06-10-2022 09:13 AM
I have an upcoming project where remote user VPNs connect to a tail site A and can also access multiple other tail sites (B, C, C) using the Outside Crypto Map off of tail site A. I believe this is referred to as hairpinning over VPN. I am very stressed that I sold a migration project to move off legacy ASA over to FMC-managed FTD devices, as I never considered how the crypto maps would work in FTD. Please tell me this is doable and common.
06-10-2022 09:18 AM
@keithcclark71 yes, this works the same way as the ASA does. Ensure the crypto map ACL (on each end) defines the AnyConnect VPN pool network as interesting traffic. Configure NAT exemption rules to ensure traffic is not unintentionally translated. And then ensure the ACP permits the communication between the networks.
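As an added example that is not from this thread, here is the ASA-syntax equivalent of the three points in the answer as seen on the site A hub (FMC pushes the same constructs to FTD). The object names, addresses, peer IP and proposal name are assumptions for illustration.

```cisco
! Constructed example for site A (the FTD the remote users land on).
! Assumed values: AnyConnect pool 10.99.0.0/24, site B LAN 10.20.0.0/16,
! site B peer 203.0.113.2.

! 1. Hairpinning means traffic enters and leaves the same interface
!    (outside -> outside); the firewall drops that unless permitted.
same-security-traffic permit intra-interface

object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0
object network SITE_B_LAN
 subnet 10.20.0.0 255.255.0.0

! 2. Crypto ACL: the AnyConnect pool itself must be the local side of the
!    A<->B tunnel, not only site A's LAN, or hairpinned flows are never
!    classed as interesting and are sent in the clear / dropped.
access-list CRYPTO_A_TO_B extended permit ip object VPN_POOL object SITE_B_LAN
crypto ipsec ikev2 ipsec-proposal AES256_SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE_MAP 10 match address CRYPTO_A_TO_B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256_SHA256
crypto map OUTSIDE_MAP interface outside

! 3. NAT exemption: both legs are on "outside", so the identity rule is
!    (outside,outside); an (inside,outside) exemption does not match it.
nat (outside,outside) source static VPN_POOL VPN_POOL destination static SITE_B_LAN SITE_B_LAN no-proxy-arp route-lookup

! Site B mirrors this: its crypto ACL and NAT exemption name VPN_POOL as
! the remote network, and it needs a route for 10.99.0.0/24 toward site A.
! The ACP rule (FMC GUI) must still permit VPN_POOL <-> SITE_B_LAN unless
! "Bypass Access Control policy for decrypted traffic" is enabled.

! Check: the SA's local/remote proxy identities should show the pool and
! the site B LAN, and encaps/decaps counters should rise during a test.
! show crypto ipsec sa peer 203.0.113.2
! show nat detail | include VPN_POOL
```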
06-10-2022 10:19 AM
Thanks Rob. I am hoping to mesh all 4 FTDs with IPsec tunnels and only allow AnyConnect users from the tail sites to hairpin off their access firewall to another designated firewall at the main office.