
FPR1010 site to site VPN with full tunnel

Hi All

I am reaching out to seek assistance with the configuration of our Cisco FPR101 firewalls in two different locations managed by FMC. Currently, I have successfully set up Site-to-Site VPN between the firewalls, allowing communication between the internal subnets.

However, we are facing a challenge as the VPN is currently restricting traffic to the internal subnets only, and we would like to configure it in a way that allows all traffic to flow through to the destination firewall (Firewall at Location B).

Here are some key details about our current setup:

  • We have two Cisco FPR101 firewalls located at different sites and managed by Cisco FMC.
  • Each firewall has its own internet access.
  • The Site-to-Site VPN has been established successfully.
  • Currently, the VPN allows communication between the internal subnets only.

We would appreciate your guidance on how to configure the firewalls to allow all traffic to pass through the Site-to-Site VPN to the Firewall at Location B.

If possible, could you provide step-by-step instructions or any relevant documentation that will help us achieve this configuration? Additionally, if there are specific access control policies or NAT configurations that need to be adjusted, please provide guidance on those aspects as well.

Thanks


9 Replies

All destinations via S2S VPN:
you can use a remote LAN object with 0.0.0.0 (ANY).
MHM

Thanks for your reply

Is it possible to set up a full-tunnel site-to-site VPN for one specific subnet in Location A, while leaving the other two subnets unaffected?

There is a LOCAL and a REMOTE LAN.
Configure your LOCAL LAN object with one subnet and configure the Remote LAN with 0.0.0.0 or ANY.

NOTE: you must make sure that routing is via one interface.
MHM
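
As an added illustration (not from the thread), a simplified model of how the two protected-network objects act as IPsec traffic selectors: with Node B set to 0.0.0.0/0, only the one chosen Location A subnet is full-tunneled, the other two subnets are untouched, and traffic routed out of a non-VPN interface never reaches the crypto policy at all (the routing note above). The subnets, flows and interface names are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology: Location A has three inside subnets and a single
# ISP link, so the only route pointing at the VPN interface is the default route.
LOCAL_SUBNETS = [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24"), ip_network("10.1.3.0/24")]
ROUTES = [(net, "inside") for net in LOCAL_SUBNETS] + [(ip_network("0.0.0.0/0"), "outside")]

# Two FMC topology variants: protected networks of Node A (local) and Node B (remote).
# SPLIT_TUNNEL is the "internal subnets only" setup; FULL_TUNNEL uses ANY on Node B.
SPLIT_TUNNEL = {"local": [ip_network("10.1.1.0/24")], "remote": [ip_network("10.2.0.0/24")]}
FULL_TUNNEL = {"local": [ip_network("10.1.1.0/24")], "remote": [ip_network("0.0.0.0/0")]}


def egress_interface(dst):
    """Longest-prefix match over the connected and static routes."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def is_tunneled(topology, src, dst):
    """Simplified model: the crypto policy is only consulted for traffic that the
    routing table sends out of the interface where the tunnel terminates."""
    src, dst = ip_address(src), ip_address(dst)
    if egress_interface(dst) != "outside":
        return False  # local-to-local traffic stays on 'inside', never encrypted
    return any(src in n for n in topology["local"]) and any(dst in n for n in topology["remote"])


def classify(topology, flows):
    """Return {'src->dst': tunneled?} for each (src, dst) pair."""
    return {f"{s}->{d}": is_tunneled(topology, s, d) for s, d in flows}


# Constructed flows: remote LAN, Internet from the tunneled subnet, Internet from
# an untouched subnet, and traffic between two Location A subnets.
FLOWS = [("10.1.1.10", "10.2.0.5"), ("10.1.1.10", "8.8.8.8"),
         ("10.1.2.10", "8.8.8.8"), ("10.1.1.10", "10.1.3.20")]

if __name__ == "__main__":
    for name, topo in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        for flow, tunneled in classify(topo, FLOWS).items():
            print(f"{name:5} {flow:25} {'VPN' if tunneled else 'clear'}")
```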

May I know where the LOCAL and REMOTE LAN objects are?

Is it necessary to create LOCAL and REMOTE LAN objects and configure a static route?

Thanks

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html

Follow this guide to configure the local and remote LAN.

For the static route: do you have a default route in your FPR?

MHM

Yes, both FPR have default route.

Then there is no need for a static route, since you have only one ISP and one default route.

MHM

Thanks, I am still confused about the local and remote LAN.

May I know, is this the section about the local and remote LAN objects?
Capture.JPG

Did you check the guide I shared? Please double check.
Click the plus sign to add Node A and Node B;
after clicking it, a new window opens where you can select the protected LAN.
NODE-A is your FPR end and its protected LAN is your local LAN.
NODE-B is the remote end and its protected LAN is the remote LAN.

MHM