https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4108398#M1071372 <P>Assuming the "normally routed" subnets also need to transit the VPN to reach the remote site, you would require Policy-based routing (PBR). Normal routing is based on the destination address. You need to add the source address in the criteria.</P> <P>Here's a decent guide that steps you through how to do it:</P> <P><A href="https://www.slideshare.net/redouanemeddane/policybased-routing-using-flexconfig-firepower-threat-defense" target="_blank">https://www.slideshare.net/redouanemeddane/policybased-routing-using-flexconfig-firepower-threat-defense</A></P> <P>(The Cisco configuration guide is a bit weak in this area.)</P> Wed, 24 Jun 2020 01:37:39 GMT Marvin Rhoads 2020-06-24T01:37:39Z https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4108396#M1071371 <P>What needs to happen to route all internet traffic through a site to site tunnel with the exception of a couple of subnets that should route normally? This is utilizing the Firepower 4100 platform.&nbsp;</P> Wed, 24 Jun 2020 01:30:54 GMT https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4108396#M1071371 Scott_22 2020-06-24T01:30:54Z https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4108398#M1071372 <P>Assuming the "normally routed" subnets also need to transit the VPN to reach the remote site, you would require Policy-based routing (PBR). Normal routing is based on the destination address. You need to add the source address in the criteria.</P> <P>Here's a decent guide that steps you through how to do it:</P> <P><A href="https://www.slideshare.net/redouanemeddane/policybased-routing-using-flexconfig-firepower-threat-defense" target="_blank">https://www.slideshare.net/redouanemeddane/policybased-routing-using-flexconfig-firepower-threat-defense</A></P> <P>(The Cisco configuration guide is a bit weak in this area.)</P> Wed, 24 Jun 2020 01:37:39 GMT https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4108398#M1071372 Marvin Rhoads 2020-06-24T01:37:39Z https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4108679#M1071394 <P>This is perfect! If I'm using this for VPN traffic, is the route-map still assigned to the outside interface used to establish the tunnel? Also, is a 2nd rule needed to route all other traffic normally, or does a single rule suffice?&nbsp;</P> Wed, 24 Jun 2020 12:24:54 GMT https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4108679#M1071394 Scott_22 2020-06-24T12:24:54Z https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4109384#M1071424 <P>After discussing this with TAC, it was determined that the best method is as follows:&nbsp;</P><P>&nbsp;</P><P>Create an extended ACL with the following two entries:&nbsp;</P><P>&nbsp;</P><P>1. Deny - Denies traffic that should be routed from the source to destination traffic through normal means</P><P>2. Allow - Allows all traffic that is not denied access to traverse the tunnel</P><P>&nbsp;</P><P>This ACL is then applied to the Site to Site tunnel - think crypto map ACL in ASA code.</P><P>&nbsp;</P><P>We are working to deploy this configuration now and I will post my results.&nbsp;</P> Thu, 25 Jun 2020 16:00:36 GMT https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4109384#M1071424 Scott_22 2020-06-25T16:00:36Z https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4125696#M1072320 <P>how you can make this ACL on FTD</P> Sun, 26 Jul 2020 13:08:40 GMT https://community.cisco.com/t5/network-security/route-internet-through-vpn-ftd/m-p/4125696#M1072320 mohamed_farok 2020-07-26T13:08:40Z