topic Re: RAVPN for FTD in Network Security

RAVPN for FTD

Azlan.my07 — Tue, 20 Sep 2022 02:19:02 GMT

Hello everyone,

I deployed a Cisco FTD using FDM and enabled VPN access to our internal network. I proceeded step by step, initiating with enabling smart license VPN.

I'm using local identity as a user logon, an internal certificate, split tunneling, and an IP pool assignment, and when I tried to connect to the VPN, it failed with errors "The connection attempt has timed out. Please check your internet connectivity."

For your information, I have a public IP with subnet /28 and I have configured NAT to access the web server using another IP rather than the same IP with VPN, the web server can be accessed without issue.

below is our NAT statement, web server IP 20x.xx4.x2.19 and interface IP for VPN is 20x.xx4.x2.18

nat (outside,inside) source static any any destination static websvr_20x.xx4.x2.19 webserver_10.100.100.2
!
object network IPv4-Private-10.0.0.0-8
nat (inside,outside) static interface

FTD version : 7.0.4

FPR model : 1150

Thank you in advance for your help.

Re: RAVPN for FTD

Sherry Pang — Mon, 17 Oct 2022 07:09:27 GMT

Hi Azlan, could I know which document did you refer to? Please share the link let me know more about what kind of VPN(Remote access VPN or L2L VPN) you are setting.

And please check the network connectivity with 20x.xx4.x2.18.

Re: RAVPN for FTD

Sherry Pang — Mon, 17 Oct 2022 08:04:32 GMT

Sorry, I noted that you are using RAVPN, please share the configuration guide you are referring to. You mentioned web server, is it used for VPN?

Re: RAVPN for FTD

Marvin Rhoads — Mon, 17 Oct 2022 16:56:21 GMT

First, your NAT for 10.0.0.0-8 is incorrect. It should be dynamic, not static. As a static NAT, it may be taking up a connection on port 443 which would "break" the VPN in the way you are seeing.

Fix that and then, if you browse to the FTD's outside address using https, do you see the VPN login portal page?

Re: RAVPN for FTD

Azlan.my07 — Tue, 18 Oct 2022 01:51:01 GMT

Hi Sherry,

I'm referring this guide > https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215532-configure-remote-access-vpn-on-ftd-manag.html

Web server actually from our user access to the internal server, not for VPN.

Re: RAVPN for FTD

Azlan.my07 — Tue, 18 Oct 2022 01:53:15 GMT

Hi Marvin,

Thanks for your reply. Do you mean change type from Static to Dynamic? or source IP change to any? below is screenshot our outgoing NAT.

Thanks

Re: RAVPN for FTD

Marvin Rhoads — Tue, 18 Oct 2022 07:05:25 GMT

@Azlan.my07 change the type of NAT to Dynamic and deploy.

Re: RAVPN for FTD

Azlan.my07 — Wed, 19 Oct 2022 14:38:19 GMT

@Marvin Rhoads Thank you so much, Marvin, it now works after changing to Dynamic. Thank you for helping, I'm glad learn something today.

Re: RAVPN for FTD

Marvin Rhoads — Wed, 19 Oct 2022 14:48:47 GMT

You're welcome.

As a general rule, static NAT is only for 1-1 mapping of an inside address to an outside address.