topic Re: Cisco FMC/FTD - RAVPN - Need to route specific IPs via RAVPN in Network Security

Cisco FMC/FTD - RAVPN - Need to route specific IPs via RAVPN

shabeeb — Sat, 27 Jun 2020 17:51:58 GMT

Hi,

Once im connected to my RAVPN, I want to ensure traffic to a specific Public IP flows through my RAVPN tunnel at all times. Any advice?

TIA,

Shabeeb

Re: Cisco FMC/FTD - RAVPN - Need to route specific IPs via RAVPN

Rob Ingram — Sat, 27 Jun 2020 17:56:22 GMT

Hi,

How is your RAVPN configured?

if you are using full tunnel then all ip addresses will be tunnelled back to the FTD. If using split tunnel, then you should include the public IP address in the tunnel to ensure it is tunnelled back.

If the public IP address is actually hosted in the internet, then you will need a Nat rule from source outside to destination outside and Nat behind the outside interface.

HTH

Re: Cisco FMC/FTD - RAVPN - Need to route specific IPs via RAVPN

shabeeb — Sat, 27 Jun 2020 19:57:34 GMT

Hi Rob,

Im using split tunneling & these IPs are part of the permitted ACL group.

As you mentioned, these IPs are actually hosted on the internet. Let me do the NAT and check.

TIA,
Shabeeb

Re: Cisco FMC/FTD - RAVPN - Need to route specific IPs via RAVPN

Rob Ingram — Sat, 27 Jun 2020 20:19:50 GMT

Also, double check you’ve got a firewall rule permitting traffic to the internet

Re: Cisco FMC/FTD - RAVPN - Need to route specific IPs via RAVPN

shabeeb — Thu, 02 Jul 2020 06:22:33 GMT

Hi Rob,

Unfortunately its not working. I can see the traffic is being routed via the firewall successfully, but the service is not working.

To give you a little insight into what im trying to achieve - (attached a small drawing of the main components being used, just something i did in paint)

We have Microsoft SFB Federation services enabled between sip.local.com & sip.remote.com
Everything (including IM, Calls, Content sharing) works between My Local LAN & Remote Site
Everything (including IM, Calls, Content sharing) works between external users & Remote Site (i.e. since the SFB services are published outside, anyone in the internet can login to SFB & work)
Only IM works between My VPN Users & Remote Site
- Calls & Content sharing fails

My observations -

Remote site have enabled federation services to sip.local.com

This URL is NATted to our Edge DMZ
This Edge DMZ then has all the relevant routes to my local network & my vpn network
Hence, as far as local SFB Edge is concerned, it has successful routes to both (local & vpn) network

I tried to telnet sip.remote.com on port 5061 - the response is as below

My Local LAN - it works fine
Open internet from home (without VPN) - it works fine
VPN connected - it does not work

So as far as Remote Site is concerned, they are receiving the traffic successfully

i.e. if it comes from my Local Subnet, everything works fine.
but if it comes from my VPN Subnet, the routing issues comes into play
- Im suspecting there is no reverse route from Remote Site to my VPN subnet

Is my understanding correct???

TIA,

Shabeeb

Re: Cisco FMC/FTD - RAVPN - Need to route specific IPs via RAVPN

Rob Ingram — Thu, 02 Jul 2020 06:33:51 GMT

Is the traffic towards the SIP service NATTED behind the outside interface of the FW?
If so, then the RAVPN networks should appear from the same source IP address. If traffic it is routed, then you would need to ensure that the other end has a route back.

Run packet-tracer from the CLI and provide the output