topic Re: FTD Route Based VPN Question in Network Security

FTD Route Based VPN Question

N3om — Thu, 16 Apr 2026 08:30:57 GMT

Hi
Can I add a Nat exemption rule after I have created a Route based VPN on FTD or do I need to select it when configuring the VPN ??

Thanks

Re: FTD Route Based VPN Question

Rob Ingram — Thu, 16 Apr 2026 08:34:25 GMT

@N3om you can create the NAT exemption rule(s) after the VPN topology has been configured no problem.

Re: FTD Route Based VPN Question

N3om — Thu, 16 Apr 2026 08:44:43 GMT

@Rob Ingram Ok thanks does the below look like a valid Nat exemption ??

111 (STAFF_INTERNET) to (any) source static STAFF-Network STAFF-Network destination static any -ipv4 any-ipv4

Re: FTD Route Based VPN Question

Rob Ingram — Thu, 16 Apr 2026 08:47:01 GMT

@N3om yes, but I would recommend not to use "any" as the destination interface and ideally not the destination networks either, be specific.

Re: FTD Route Based VPN Question

N3om — Thu, 16 Apr 2026 08:51:04 GMT

The destination Interface is a VTI which I dont think is supported in the NAT rule and the any Network is for Internet so cant do anything with that.?

Re: FTD Route Based VPN Question

Rob Ingram — Thu, 16 Apr 2026 08:56:35 GMT

@N3om ok in that case, yes you are correct you must use "any" as the interface; as you cannot explicitly specify interface names when using a VTI. In which case your NAT rule sohuld work and would just route traffic from "STAFF-Network" IP addresses over the VTI to any destination. I assume the upstream device would handle the NAT.

Re: FTD Route Based VPN Question

Marvin Rhoads — Fri, 17 Apr 2026 13:55:37 GMT

@N3om We usually do not need to do NAT exemption on VTI-based S2S VPN since the "normal" NAT rules don't apply to traffic to/from VTI interfaces.