<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: FTD: Access outside interface from inside? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194129#M1115743</link>
    <description>&lt;P&gt;The guest network does not have access to our internal network. It is just for internet access for guests or for users who want to use AnyConnect instead of wireless 802.1x, so they can keep AnyConnect always running whether they work from home, abroad or in the office.&lt;/P&gt;&lt;P&gt;I'm looking for a solution to provide that functionality without using separate firewalls: separate interfaces for the guest network and the inside network on the same firewall.&lt;/P&gt;</description>
    <pubDate>Fri, 13 Sep 2024 07:12:22 GMT</pubDate>
    <dc:creator>Network Diver</dc:creator>
    <dc:date>2024-09-13T07:12:22Z</dc:date>
    <item>
      <title>FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194099#M1115736</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Is it possible on FTD to access a public IP assigned to the outside interface from the inside network? We have the use case where users are using AnyConnect and want to access the VPN peer from a guest network provided by the firewall. As they switch often between home office and real office and keep their notebook in standby, AnyConnect keeps running and has cached the IP address of the VPN peer.&lt;/P&gt;&lt;P&gt;On ASA we're using multiple contexts for this: one for AnyConnect and a second one for outbound internet traffic.&lt;/P&gt;&lt;P&gt;Is this possible on FTD without using contexts or separate physical boxes? For branch offices this would require two HA pairs of FTD 1000 series. We've had so many software bugs and feature limitations with multiple contexts on ASA that I don't want to have multiple contexts anymore on next generation firewalls.&lt;/P&gt;&lt;P&gt;I've learned that the FTD 3100 series and higher can run FTD as docker containers (multi-instance mode), but that's oversized for a branch office internet edge firewall. One box costs about the same as a car.&lt;/P&gt;&lt;P&gt;Thanks in advance,&lt;/P&gt;&lt;P&gt;Bernd&lt;/P&gt;</description>
      <pubDate>Fri, 13 Sep 2024 04:51:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194099#M1115736</guid>
      <dc:creator>Network Diver</dc:creator>
      <dc:date>2024-09-13T04:51:24Z</dc:date>
    </item>
    <item>
      <title>Re: FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194107#M1115737</link>
      <description>&lt;P&gt;You can simply run webvpn on the inside interface.&lt;/P&gt;
&lt;P&gt;This makes it possible for internal users to use AnyConnect to access other zones in FTD.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Fri, 13 Sep 2024 05:56:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194107#M1115737</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-09-13T05:56:58Z</dc:date>
    </item>
    <item>
      <title>Re: FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194116#M1115738</link>
      <description>&lt;P&gt;I know. But AnyConnect caches the public IP address of the VPN peer when connecting from outside. If the internal DNS entry for the VPN peer uses the inside address, the AnyConnect daemon or the notebook needs to be restarted to resolve to the different IP. That's too inconvenient for our users.&lt;/P&gt;&lt;P&gt;The guest network uses public DNS servers and just does dynamic NAT to a public IP. In the past we used little ASA firewalls for the guest network to be able to provide that functionality, until they got replaced with ASA-X and multiple contexts. I hoped that FTD in the meantime is clever enough to allow accessing outside interface IPs from inside. Maybe a NAT rule that maps the public IP to the inside IP when the request comes from inside?&lt;/P&gt;</description>
      <pubDate>Fri, 13 Sep 2024 06:42:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194116#M1115738</guid>
      <dc:creator>Network Diver</dc:creator>
      <dc:date>2024-09-13T06:42:53Z</dc:date>
    </item>
    <item>
      <title>Re: FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194120#M1115740</link>
      <description>&lt;P&gt;FTD also uses hairpin NAT:&lt;BR /&gt;inside NATing to a public IP when inside tries to access outside,&lt;BR /&gt;if that is what you are looking for.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://integratingit.wordpress.com/2021/07/11/ftd-nat-reflection/" target="_blank"&gt;https://integratingit.wordpress.com/2021/07/11/ftd-nat-reflection/&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Fri, 13 Sep 2024 06:47:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194120#M1115740</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-09-13T06:47:02Z</dc:date>
    </item>
    <item>
      <title>Re: FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194122#M1115741</link>
