CISCO 1010 FTD RAVPN Inside network no internet

ivhanez12
Level 1

Hi all,

We recently acquired a CISCO 1010 FTD running version 7.2.4.1-43 to replace our current ASA 5505.

The inside interface is configured as switchport trunk mode and associated with 5 different VLANs, everything is working fine, all devices connected to the switchport trunk interface in different VLANs are able to connect to the internet.

The issue started after configuring a Remote Access VPN: when the inside network is added to the accepted networks under NAT exempt, devices on this network are not able to open any website. I am able to ping the URL and any external IP, but browsing is not working, while VPN clients using AnyConnect can connect, browse the internet and also reach any device on the network that is specified in the accepted networks under NAT exempt.

Hoping anyone can help.

Thank you,

Ivhanez12

5 Replies

Marvin Rhoads
Hall of Fame

The NAT exempt rule should only apply for inside networks to the RA VPN address pool.

Can you share a screenshot of the NAT rule you added? (or "show running-config nat" output from the CLI)

ivhanez1212
Level 1

Hi Marvin, 

Thank you for your advice, here is the running NAT config:

firepower# show running-config nat
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (inside,outside) source dynamic InsideNetwork interface
nat (wifi,outside) source static WiFiNetwork interface
nat (insideremote,outside) source static InsideRemoteNetwork interface
nat (dmz,outside) source static DMZNETWORK interface
nat (dvr,outside) source static DVRrange interface service _|NatOrigSvc_97c7413d-3785-11ee-80b2-f387e7d515a6 _|NatMappedSvc_97c7413d-3785-11ee-80b2-f387e7d515a6
nat (outside,outside) source dynamic VPN_IP_RANGE interface
firepower#

I also attached the VPN profile.

I highlighted in red the NAT exempt config; any network that I add there is not able to browse any website.

The connection is timing out.

RAVPN_FTD_FDM.jpg
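Added example (not from the thread and not Cisco's code): the script below parses the "show running-config nat" output posted above and walks the manual (Section 1) NAT rules top-down, first match, the way FTD evaluates them, reporting which rule a given flow would hit. Marvin's point is that the identity (NAT exempt) rule should catch only inside-to-VPN-pool traffic, so an inside host going to the internet should fall through to the dynamic PAT rule on the next line; a check at the end flags any identity rule that has no destination and would therefore exempt everything from that source. The object contents are not shown on the page, so the address ranges in OBJECTS are assumptions; the model also ignores service matching, auto (object) NAT and the egress-interface route lookup, none of which the thread shows.

```python
"""Simplified first-match walk of FTD manual (twice) NAT rules.

Manual NAT rules are evaluated top-down, first match, so an over-broad
identity (NAT exempt) rule near the top captures traffic that should have
hit the dynamic PAT rule below it. This only models the Section 1 rules
shown in the thread; auto NAT, service matching and the egress-interface
route lookup are not modelled.
"""
import ipaddress
import re

# Copied from the thread's "show running-config nat" output.
NAT_CONFIG = """\
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (inside,outside) source dynamic InsideNetwork interface
nat (wifi,outside) source static WiFiNetwork interface
nat (insideremote,outside) source static InsideRemoteNetwork interface
nat (dmz,outside) source static DMZNETWORK interface
nat (dvr,outside) source static DVRrange interface service _|NatOrigSvc_97c7413d-3785-11ee-80b2-f387e7d515a6 _|NatMappedSvc_97c7413d-3785-11ee-80b2-f387e7d515a6
nat (outside,outside) source dynamic VPN_IP_RANGE interface
"""

# ASSUMED object contents (the thread does not show them); edit to match your FDM objects.
OBJECTS = {
    "NGFW-Remote-Access-VPN|natIpv4Grp": ["192.168.1.0/24", "192.168.2.0/24"],
    "NGFW-Remote-Access-VPN|natIpv4PoolGrp": ["10.10.10.0/24"],
    "InsideNetwork": ["192.168.1.0/24", "192.168.2.0/24"],
    "WiFiNetwork": ["192.168.5.0/24"],
    "InsideRemoteNetwork": ["192.168.6.0/24"],
    "DMZNETWORK": ["172.16.0.0/24"],
    "DVRrange": ["192.168.7.0/24"],
    "VPN_IP_RANGE": ["10.10.10.0/24"],
}

# nat (src_if,dst_if) source static|dynamic REAL MAPPED [destination static DREAL DMAPPED] [rest]
RULE_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) "
    r"source (?P<mode>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
    r"(?P<rest>.*)$"
)


def parse_nat(config):
    """Return the manual NAT rules in configuration (= evaluation) order."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def contains(obj_name, ip):
    """True if ip falls inside the named object ('any' matches everything)."""
    if obj_name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[obj_name])


def match_flow(rules, ingress, src_ip, dst_ip):
    """First rule whose ingress interface, real source and (if set) real destination match."""
    for idx, r in enumerate(rules, start=1):
        if r["src_if"] != ingress or not contains(r["real"], src_ip):
            continue
        if r["dreal"] and not contains(r["dreal"], dst_ip):
            continue
        if r["mode"] == "static" and r["real"] == r["mapped"]:
            action = "identity (NAT exempt)"
        elif r["mapped"] == "interface":
            action = f"{r['mode']} translation to the {r['dst_if']} interface address"
        else:
            action = f"{r['mode']} NAT to {r['mapped']}"
        return idx, action
    return None, "no manual NAT rule matched"


def exempt_rules_without_destination(rules):
    """Identity rules with no destination object exempt ALL traffic from that source."""
    return [i for i, r in enumerate(rules, start=1)
            if r["mode"] == "static" and r["real"] == r["mapped"] and not r["dreal"]]


if __name__ == "__main__":
    rules = parse_nat(NAT_CONFIG)
    for ingress, src, dst in [("inside", "192.168.1.10", "8.8.8.8"),      # LAN host to internet
                              ("inside", "192.168.1.10", "10.10.10.5"),   # LAN host to VPN client
                              ("outside", "10.10.10.5", "8.8.8.8")]:      # VPN client hairpin
        print(f"{ingress} {src} -> {dst}: rule {match_flow(rules, ingress, src, dst)}")
    print("over-broad exempt rules:", exempt_rules_without_destination(rules) or "none")
```

With the assumed objects, an inside host bound for the internet skips rule 1 (the destination is not in the pool) and lands on rule 2, the dynamic PAT, while the same host talking to a VPN client hits the identity rule. The exempt check comes back empty for the posted config, which is consistent with the thread's outcome: the rule set as shown is scoped the way Marvin describes, and the fix turned out to be a full redeploy rather than a NAT change.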

Does FDM allow you to include your multiple inside interfaces? If not, you might just want to build NAT rules manually for each of the different protected VLANs using the NAT configuration vs. doing it under the RA VPN wizard. The wizards sometimes have limitations for more complex use cases.

Hi Marvin,

Is it the NAT exempt inside network section in the wizard? Yes, it does allow me; however, when I add them, they will not be able to browse any website, but if I do not add them the VPN client will not be able to reach them.

ivhanez1212
Level 1

Just an update on this issue: I removed all inside interfaces, re-added them, then re-deployed the changes. At first it gave me a deployment failed message, then there was an option for full deployment. After selecting the full deployment, the VPN is now working as expected; all devices connected to VLANs on the inside interface can now browse any site.

Thank You!
