How to Configure a Site-to-Site VPN in Cisco FTD: A Step-by-Step Guide

Setting up a site-to-site VPN on Cisco Firepower Threat Defense (FTD) builds an authenticated, encrypted IPsec tunnel between two networks across the internet, so that hosts on each side reach the other as if they were on a private link. This guide walks through configuring a point-to-point site-to-site VPN between two FTD devices that are both managed by the same Firepower Management Center (FMC).

Prerequisites

  • Both sites have Cisco FTD devices registered to the same FMC; the VPN is configured and deployed from FMC, not on the device CLI.
  • The outside (public) IP address of each FTD is known and reachable from the other. IKE uses UDP 500, NAT traversal uses UDP 4500, and ESP is IP protocol 50; none of these may be filtered upstream.
  • The local and remote protected networks are known and do not overlap; overlapping address space needs NAT on top of the VPN and is out of scope here.
  • An authentication method has been agreed: a pre-shared key (FMC can generate one for both ends of a topology) or certificates.

Step-by-Step Configuration

1. Access Firepower Management Center (FMC)

  • Log in to the FMC web interface.

2. Configure Objects

IKE and IPsec Proposals:

  1. Navigate to Objects > Object Management.
  2. Under VPN, create an IKEv2 Policy (phase 1) and an IKEv2 IPsec Proposal (phase 2); IKEv1 Policy and IKEv1 IPsec Proposal objects exist for legacy peers only.
  3. Define the encryption, integrity and Diffie-Hellman parameters for both objects (the specific values are discussed under step 6).

Network Objects:

  1. Go to Objects > Object Management > Network.
  2. Create network objects (or a network group) for the local and remote protected networks. These become the tunnel's traffic selectors, so make them only as wide as the requirement demands.

3. Configure Site-to-Site VPN

  1. Navigate to Devices > VPN > Site to Site.
  2. Click on Add VPN > Firepower Threat Defense Device.

4. Add VPN Topology

  1. Topology Name: provide a name for the VPN topology and keep the Network Topology as Point to Point.
  2. Local End (Node A): select the local FTD device.
  3. Remote End (Node B): select the remote FTD device.

5. Configure VPN Settings

VPN Policy:

  1. IKE version: select IKEv2. Enable IKEv1 only when the remote peer cannot do IKEv2; it is the legacy protocol and should not be offered otherwise, since a peer may negotiate it.
  2. Authentication Type: pre-shared key (manual, or automatic if FMC is to generate one for the topology) or certificate. Then select the IKEv2 Policy and IKEv2 IPsec Proposal objects created earlier.

Endpoints:

  1. For each end, choose the interface that terminates the tunnel; its address is the peer IP the other side connects to. If either peer sits behind a NAT device, the tunnel will use NAT traversal on UDP 4500, which must be allowed end to end.
  2. Attach the local and remote protected network objects to the respective ends. Only traffic matching these selectors enters the tunnel, so a missing subnet here shows up later as "traffic goes out the internet instead of the VPN".

6. Configure IKE Settings

IKE Phase 1 Settings:

  1. These come from the IKEv2 Policy: encryption, integrity (hash), PRF, DH group and IKE SA lifetime (86400 seconds by default). Use AES-256 (or AES-GCM with a separate PRF), SHA-256 or stronger, and DH group 14 or an ECDH group (19, 20 or 21). Do not leave DES, 3DES, MD5, SHA-1 or DH groups 1, 2 and 5 in the policy, even as fallbacks: the negotiation picks a proposal both sides accept, so a weak entry that is present can be selected.

IKE Phase 2 Settings:

  1. These come from the IKEv2 IPsec Proposal: ESP encryption and integrity (AES-GCM is an AEAD cipher and needs no separate integrity algorithm), plus, on the topology's IPsec tab, Perfect Forward Secrecy with its DH group and the IPsec SA lifetime in seconds and kilobytes (28800 seconds by default). Enable PFS so every IPsec rekey runs a fresh DH exchange instead of reusing IKE keying material, and keep the IPsec lifetime shorter than the IKE lifetime.

7. Configure Advanced Settings (Optional)

NAT Exemptions:

  1. Create a NAT exemption (identity NAT) so tunnel traffic is not caught by the dynamic PAT rule that gives the site internet access: under Devices > NAT, add a manual NAT rule with original source = local network, original destination = remote network, translated source and destination unchanged, and place it above the PAT rule. Without it, packets to the remote network are PATed to the outside address and no longer match the tunnel's selectors, so they leave in the clear. On the rule's Advanced tab, "Do not proxy ARP on Destination Interface" and "Perform Route Lookup" are the usual settings for this rule.

Tunnel Options:

  1. Dead Peer Detection (DPD) so that SAs to a dead peer are torn down and renegotiated; NAT keepalives if a peer sits behind NAT; and, on the Advanced > Tunnel tab, whether decrypted VPN traffic bypasses the Access Control policy (sysopt permit-vpn). Leave the bypass off and write explicit access control rules for traffic between the two networks; otherwise the tunnel becomes an uninspected path into either site.
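Before deploying, it is worth checking the values entered in steps 2 to 7 against the caveats above. The following Python script is an added example, not code from the original guide and not part of FMC or FTD: it models the topology as plain dicts (the dict keys, the two sample designs and all addresses are constructed for illustration) and reports weak algorithms, IKEv1, proposal mismatches between the two ends, an IPsec lifetime that is not shorter than the IKE lifetime, and overlapping protected networks.

```python
"""Pre-deployment lint for an FTD site-to-site VPN design.

Added example, not part of the original guide or of Cisco's tooling. It models
the values entered in FMC (IKE/IPsec proposals, IKE version, protected
networks) as plain dicts and reports what a reviewer would reject. The dict
layout, both sample designs and every address are constructed for illustration.
"""
import ipaddress

# Options FMC still offers that should not be chosen for a new tunnel.
WEAK_ENCRYPTION = {"DES", "3DES", "NULL"}
WEAK_INTEGRITY = {"MD5", "SHA", "SHA1"}      # FMC labels SHA-1 as "SHA"
WEAK_DH_GROUPS = {1, 2, 5, 22, 23, 24}       # deprecated by RFC 8247


def _is_aead(encryption):
    """AES-GCM authenticates on its own, so a 'null' integrity is expected."""
    return "GCM" in encryption.upper()


def check_proposal(label, p):
    """Findings for one IKE (phase 1) or IPsec (phase 2) proposal.

    p = {"encryption", "integrity", "dh_group" (None = no PFS), "lifetime_s"}
    """
    findings = []
    enc, integ, group = p["encryption"].upper(), p["integrity"].upper(), p["dh_group"]
    if enc in WEAK_ENCRYPTION:
        findings.append(f"{label}: weak encryption {enc}")
    if integ in WEAK_INTEGRITY:
        findings.append(f"{label}: weak integrity {integ}")
    if integ in {"NULL", "NONE"} and not _is_aead(enc):
        findings.append(f"{label}: no integrity with non-AEAD cipher {enc}")
    if group is None:
        findings.append(f"{label}: no DH group (PFS disabled)")
    elif group in WEAK_DH_GROUPS:
        findings.append(f"{label}: weak DH group {group}")
    return findings


def _normalise(p):
    return (p["encryption"].upper(), p["integrity"].upper(), p["dh_group"])


def check_topology(t):
    """Lint a point-to-point topology: t = {"ike_version", "local", "remote"},
    each side = {"networks": [cidr, ...], "ike": proposal, "ipsec": proposal}."""
    findings = []
    if t["ike_version"] != 2:
        findings.append("topology: IKEv1 selected; use IKEv2 unless the peer cannot")
    for name, side in (("local", t["local"]), ("remote", t["remote"])):
        findings += check_proposal(f"{name} IKE", side["ike"])
        findings += check_proposal(f"{name} IPsec", side["ipsec"])
        if side["ipsec"]["lifetime_s"] >= side["ike"]["lifetime_s"]:
            findings.append(f"{name}: IPsec SA lifetime should be shorter than IKE SA lifetime")
    # Both ends must offer a common proposal, or IKE never completes.
    for phase in ("ike", "ipsec"):
        if _normalise(t["local"][phase]) != _normalise(t["remote"][phase]):
            findings.append(f"{phase}: local and remote proposals do not match")
    # Overlapping protected networks cannot be routed through the tunnel;
    # they need real NAT, not just a NAT exemption.
    for a in map(ipaddress.ip_network, t["local"]["networks"]):
        for b in map(ipaddress.ip_network, t["remote"]["networks"]):
            if a.overlaps(b):
                findings.append(f"networks: local {a} overlaps remote {b}")
    return findings


# Constructed "before" design: IKEv1, 3DES/SHA-1, DH group 2, no PFS,
# mismatched IPsec integrity and overlapping subnets.
WEAK_DESIGN = {
    "ike_version": 1,
    "local": {
        "networks": ["10.1.0.0/16"],
        "ike": {"encryption": "3DES", "integrity": "SHA", "dh_group": 2, "lifetime_s": 86400},
        "ipsec": {"encryption": "AES-128", "integrity": "SHA", "dh_group": None, "lifetime_s": 86400},
    },
    "remote": {
        "networks": ["10.1.128.0/17"],
        "ike": {"encryption": "3DES", "integrity": "SHA", "dh_group": 2, "lifetime_s": 86400},
        "ipsec": {"encryption": "AES-128", "integrity": "MD5", "dh_group": None, "lifetime_s": 86400},
    },
}

# Constructed "after" design: IKEv2, AES-256/SHA-256 with ECDH group 21 for IKE,
# AES-GCM-256 with PFS for IPsec, and distinct subnets on each side.
_IKE = {"encryption": "AES-256", "integrity": "SHA256", "dh_group": 21, "lifetime_s": 86400}
_IPSEC = {"encryption": "AES-GCM-256", "integrity": "NULL", "dh_group": 21, "lifetime_s": 28800}
HARDENED_DESIGN = {
    "ike_version": 2,
    "local": {"networks": ["10.1.0.0/16"], "ike": _IKE, "ipsec": _IPSEC},
    "remote": {"networks": ["10.2.0.0/16"], "ike": _IKE, "ipsec": _IPSEC},
}

if __name__ == "__main__":
    for name, design in (("weak", WEAK_DESIGN), ("hardened", HARDENED_DESIGN)):
        problems = check_topology(design)
        print(f"{name}: {len(problems)} finding(s)")
        for f in problems:
            print("  -", f)
```

The weak design produces fifteen findings and the hardened one none. Both ends here use the same proposal objects because both FTDs are managed by one FMC; the mismatch check earns its keep when the far end is a third-party device whose proposals are typed in by hand.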

8. Deploy Configuration

  1. Save the VPN configuration.
  2. Navigate to Deploy > Deployment.
  3. Select the devices and click Deploy to apply the changes.

9. Verify VPN Connection

  1. In FMC, open Devices > VPN > Site To Site and check the status shown for the topology (recent FMC releases also provide a Site to Site VPN dashboard with the same information across all devices).
  2. A tunnel is only reported up once IKE and IPsec SAs exist, and it is normally brought up by the first interesting traffic. Send a ping from a host inside the local network to a host inside the remote network; pinging from the FTD itself does not work, because its interface address is not covered by the tunnel's selectors.

Commands to Verify VPN Status

FTD CLI (SSH to the device):

  1. Use the command: show vpn-sessiondb detail l2l
  2. The output lists each LAN-to-LAN session with the negotiated IKE and IPsec algorithms, the protected networks (Local Addr / Remote Addr) and the Bytes Tx / Bytes Rx counters. A session that sends but never receives points at routing or a missing NAT exemption on the far side; no session at all means IKE never completed (check reachability on UDP 500/4500, the pre-shared key and the proposals). For the SA details use show crypto ikev2 sa and show crypto ipsec sa.

FMC Monitoring:

  1. Monitor the tunnel status in FMC and check the connection events (Analysis > Connections > Events) for traffic between the two networks, which confirms both that the tunnel carries traffic and that the access control rules allow it.
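To make the CLI check repeatable, the script below parses the output of show vpn-sessiondb detail l2l and flags the usual failure modes: no session to the expected peer, a protocol other than IKEv2, a missing IPsec SA for the expected networks, and a one-way tunnel (bytes sent, none received). It is an added example, not code from this guide or from Cisco. The sample output is constructed: the layout follows the FTD/ASA format, but every address, counter and timer is invented and real output may carry additional fields; the function names are this example's own.

```python
"""Parse and sanity-check `show vpn-sessiondb detail l2l` from the FTD CLI.

Added example, not part of the original guide or of Cisco's tooling. The sample
output is constructed: its layout follows the FTD/ASA format, but every address,
counter and timer is invented, and real output may carry additional fields.
"""
import ipaddress
import re

SAMPLE_OUTPUT = """\
Session Type: LAN-to-LAN Detailed

Connection   : 203.0.113.2
Index        : 7                      IP Addr      : 203.0.113.2
Protocol     : IKEv2 IPsec
Encryption   : IKEv2: (1)AES256  IPsec: (1)AES-GCM-256
Hashing      : IKEv2: (1)SHA256  IPsec: (1)none
Bytes Tx     : 184320                 Bytes Rx     : 0
Login Time   : 09:14:02 UTC Tue Jun 4 2024

IKEv2 Tunnels: 1
IPsec Tunnels: 1

IKEv2:
  Rem Auth Mode: preSharedKeys
  Loc Auth Mode: preSharedKeys
  Encryption   : AES256                 Hashing      : SHA256
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85639 Seconds
  PRF          : SHA256                 D/H Group    : 21

IPsec:
  Local Addr   : 10.1.0.0/255.255.0.0/0/0
  Remote Addr  : 10.2.0.0/255.255.0.0/0/0
  Encryption   : AES-GCM-256            Hashing      : none
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28039 Seconds
  Bytes Tx     : 184320                 Bytes Rx     : 0
"""

# One "Key : value" pair; a line may hold two, separated by a run of spaces.
_KV = re.compile(r"([A-Za-z][\w /()]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][\w /()]*?\s*:|\s*$)")


def parse_l2l_sessions(text):
    """One dict per peer: {"summary": {...}, "ikev2": {...}, "ipsec": [{...}, ...]}."""
    sessions, cur, block = [], None, "summary"
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Connection"):            # each L2L session starts here
            cur = {"summary": {}, "ikev2": {}, "ipsec": []}
            sessions.append(cur)
            block = "summary"
        if cur is None or not line:
            continue
        if not raw.startswith(" ") and line.endswith(":"):   # "IKEv2:" / "IPsec:" headers
            block = line[:-1].lower()
            if block == "ipsec":
                cur["ipsec"].append({})                       # one dict per IPsec SA pair
            continue
        pairs = {k.strip(): v.strip() for k, v in _KV.findall(line)}
        if block == "ipsec":
            cur["ipsec"][-1].update(pairs)
        else:
            cur.setdefault(block, {}).update(pairs)
    return sessions


def _selector(value):
    """'10.1.0.0/255.255.0.0/0/0' (addr/mask/proto/port) -> '10.1.0.0/16'."""
    if not value:
        return ""
    addr, mask = value.split("/")[:2]
    return str(ipaddress.ip_network(f"{addr}/{mask}"))


def check_tunnel(sessions, peer, local_net, remote_net):
    """Problems with the tunnel to `peer`; an empty list means it looks healthy."""
    want = (str(ipaddress.ip_network(local_net)), str(ipaddress.ip_network(remote_net)))
    found = [s for s in sessions if s["summary"].get("Connection") == peer]
    if not found:
        return [f"no LAN-to-LAN session to {peer}: IKE never completed "
                "(check reachability on UDP 500/4500, the PSK and the proposals)"]
    s, problems = found[0], []
    if not s["summary"].get("Protocol", "").startswith("IKEv2"):
        problems.append(f"{peer}: negotiated '{s['summary'].get('Protocol')}', expected IKEv2")
    selectors = {(_selector(t.get("Local Addr")), _selector(t.get("Remote Addr"))) for t in s["ipsec"]}
    if want not in selectors:
        problems.append(f"{peer}: no IPsec SA for {want[0]} <-> {want[1]}, only {sorted(selectors)}")
    for t in s["ipsec"]:
        tx, rx = int(t.get("Bytes Tx", 0)), int(t.get("Bytes Rx", 0))
        if tx and not rx:    # one-way tunnel: far-side routing or NAT exemption is wrong
            problems.append(f"{peer}: {tx} bytes sent to {_selector(t.get('Remote Addr'))} "
                            "but none received; check the remote side's routing and NAT exemption")
    return problems


if __name__ == "__main__":
    sessions = parse_l2l_sessions(SAMPLE_OUTPUT)
    for p in check_tunnel(sessions, "203.0.113.2", "10.1.0.0/16", "10.2.0.0/16") or ["tunnel healthy"]:
        print(p)
```

On the sample the session is up with the expected algorithms and selectors, but 184320 bytes have gone out and nothing has come back, which is the signature of a far side that routes the return traffic elsewhere or PATs it before the tunnel. To use it against a live device, paste the command output in place of SAMPLE_OUTPUT or read it from a file.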

Conclusion

By following these steps, you can successfully configure a site-to-site VPN on Cisco FTD using FMC, ensuring secure communication between two sites over the internet.
