topic Firepower 1010 cannot RDP in Network Security

Firepower 1010 cannot RDP

jjevans1 — Sat, 26 Nov 2022 18:08:57 GMT

Hello All,

I have setup VPN according to these instructions:

https://www.petenetlive.com/KB/Article/0001682

I have the default rule (Inside Zone Any Any to Outside Zone Any Any = Trust)

I have a just in case rule (Inside Zone Any Any to Inside Zone Any Any = Trust)

When I VPN in successfully and try to RDP to any PC’s on the local LAN (192.168.1.0/24) I cannot connect nor can I ping any of the internal IP addresses.

My VPN address is 192.168.1.250/24

What can I be missing?

Thank you for any insight,

Re: Firepower 1010 cannot RDP

Rob Ingram — Sat, 26 Nov 2022 18:14:37 GMT

@jjevans1 you probably need a NAT exemption rule to ensure your traffic from the internal network the RAVPN network is not unintentially translated. Example:

If that is not the case, please run packet-tracer from the CLI to simulate the traffic flow, provide the output for review.

Re: Firepower 1010 cannot RDP

jjevans1 — Sun, 27 Nov 2022 14:10:03 GMT

Thank you for your example it was very helpful. This issue I had was it will only accept a network under: IPv4 Split Tunneling Networks. I tried to make a range but it would only allow me to add a network not a range. I was hoping that would work since my VPN range is just a couple of IP’s.

VPN Pool range object: 192.168.1.250-.254

VPN Pool to: 192.168.1.250 - 192.168.1.254

Created NAT Exception Rule for VPN Pool according to your example.

I can ping the inside PC when connected to VPN but not RDP to that PC. I can RDP internally just not through VPN.

I ran packet tracer and it looks like everything it is allowed?? Output is attached.

packet-tracer input inside icmp 192.168.1.250 8 0 192.168.1.5

192.168.1.250 (VPN Pool)

192.168.1.5 (PC on Eth1/2 VLAN 1)

Anything else I can try or is there something I am not doing correctly?

Thank you for your insight,

Re: Firepower 1010 cannot RDP

Rob Ingram — Sun, 27 Nov 2022 14:07:15 GMT

@jjevans1 if you notice the packet-tracer output confirms the input and output interfaces are both "inside", which is technically accurate (because they overlap) but not what you want. Don't use the same network for the VPN pool, use another separate network that isn't the inside network, i.e. 192.168.2.0/24. You can then create a network object as 192.168.1.0/24 that represents the inside network and reference this in the split-tunnel configuration. Use these 2 unique networks in the NAT exemption rules.

Re: Firepower 1010 cannot RDP

MHM Cisco World — Sun, 27 Nov 2022 14:13:11 GMT

192.168.1.250 (VPN Pool)

192.168.1.5 (PC on Eth1/2 VLAN 1)
this not work at all,
the VPN pool must have different subnet than Inside hosts,
the VPN Pool IP will add to route table as connect direct via OUT not IN interface.

this is your issue I think

Re: Firepower 1010 cannot RDP

jjevans1 — Sun, 27 Nov 2022 15:27:12 GMT

Thank you all for your insight it is really appreciated. I have done the following:

Created New VPN Pool Network: 192.168.2.0/24 – Deleted the old

Added both Internal and VPN Pool to Group Policy and NAT Exempt.

Created two NAT exception rules: one for Internal Network and one for VPN Pool.

Ran packet tracer: packet-tracer input inside icmp 192.168.2.1 8 0 192.168.1.5

VPN Client = 192.168.2.1/24 Gateway of: 192.168.2.2

192.168.1.5 (PC on Eth1/2 VLAN 1)

Packet tracer shows allowed?

I cannot ping PC on inside. I feel like everything is in order and I am close but just missing one thing? I included snapshots to assist.

