Cisco FTD Site to Site VPN

KB ID 0001681

Problem

While working out how to create a VPN on the Cisco FTD (Firepower 1010), I thought I might as well set it up to the Cisco ASA that I have in the Data Center on my test network. This is what I’m connecting;

VPN FTD to Cisco ASA

 

Create Site to Site VPN On Cisco FTD (using FDM)

Using a web browser connect to the devices FDM > Site to Site VPN > View Configuration.

Cisco FTD Site to Site VPN from FDM

Create Site-to-site-connection.

FDM VPN Wizard Cisco

  • Connection profile name: Something sensible like VPN-To-HQ or VPN-To-Datacentre.
  • Local VPN Access Interface: outside.
  • Local Network: Crete new network.

FDM on FTD VPN Wizard Cisco

  • Name: This will be your local LAN so give it a recognisable name.
  • Type: Network
  • Network: Your local (behind the FTD) network i.e. 10.254.254.0/24
  • OK.

FDM VPN add Object

  • Remote IP Address: The public IP address of the other device (in my case the Cisco ASA).
  • Remote Network: Add
  • Crete new network

FDM VPN add Peer Detsils

  • Name: This will be the remote sites LAN so give it a recognisable name.
  • Type: Network
  • Network: The remote (behind the ASA) network i.e. 192.168.100.0/24
  • OK.

 

FDM VPN add Peer Object

Check the settings are correct > Next.

Cisco FTD 1010 VPN

I’m using IKEv2 (if your ASA is older than version 8.4 you will need to use IKEv1) > IKE Version 2 Globally Applied > Edit.

Cisco FTD IKEv2 VPN

Create new IKE Policy.

Cisco FTD IKEv2 Policy

 

  • Priority: 1
  • Name: S2S-IKEv2-Policy
  • Encryption: DES Really! (Why is that the default?) Remove DES and replace with AES256

I leave the rest of the settings as they are some people might not like Sha1 if you want to change it to sha254 for example then do so, but remember to change it on the IKEv2 policy on the ASA also. Also DON’T CONFUSE PRF with PFS, we will get the chance to set PFS later. > OK.

Cisco FTD IKEv2 AES256 Policy

IPsec Proposal > Edit.

Cisco FTD |PSec Policy

Add in AES-SHA > OK. 

Cisco FTD |PSec SHA

Enter (and confirm) the local and remote Pre-Shared Key (I usually set these the same, but they don’t have to be). Scroll down.

Cisco FTD VPN Shared Secret

  • Nat Exempt: inside
  • Diffie Helman Group for Perfect Forward Secrecy (PFS): Leave disabled.
  • Next

Cisco FTD VPN NAT Exemption

Review the settings > Finish.

Cisco FTD VPN Sumary

FTD VPN One Way VPN Traffic Warning!

At this point if you configure the ASA, the tunnel will come up, and if you’re behind the FTD everything will work. But If you’re behind the ASA and you want to talk to anything behind the FTD, it wont work. This confused me for a while, I could ping from my house to my servers at the DC but they could not ping me!

Resolution: What you need to do is (on the FTD) ALLOW traffic ‘inbound’ on the outside interface, for the subnet behind the ASA. (Yes that’s bobbins I know, it should do that for you, but at the moment it does not).

Policies > Access Control > Add.

Cisco FTD Allow VPN Traffic

  • Title: Allow-VPN-Traffic
  • Source Zone: outside_zone
  • Source Networks: The Network behind the ASA
  • Source Ports: ANY
  • Destination Zone: inside_zone
  • Destination Networks: ANY
  • Destination Ports/Protocols: ANY
  • OK

Cisco FTD VPN One Way

Pending changes > Deploy Now.

Cisco FTD VPN Save and Deploy

It can take a while to deploy, I recheck pending changes, and wait until it says it’s finished.

Cisco FTD VPN Check Deployment

Create ASA Config for VPN to Cisco FTD

I’ve covered Cisco ASA IKEv2 VPN configs elsewhere, so I’ll just post the config here and you can change the details (in red) and copy and paste it into your ASA.

object network OBJ-SITE-A
 subnet 192.168.100.0 255.255.255.0
object network OBJ-SITE-B
 subnet 10.254.254.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
!
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
!

Troubleshooting and debugging FTD VPN

All the traditional command line tools we used to use for VPN troubleshooting are available to you, you will need to SSH into the ‘Management Port’ before you can use them though! Or you can simply do the debugging and troubleshooting on the ASA!

Troubleshoot phase 1 (IKE)

show crypto isa
debug crypto ikev2 protocol

Troubleshoot phase 2 (IPSec)

show crypto ipsec sa
debug crypto ipsec 255

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

9 Comments

  1. Hi Petenelive,

    I find your site super useful for finding solutions not found elsewhere.

    I am on your tutorial “Cisco FTD Site to Site VPN” and I am blocked at the level of “IKE Policy – Additional Options”. You selected “inside (Vlan1)”, but you don’t show how you created this section. Can you help me ?

    Thank you so much
    Hacen

    Post a Reply
  2. Pete,
    As always, great and informative help guide. You’re a great resource for a newby. Thank you.
    My question is this, once the Tunnel is built, is there a way to reset the tunnel through the FMC?

    The ASA makes this very easy with the “Logout” option inside the Monitoring section of the ASA but the FMC doesn’t seem to have the same kind of easy. I don’t have control of the other side of the tunnel or I would do something like that in my situation. Where I only have the FMC and need to bounce or reset the tunnel I’m not finding a way to do that.

    Thank you.
    Dave

    Post a Reply
  3. My VPN connection is up, but for some reason, from the FTD network, I can only ping the ASA inside interface; I can’t access or ping anything but the ASA IP? From the ASA network, I can access the FTD and everything on this network?

    Post a Reply
    • These symptoms usually indicate a NAT problem?

      P

      Post a Reply
  4. Hi Pete,
    is it possible to use asdm for site to site vpn on fpr1010?

    i had setup one between fpr1010 and asa5506 but can’t seem to ping on either sides and if i do packettracing, the asa side worked and it brings up the tunnels but on the fpr1010, the packet tracer keeps pointing to the access list which i compared with the asa and all checked out… can you recommend something to check? i have re done the tunnels twice same issue. thank you so much.
    herman

    Post a Reply
    • >>is it possible to use asdm for site to site vpn on fpr1010?

      If it’s running ASA code? – the FPR can run FDM or ASA?

      Post a Reply
  5. Pete,
    Thank you for this article. You have saved me more time than I care to admit and again here you do it again. I missed one step in allowing the VPN Traffic from the outside and here you had it laid out easy to follow. Thanks for writing these guides. You are doing a good work.

    Cheers.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *