topic Re: FirePower Routing in Network Security

FirePower Routing

Shultz777 — Wed, 15 Jun 2022 17:15:20 GMT

I have a lab were I am trying to get VPN AnyConnect traffic to access a server on vlan 10 of the inside network. But it wont reach the server, I can access everything on Vlan 1. The server can ping and traceroute to the VPN client, VPN client cannot ping and tracert fails at first hop.

I have sub interface on Firepower for VLAN's on inside interface from what I understand that creates a trunk port for Firepower devices.

I have Nat rules in place and added Vlan address to ACL for VPN traffic.

IP schema:

VPN - 10.10.101.0/24 (Vlan 1 can access / Vlan 10 can reach)

VLAN10 - 192.168.10.0/24 (All Vlans can reach on internal network, VPN cannot reach)

VLAN1 - 192.168.1.0/24 (VPN can access both ways)

Not sure what I am missing??

Re: FirePower Routing

balaji.bandi — Wed, 15 Jun 2022 17:17:42 GMT

wht you see in the Logs, when the VPN user try to access server, what you see in the Logs ?

Just thinking, you may not have ACL in place from VPN IP address to Server IP (this just guess)

Re: FirePower Routing

MHM Cisco World — Wed, 15 Jun 2022 17:20:50 GMT

In fw you need

Static route toward the interface connect to vlan 10

In other side you need static route of anyconnect pool to interface of FW

Re: FirePower Routing

Mohammed al Baqari — Wed, 15 Jun 2022 18:01:19 GMT

Hi,

Have you created nonat rules in firepower for vlan 10 to reach the vpn pool
without natting.? You need to create twice nat to ensure source and
destination are not changed with connecting from vpn to vlan 10 (don't use
no-proxy or routing options)

***** please remember to rate useful posts

Re: FirePower Routing

Shultz777 — Wed, 15 Jun 2022 18:16:28 GMT

I don't see anything in the logs on firepower or Anyconnect about failed connections. I added the VLan address to same ACL that connects Vlan 1 to VPN still no connection.