Secondary outside/wan IP address or Nat to itself on FTD via FMC

Hi all,

I have an FTD 6.3 on Firepower 4110.  It is configured in routed mode with "the usual" configuration: outside, inside, DMZ, and serverfarm interfaces/zones with traffic allowed out but not in. I also have AnyConnect services for remote access VPN services.

The main difference is that on the outside interface I have a 10.x.x.1 private IP address.  The Firepower is directly connected to a Cisco 6509 via a point-to-point connection. The provider reserved the 82.y.y.0/29 public IP addresses and, via static routing, sends them to 10.x.x.1.

I configured static, dynamic, etc. NATs for our needs. They work well.

My main difficulty is with AnyConnect VPN. From the provider network I can connect to the 10.x.x.1 private IP via AnyConnect; there is no problem with this. But from the Internet I can't connect to the VPN, because there is no public IP address on the outside interface.

Could you help me correctly configure the AnyConnect VPN NAT rule and access policy in this situation?

 

7 REPLIES
VIP Advocate

Re: Secondary outside/wan IP address or Nat to itself on FTD via FMC

You would need to configure port forwarding on the 6509.  Easiest would be to have a dedicated public IP for AnyConnect, but if you cannot do that, then forward ports tcp/443 and udp/443 to 10.x.x.1.

--
Please remember to rate and select a correct answer
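The port forwarding the reply above describes, written out as an added IOS configuration example for the 6509 (not from the original post or any replier). It assumes the 6509 runs Cisco IOS with NAT support, that the ISP-facing SVI is `Vlan900` with the assumed address 82.y.y.2/29, that the point-to-point link to the FTD is `GigabitEthernet1/1` with the assumed address 10.x.x.2/30, and that 82.y.y.3 is the dedicated public address from the provider's /29 chosen for AnyConnect. The 6509 must actually terminate that public address (or have the /29 routed to its ISP-facing link) rather than forwarding the whole block onward to 10.x.x.1, otherwise the translation never sees the packets.

```cisco
! Added example, not the thread's own configuration.
! Interface names and addresses are assumptions (see lead-in).

! ISP-facing interface: holds the public side of the translation
interface Vlan900
 description ISP handoff (assumed 82.y.y.2/29)
 ip address 82.y.y.2 255.255.255.248
 ip nat outside
 ip access-group INTERNET-IN in
!
! Point-to-point link toward the FTD outside interface (10.x.x.1)
interface GigabitEthernet1/1
 description p2p to FTD outside (assumed 10.x.x.2/30)
 ip address 10.x.x.2 255.255.255.252
 ip nat inside
!
! Static port forwards: AnyConnect uses TCP/443 (TLS) and UDP/443 (DTLS).
! Only those two ports on the dedicated public IP 82.y.y.3 reach the FTD.
ip nat inside source static tcp 10.x.x.1 443 82.y.y.3 443
ip nat inside source static udp 10.x.x.1 443 82.y.y.3 443
!
! Limit what the Internet can reach on the forwarded address, so the
! 6509 does not expose anything else on 82.y.y.3 by accident.
! Adjust the remaining entries to match the NATs already routed to the FTD.
ip access-list extended INTERNET-IN
 permit tcp any host 82.y.y.3 eq 443
 permit udp any host 82.y.y.3 eq 443
 permit ip any 82.y.y.0 0.0.0.7
 deny   ip any any log
!
! Verification after a client connects from the Internet:
!   show ip nat translations | include 443
! An entry for 82.y.y.3:443 <-> 10.x.x.1:443 confirms the forward is hit.
```

On the FTD side nothing changes for this design: the AnyConnect connection profile stays bound to the outside interface (10.x.x.1), the access control policy never sees the VPN handshake itself (it is to-the-box traffic), and the 6509 ACL is what limits Internet exposure of the forwarded address to the two VPN ports.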

Re: Secondary outside/wan IP address or Nat to itself on FTD via FMC

Thank you for your reply. If I assign the public IP address directly to the FTD outside interface, it means that the other side of this link on the 6509 should be a public IP address also. But that is contrary to company policy. Without ISG there would be no public IP addresses on the interfaces of other devices.
Beginner

Re: Secondary outside/wan IP address or Nat to itself on FTD via FMC

Is it feasible for you to change your design and assign the public subnet directly to the FTD's outside interface?

In this way you should be able to use remote access VPN without any kind of problem.

Re: Secondary outside/wan IP address or Nat to itself on FTD via FMC

Dear Andrea Tornagi, thank you for your reply!
If I assign the public IP address directly to the FTD outside interface, it means that the other side of this link on the 6509 should be a public IP address also. But that is contrary to company policy. Without ISG there would be no public IP addresses on the interfaces of other devices.
VIP Advocate

Re: Secondary outside/wan IP address or Nat to itself on FTD via FMC

You would not necessarily need the public IP on the 6509; you could just trunk a VLAN straight through to the ISP / next-hop router.  Another option would be to assign a private IP to the ASA, and then route that to a VRF on the 6509 that is just for internet, and place the public IP and the newly created private IP in that VRF.  Then route all traffic to the ASA and have a default route pointing out the newly created interface IP.

--
Please remember to rate and select a correct answer
Beginner

Re: Secondary outside/wan IP address or Nat to itself on FTD via FMC

You could use a dedicated VLAN between your ISP and your ASA and remove the Layer 3 configuration for public connectivity from your 6509.
In this way you can use your switched network to transport ISP connectivity without configuring any public IP address on the 6509.
VIP Advocate

Re: Secondary outside/wan IP address or Nat to itself on FTD via FMC

Isn't that what I already said? 

--
Please remember to rate and select a correct answer