topic Re: Firepower 1010 Unable to Connect to LAN Devices in Network Security

Firepower 1010 Unable to Connect to LAN Devices

mlandavazo — Wed, 17 Nov 2021 20:50:55 GMT

I've got a Firepower 1010 set up (FTD via FDM) as a remote VPN device and I am unable to see devices on the LAN when I connect to the VPN.

The device is connected to the LAN via the Management interface, where it is automatically assigned an IP address on the LAN by the management network. What do I need to do to see my LAN devices while connected to VPN>

Re: Firepower 1010 Unable to Connect to LAN Devices

Rob Ingram — Wed, 17 Nov 2021 20:55:38 GMT

@mlandavazo

You need to configure an Access Control rule from source "outside" to destination "inside" permitting traffic, you don't have that currently.

You also need a NAT exemption rule between the inside network and the outside (RAVPN) network that does not translate the traffic.

Re: Firepower 1010 Unable to Connect to LAN Devices

mlandavazo — Wed, 17 Nov 2021 21:08:09 GMT

@Rob Ingram Thank you, I had an Access Control rule like that in place but was still not able to connect, so NAT is most likely the issue. Is the attached rule what I should implement?

Re: Firepower 1010 Unable to Connect to LAN Devices

mlandavazo — Wed, 17 Nov 2021 21:14:42 GMT

@Rob Ingram I found some info on NAT Exempt rules and made the attached changes.

Re: Firepower 1010 Unable to Connect to LAN Devices

Rob Ingram — Wed, 17 Nov 2021 21:24:40 GMT

@mlandavazo I'm not sure what your intention is by using the diagnostic interface? The Diagnostic interface only allows management traffic, and does not allow through traffic.

Connect to a data interface, assign an IP address and ensure this is a member of the "inside_zone" zone, write your NAT and ACP rules referring to the "inside_zone".

Re: Firepower 1010 Unable to Connect to LAN Devices

mlandavazo — Wed, 17 Nov 2021 21:38:42 GMT

@Rob Ingram I wasn't aware that the management interface could not also be used to allow through traffic. I'll connect to a data interface and see what I can do.

Do you foresee any issues if I create a LAN network object and assign it the following IP range that our LAN uses? 192.168.0.0/16

Re: Firepower 1010 Unable to Connect to LAN Devices

mlandavazo — Wed, 17 Nov 2021 22:44:01 GMT

@Rob Ingram I removed an ethernet port from the bridge group, connected it to our LAN, and gave it an IP address. From here I can just create the rules you mentioned?

Re: Firepower 1010 Unable to Connect to LAN Devices

mlandavazo — Wed, 17 Nov 2021 23:59:15 GMT

@Rob Ingram Still cannot ping any local devices. I've attached my NAT rule, firewall access rule, and the network object I created for our LAN IP range. Attached pertinent RA VPN rules as well.