Re: Firepower 1010 cannot RDP

Rob Ingram — Sun, 27 Nov 2022 15:33:18 GMT

@jjevans1 the AnyConnect VPN network is on the OUTSIDE, not inside. So your packet-tracer is incorrect, the source interface would be OUTSIDE if the source is 192.168.2.0/24

Your split-tunnel is incorrect, you need to allow the internal network (192.168.1.0/24)

Re: Firepower 1010 cannot RDP

MHM Cisco World — Sun, 27 Nov 2022 15:35:59 GMT

waiting your new packet-tracer after you change the interface from inside to outside,
share packet-tracer here.

Re: Firepower 1010 cannot RDP

jjevans1 — Sun, 27 Nov 2022 15:56:03 GMT

Thank you all,

Changed the Split Tunneling to Allow. Nice catch! Different then on the PeteNetLive example.

Ran new packet trace which is attached.

It looks like the packet is dropped by the default rule on Phase 4. So I think I have to create an Access Control Rule for the VPN Traffic allowing ICMP and RDP???

I really appreciate your patience and insight.

Re: Firepower 1010 cannot RDP

MHM Cisco World — Sun, 27 Nov 2022 15:58:45 GMT

No need any ACL,
now use anyconnect user and ping inside and access RDP, all I see is OK now.
try and share result.

Re: Firepower 1010 cannot RDP

Rob Ingram — Sun, 27 Nov 2022 16:01:27 GMT

@jjevans1 your Access Control Policy is also incorrect, you don't have a rule from outside to inside.

You need to permit from outside (192.168.2.0/24) to inside (192.168.1.0/24) aswell as the rule from inside (192.168.1.0/24 to outside (192.168.2.0/24).

@MHM Cisco World you do need Access Control rules on FTD, VPN traffic is not permitted as default unlike the ASA.

Re: Firepower 1010 cannot RDP

MHM Cisco World — Sun, 27 Nov 2022 16:02:33 GMT

thanks

Re: Firepower 1010 cannot RDP

jjevans1 — Sun, 27 Nov 2022 16:05:25 GMT

AnyConnect User: 192.168.2.1

Cannot ping PC on inside: 192.168.1.5 (PC) or 192.168.1.1 (Inside interface VLAN 1)

Re: Firepower 1010 cannot RDP

jjevans1 — Sun, 27 Nov 2022 16:24:10 GMT

Created two new Access Rules: Allow VPN IN: Outside to Inside and Allow VPN Out: Inside to Outside.

Looks like ICMP was dropped in Phase 8 due to WEBVPN SVC in packet trace

Re: Firepower 1010 cannot RDP

Rob Ingram — Sun, 27 Nov 2022 16:26:51 GMT

@jjevans1 are you actually connected to the VPN on 192.168.2.1? If so use an IP address in the VPN pool that is not in use and try packet-tracer again - "packet-tracer input outside icmp 192.168.2.22 8 0 192.168.1.5" or just generate real traffic.

Re: Firepower 1010 cannot RDP

MHM Cisco World — Sun, 27 Nov 2022 16:29:31 GMT

totally right since your packet reach phase 8 then there is no issue except
in packet-tracer you must not use anyconnect active user IP
so as @Rob Ingram mention change IP or use real anyconnect

Re: Firepower 1010 cannot RDP

jjevans1 — Sun, 27 Nov 2022 16:39:55 GMT

Attached is new packet tracer from 192.168.2.22. I have a test machine that is connected to the VPN. It’s IP address is: 192.168.2.2/24 and it not able to ping 192.168.1.5 (PC)

Re: Firepower 1010 cannot RDP

Rob Ingram — Sun, 27 Nov 2022 16:41:39 GMT

@jjevans1 packet-tracer confirms it should now work, is there a local firewall on the PC blocking the ping?

Re: Firepower 1010 cannot RDP

jjevans1 — Sun, 27 Nov 2022 17:04:00 GMT

I rebooted the inside PC. There was some network connection conflict with all the changes I made in the FDM on that PC. I am now able to ping and RDP to is successfully. Your expertise really makes this community a great place. Thank you for all your insight. I have really learned a lot with your assistance. Thank you so much!