https://community.cisco.com/t5/network-security/route-remote-vpn-users-back-out-firewall-for-specific-subnets/m-p/4758172#M1096997 <P>there are different between asa and ftd, asa allow vpn by default,</P><P>ftd need allow acl for vpn.</P> Fri, 20 Jan 2023 11:23:39 GMT MHM Cisco World 2023-01-20T11:23:39Z https://community.cisco.com/t5/network-security/route-remote-vpn-users-back-out-firewall-for-specific-subnets/m-p/4758169#M1096996 <P>Hello all,</P><P>Currently trying to enable our Remote VPN users to route through our primary site and back out for specific subnets. We're using a FTD 2110 running 6.6.5 managed by an FMC running 6.6.5.2</P><P>i added the desired subnets to the split-tunnel ACL and added a few variants of NAT (OUTSIDE VPN subnet to OUTSIDE subnet)</P><P>I've gotten to this to work on our ASA with hairpinning before but not sure how the FTD handles it.</P><P>Thanks!</P> Thu, 19 Jan 2023 22:05:01 GMT https://community.cisco.com/t5/network-security/route-remote-vpn-users-back-out-firewall-for-specific-subnets/m-p/4758169#M1096996 cparkelnp 2023-01-19T22:05:01Z https://community.cisco.com/t5/network-security/route-remote-vpn-users-back-out-firewall-for-specific-subnets/m-p/4758172#M1096997 <P>there are different between asa and ftd, asa allow vpn by default,</P><P>ftd need allow acl for vpn.</P> Fri, 20 Jan 2023 11:23:39 GMT https://community.cisco.com/t5/network-security/route-remote-vpn-users-back-out-firewall-for-specific-subnets/m-p/4758172#M1096997 MHM Cisco World 2023-01-20T11:23:39Z https://community.cisco.com/t5/network-security/route-remote-vpn-users-back-out-firewall-for-specific-subnets/m-p/4758488#M1096999 <P>Hi ,<BR /><BR />Could you please confirm on the following points if you have already configured?<BR /><BR />1- Did you bypass the NAT rules for Remote Access VPN's traffic ? ( NAT Exemption should be there for the source or inside interface)<BR />2- Did you ensure the routing of the traffic ? Is it colliding with any other routes in the table and not taking the precedence?<BR />3- Is your DNS flow complete and configured correctly?<BR />4- For split tunneling, you need to by pass the irrelevant traffic and pass only the intended traffic to the specific internal network via the tunnel.<BR /><BR /></P> <P>Regards.</P> Fri, 20 Jan 2023 07:15:54 GMT https://community.cisco.com/t5/network-security/route-remote-vpn-users-back-out-firewall-for-specific-subnets/m-p/4758488#M1096999 Syed Hassan Shah 2023-01-20T07:15:54Z https://community.cisco.com/t5/network-security/route-remote-vpn-users-back-out-firewall-for-specific-subnets/m-p/4758674#M1097006 <P>Without seeing your configuration it is difficult to pinpoint where the issue is.&nbsp; But a few things to verify you have configured correctly:</P> <UL> <LI>verify that the twice NAT statement is correct, i.e. the source and destination translations are correct, or that the dynamic NAT for the VPN users is correct.</LI> <LI>verify if you need to add an access-list to allow this traffic. on the CLI issue the command <STRONG>show run sysopt</STRONG>&nbsp; If this is disabled (no sysopt connection permit-vpn) then you need to add an access-list allowing this VPN traffic on the outside interface.</LI> </UL> Fri, 20 Jan 2023 12:17:10 GMT https://community.cisco.com/t5/network-security/route-remote-vpn-users-back-out-firewall-for-specific-subnets/m-p/4758674#M1097006 Marius Gunnerud 2023-01-20T12:17:10Z