      <description>&lt;P&gt;Thanks. I have to try whether that works to direct traffic from the inside network requesting the public interface IP to the inside interface IP, and to enable webvpn on the inside interface as well.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;nat (inside,inside) source static Internal-LAN interface destination static asa-outside-ip asa-inside-ip

webvpn
  enable outside
  enable inside
  ...&lt;/LI-CODE&gt;</description>
      <pubDate>Fri, 13 Sep 2024 06:57:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194122#M1115741</guid>
      <dc:creator>Network Diver</dc:creator>
      <dc:date>2024-09-13T06:57:38Z</dc:date>
    </item>
    <item>
      <title>Re: FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194127#M1115742</link>
      <description>&lt;P&gt;I don't get your requirements.&lt;/P&gt;
&lt;P&gt;Hairpin will NAT inside to outside, and hence the internal host can access an internal server that has a public IP in DNS.&lt;/P&gt;
&lt;P&gt;Why do you need webvpn for internal then?&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Fri, 13 Sep 2024 07:03:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194127#M1115742</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-09-13T07:03:15Z</dc:date>
    </item>
    <item>
      <title>Re: FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194129#M1115743</link>
      <description>&lt;P&gt;The guest network does not have access to our internal network. It is just for internet access for guests or for users who want to use AnyConnect instead of wireless 802.1x, so they can keep AnyConnect always running whether they work from home, abroad or in the office.&lt;/P&gt;&lt;P&gt;I'm looking for a solution to provide that functionality without using separate firewalls: separate interfaces for the guest network and the inside network on the same firewall.&lt;/P&gt;</description>
      <pubDate>Fri, 13 Sep 2024 07:12:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194129#M1115743</guid>
      <dc:creator>Network Diver</dc:creator>
      <dc:date>2024-09-13T07:12:22Z</dc:date>
    </item>
    <item>
      <title>Re: FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194214#M1115753</link>
      <description>&lt;P&gt;Would using AnyConnect Trusted Network Detection be an option?&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure-vpn.html#id_100236" target="_blank"&gt;Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.1 - Configure VPN Access [Cisco Secure Client (including AnyConnect)] - Cisco&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Sep 2024 10:18:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5194214#M1115753</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2024-09-13T10:18:25Z</dc:date>
    </item>
    <item>
      <title>Re: FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5195387#M1115843</link>
      <description>&lt;P&gt;That would work from the corporate office network, but not from the guest network. I was looking for a solution to provide a guest network that allows AnyConnect to the local site without using dedicated firewall boxes or multiple contexts.&lt;/P&gt;</description>
      <pubDate>Tue, 17 Sep 2024 13:23:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5195387#M1115843</guid>
      <dc:creator>Network Diver</dc:creator>
      <dc:date>2024-09-17T13:23:56Z</dc:date>
    </item>
    <item>
      <title>Re: FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5195390#M1115844</link>
      <description>&lt;P&gt;I tried that NAT reflection rule. It works for mapping any public IP address to an inside server IP address, but it does not work when using firewall outside/inside interface IP addresses.&lt;/P&gt;</description>
      <pubDate>Tue, 17 Sep 2024 13:25:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5195390#M1115844</guid>
      <dc:creator>Network Diver</dc:creator>
      <dc:date>2024-09-17T13:25:14Z</dc:date>
    </item>
    <item>
      <title>Re: FTD: Access outside interface from inside?</title>
      <link>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5230015#M1117840</link>
      <description>&lt;P&gt;Dug a bit deeper into FTD features and looked at the inline interface sets. Would it be possible to create two interfaces for an inline set that connect the public internet from the provider and, behind it, a dedicated FTD for AnyConnect VPN? Is the public IP address of the VPN device (labeled FTD2a/2b) then accessible through the internet edge FTDs?&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ftd-inline-interfaces.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/234729i5171B36B460AC983/image-size/large?v=v2&amp;amp;px=999" role="button" title="ftd-inline-interfaces.png" alt="ftd-inline-interfaces.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 28 Nov 2024 10:21:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-access-outside-interface-from-inside/m-p/5230015#M1117840</guid>
      <dc:creator>Network Diver</dc:creator>
      <dc:date>2024-11-28T10:21:17Z</dc:date>
    </item>
  </channel>
</rss>

