This document describes how to configure crypto map based failover for a backup Internet Service Provider (ISP) link using the Internet Protocol Service Level Agreement (IP SLA) track feature on the Firepower Threat Defense (FTD) managed by Firepower Management Center (FMC). It also explains how to configure Network Address Translation (NAT) exemption for the VPN traffic when there are two ISPs and a seamless failover is required.

Contributed by Amanda Nava, Cisco TAC Engineer.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

- Basic understanding of a Virtual Private Network (VPN)
- Experience with the Adaptive Security Appliance (ASA) command line

The information in this document is based on these software versions:

Note: The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any configuration change.

In this scenario, the VPN is established from the FTD towards the ASA as the VPN peer with only one ISP interface. The FTD uses one ISP link at a time to establish the VPN. When the primary ISP link goes down, the FTD takes over using the secondary ISP link through the SLA Monitor and the VPN is established. This is the topology used for the example throughout this document:

Configure the FTD

Step 1. Define the Primary and Secondary ISP Interfaces

1. Navigate to Devices > Device Management > Interfaces, as shown in the image.

Step 2. Define the VPN Topology for the Primary ISP Interface

1. Navigate to Devices > VPN > Site To Site. Under Add VPN, click Firepower Threat Defense Device, and create the VPN selecting the Outside interface.

Note: This document does not describe how to configure an S2S VPN from scratch. For more reference on S2S VPN configuration on FTD go to

Step 3. Define the VPN Topology for the Secondary ISP Interface

1. Navigate to Devices > VPN > Site To Site. Under Add VPN, click Firepower Threat Defense Device, and create the VPN selecting the Outside2 interface.

Note: The VPN configuration using the Outside2 interface must be exactly the same as the Outside VPN topology except for the VPN interface.

VPN topologies must be configured as shown in the image.

Step 4. Configure the SLA Monitor

1. Navigate to Objects > SLA Monitor > Add SLA Monitor.
2. Configure the SLA Monitor as shown in the image. For the SLA Monitor ID* field, use the next-hop IP address of the Outside interface.

Step 5. Configure the Static Routes using the SLA Monitor

1. Navigate to Devices > Routing > Static Route.
2. Select Add Route, and configure the default route for the Outside (primary) interface with the SLA Monitor information (created in Step 4) in the Route tracking field.
3. Configure the default route for the Outside2 (secondary) interface. The Metric value must be higher than that of the primary default route. No Route tracking field is needed in this section.

Routes must be configured as shown in the image.

Step 6. Configure the NAT Exemption

1. Navigate to Devices > NAT > NAT Policy and select the Policy that targets the FTD device.
2. Select Add Rule and configure a NAT exemption per ISP interface (Outside and Outside2). The NAT rules must be the same except for the Destination interface.

Note: For this scenario, both NAT rules require Route-lookup to be enabled. Otherwise the traffic would hit the first rule and would not follow the failover routes: if route lookup is not enabled, traffic is always sent through the Outside interface (the first NAT rule). With Route-lookup enabled, traffic always follows the routing table, which is controlled through the SLA Monitor.

Step 7. Configure the Access Control Policy for Interesting Traffic

1. Navigate to Policies > Access Control and select the Access Control Policy. In order to add a rule, click Add Rule, as shown in the image.
2. Configure one rule from the Inside zone to the Outside zones (Outside1 and Outside2) allowing the interesting traffic from 10.10.10.0/24 to 192.168.100.0/24.
3. Configure another rule from the Outside zones (Outside1 and Outside2) to the Inside zone allowing the interesting traffic from 192.168.100.0/24 to 10.10.10.0/24.

Configure the ASA

Note: For this specific scenario a backup peer is configured on the IKEv2 crypto map; this feature requires the ASA to be on version 9.14.1 or later. If your ASA is running an older version, use IKEv1 as a workaround. For more reference go to CSCud22276.

1. Enable IKEv2 on the outside interface of the ASA:
2. Create the IKEv2 Policy that defines the same parameters configured on the FTD:
3. Create a group-policy allowing the ikev2 protocol:
4. Create a tunnel group for each Outside FTD IP address (Outside1 and Outside2).
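The ASA-side steps above in working CLI form, as an added example that is not part of the original document. The FTD outside addresses (203.0.113.10 for Outside1, 198.51.100.10 for Outside2), the object names and the pre-shared key are constructed placeholders; the two LAN prefixes are the ones used throughout the document, and the IKE/IPsec parameters are assumed to match what was configured on the FTD topologies.

```asa
! Added example, not from the original document: ASA-side configuration for the
! scenario above. Names, addresses and the PSK are constructed placeholders:
!   FTD Outside1 = 203.0.113.10, FTD Outside2 = 198.51.100.10 (assumed)
!   ASA LAN = 192.168.100.0/24, FTD LAN = 10.10.10.0/24 (from the document)
!
! 1. Enable IKEv2 on the outside interface
crypto ikev2 enable outside
!
! 2. IKEv2 policy; must match the IKE parameters of the FTD VPN topologies
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
! 3. Group policy that allows the IKEv2 protocol
group-policy FTD_GP internal
group-policy FTD_GP attributes
 vpn-tunnel-protocol ikev2
!
! 4. One tunnel group per FTD outside address (Outside1 and Outside2)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy FTD_GP
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key EXAMPLE_PSK_CHANGE_ME
 ikev2 local-authentication pre-shared-key EXAMPLE_PSK_CHANGE_ME
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 general-attributes
 default-group-policy FTD_GP
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key EXAMPLE_PSK_CHANGE_ME
 ikev2 local-authentication pre-shared-key EXAMPLE_PSK_CHANGE_ME
!
! 5. Interesting traffic, IPsec proposal and the crypto map; the second address
!    in "set peer" is the backup peer (IKEv2 multi-peer needs ASA 9.14.1+)
access-list VPN_TO_FTD extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal AES256_SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE_MAP 10 match address VPN_TO_FTD
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256_SHA256
crypto map OUTSIDE_MAP interface outside
```

The ASA also needs its own NAT exemption for 192.168.100.0/24 to 10.10.10.0/24, which is not shown here.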