topic Re: Route Offloading on FTD for IPSEC VPN in Network Security

Route Offloading on FTD for IPSEC VPN

titusroz03 — Wed, 08 Jan 2025 08:32:40 GMT

We have IPSEC VPN setup(HUB to Spoke), were clients access internet through VPN from Site to HUB(Data centre)

I have a requirement of offloading a certain internet destinations towards internet instead of injecting through VPN tunnel, to offload it directly through local internet.

what are the possibilities to achieve this on cisco FTD 1120

Re: Route Offloading on FTD for IPSEC VPN

Rob Ingram — Wed, 08 Jan 2025 08:36:57 GMT

@titusroz03 FTD when managed via FMC has basic SDWAN capabilities, you can setup Direct Internet Access from the spoke sites to route some internet traffic direct rather than through the VPN tunnel. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/usecase/b_wan-deployment/m_direct-internet-access-usecase.html

Re: Route Offloading on FTD for IPSEC VPN

MHM Cisco World — Wed, 08 Jan 2025 09:06:55 GMT

Sure you can, what is vpn you have

If it VTI

Then only add new static route in ftd point to Wan interface,

that all

MHM

Re: Route Offloading on FTD for IPSEC VPN

MHM Cisco World — Wed, 08 Jan 2025 09:07:25 GMT

Note sure you need NATing.

Thanks

MHM

Re: Route Offloading on FTD for IPSEC VPN

titusroz03 — Wed, 08 Jan 2025 09:52:30 GMT

Which one will be easier to achieve this, policy or route based..?

Re: Route Offloading on FTD for IPSEC VPN

MHM Cisco World — Wed, 08 Jan 2025 09:56:44 GMT

policy based since you have hub and spoke and you want to direct traffic for specific website via WAN directly instead of forwarding traffic via hub

MHM

Re: Route Offloading on FTD for IPSEC VPN

Rob Ingram — Wed, 08 Jan 2025 10:39:26 GMT

l@titusroz03 you said you wanted to " offloading a certain internet destinations towards internet instead of injecting through VPN tunnel" - using the SDWAN functionality you can route some websites/applications (i.e. Teams, Webex, Outlook etc) out the local internet, whilst routing the rest of the traffic over the VPN to the DC.

If you use a traditional Policy Based VPN you need to explictly configure the crypto ACL on which traffic to route over the VPN, anything that is not explictly encrypted would be routed out locally.

Re: Route Offloading on FTD for IPSEC VPN

d3an.chen — Wed, 08 Jan 2025 15:10:00 GMT

Hi,

From what I know is that usually the Cisco device use ACL to define the interested network traffic for VPN tunnel. So I think you could remove the destination that you want to offload from that ACL, then it will stop from taking IPSEC tunnel.

Thanks

Re: Route Offloading on FTD for IPSEC VPN

titusroz03 — Wed, 05 Feb 2025 11:43:02 GMT

@d3an.chen @Rob Ingram @MHM Cisco World Apologies for leaving this conversation idle for long period, I want to start this again. So our last conclusion was to remove the traffic from crypto ACL to get offloaded and leave others for VPN tunnel. On this point my requirement is just to offload some internet destinations and leave all the other traffic (including other internet) to get through tunnel as encrypted. How can we achieve this in cisco FTD..? My understanding is Deny those destinations in Crypto ACL to get them offloaded..? Correct me if this is wrong and also do I need additional configs for those offloaded destinations like static routing..?

And another question is if the same scenario for Route based VTI, how can I achieve..? Should I point the networks to local offload through static routing to WAN ip..?

Re: Route Offloading on FTD for IPSEC VPN

Rob Ingram — Wed, 05 Feb 2025 12:37:03 GMT

@titusroz03 I've not tried it on the FTD at least (only on an ASA) but when configuring the protected networks, select the "Access List (Extended)" in that ACL deny the traffic you don't wish to be encrypted over the VPN and then permit any.

If you use a route based VPN then configure specific routes for the traffic you don't wish to be routed over the VTI via a different next hop.

Re: Route Offloading on FTD for IPSEC VPN

MHM Cisco World — Wed, 05 Feb 2025 19:02:04 GMT

sorry I will be busy until Sep.

hope other help you

Goodluck

MHM

Re: Route Offloading on FTD for IPSEC VPN

titusroz03 — Fri, 07 Feb 2025 05:05:30 GMT

My requirement along with this local offloading is one of our internal coder Device(192.168.1.7) should be Natted to public IP in bidirectional way such that it can access internet and it can be accessed from internet.

Below are the plans to achieve these two:

If Route based VPN:

configure specific routes for the traffic you don't wish to be routed over the VTI via WAN Ip. And add a bidirectional NAT for the internal coder device and PAT alone for the external destinations which need to be offloaded.

If Policy based VPN:

In Encrypted ACL deny the traffic you don't wish to be encrypted over the VPN and then permit any. Along with this configure the same NAT configs as above.

Could you help me to confirm if my above plan is correct and will work. Correct me if any misses or changes..?