Reply

Submit a Comment

Your email address will not be published.