913 Views, 0 Helpful, 3 Replies

Secure Firewall to Umbrella SIG - VPN Tunnel

Marc0, Level 1

Hi
I am in the process of moving our web filtering away from a local web proxy to Umbrella, and I'm at the stage where I want my server estate and 3rd-party devices to use Umbrella, but via a tunnel rather than installing the AnyConnect Umbrella module.

I am able to establish a VPN tunnel between my FTD2130 and Umbrella using a policy-based map, an extended ACL and NAT Before (static) settings. This works fine, but I can only ever seem to get one device working at any time over the tunnel.

I'm on 7.0.5 code, FTD2130.

Has anyone got some thoughts on this?

Also keen to hear if anyone is doing a similar approach and what setup you have gone with.

Thanks in advance

3 Replies

Marc0, Level 1

Anyone out there who can help, please?

Hi,
I don't have a direct answer to what you're trying to accomplish, but I have an answer to how you can accomplish it.

If you don't want to use the roaming client, you can simply point your RAVPN users to:

a) an internal DNS server that has the Umbrella DNS servers configured as forwarders.

b) an Umbrella VA as the DNS server; the VA will decide which DNS requests are sent to the local DNS server (internal requests) and which requests are sent to the cloud.

 

The above scenarios work for both split-tunnel and full-tunnel RAVPN environments. As long as you push DNS servers to RAVPN clients using your group-policy, all DNS traffic will be (by default) sent through the RAVPN tunnel.

One other option would be to configure your FTD to do DNS redirection to Umbrella, but personally I haven't tested or used it.

https://docs.umbrella.com/hardware-integrations/docs/cisco-secure-firewall

 

BR,

Octavian

Marc0, Level 1

Hi

We have found the resolution. After speaking with TAC, they confirmed that Cisco Umbrella only supports a site-to-site VPN tunnel with VTI and not PBR.

So, with us being on FMC/FTD code 7.0.5, we were able to build a VTI s2s tunnel using FlexConfig to set and push the route-map policy.

It was a hard struggle, but we got there in the end.
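For readers who land on this thread looking for the shape of the VTI-plus-route-map setup Marc0 describes, here is an added illustration in the ASA-style syntax that FTD deploys. It is not Marc0's configuration and not Cisco documentation: on FMC 7.0.x the VTI and its IKEv2/IPsec settings are built in the site-to-site VPN wizard, and FlexConfig is needed only for the policy-based routing part (native PBR in FMC arrived in a later release). Every name (UMBRELLA-VTI, UMBRELLA-IPSEC-PROFILE, UMBRELLA-PBR-ACL, UMBRELLA-PBR), the placeholder headend 203.0.113.10, the server subnet 10.20.0.0/16, the 169.254.10.0/30 tunnel link and the interface GigabitEthernet1/3 are assumptions for the example.

```cisco
! Added example, not Marc0's config and not Cisco documentation.
! Assumed names: UMBRELLA-VTI, UMBRELLA-IPSEC-PROFILE, UMBRELLA-PBR-ACL, UMBRELLA-PBR.
! 203.0.113.10 = placeholder Umbrella tunnel headend; 10.20.0.0/16 = assumed server
! subnet; 169.254.10.0/30 = assumed VTI link; GigabitEthernet1/3 = assumed server interface.

! --- VTI: in FMC this comes from the site-to-site VPN wizard; shown here as deployed ---
interface Tunnel1
 nameif UMBRELLA-VTI
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile UMBRELLA-IPSEC-PROFILE

! --- Policy-based routing pushed via FlexConfig ---
! Deny lines first: internal-to-internal traffic must never be steered into the
! tunnel, or RFC 1918 flows from the servers would leave the site via Umbrella.
access-list UMBRELLA-PBR-ACL extended deny ip 10.20.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list UMBRELLA-PBR-ACL extended deny ip 10.20.0.0 255.255.0.0 172.16.0.0 255.240.0.0
access-list UMBRELLA-PBR-ACL extended deny ip 10.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
! Only the server subnet's web traffic is steered to Umbrella SIG.
access-list UMBRELLA-PBR-ACL extended permit tcp 10.20.0.0 255.255.0.0 any eq 80
access-list UMBRELLA-PBR-ACL extended permit tcp 10.20.0.0 255.255.0.0 any eq 443

! Next hop is the far side of the VTI link; every source in the subnet rides the
! same tunnel, so there is no per-host NAT to collide on.
route-map UMBRELLA-PBR permit 10
 match ip address UMBRELLA-PBR-ACL
 set ip next-hop 169.254.10.2

! Attach the policy on the inside-facing interface where the servers live.
! The interface itself is already defined in FMC; FlexConfig only adds the policy-route line.
interface GigabitEthernet1/3
 policy-route route-map UMBRELLA-PBR
```

Two checks after deployment: `show crypto ikev2 sa` should list the Umbrella peer with a child SA, and `show route-map UMBRELLA-PBR` should show the match counter climbing as servers browse. Keep the deny entries ahead of the permits; the most common mistake with this design is steering internal traffic into the tunnel, which breaks AD, DNS and management access from the server estate.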