Cisco Firepower AnyConnect failure

saids3
Level 1

AnyConnect is not able to connect to the server error!!

Firewall in BVI mode -

1 Accepted Solution

The NAT rule for AnyConnect is wrong. You need to exempt the VPN pool and the local subnet in order to reach the resources behind the firewall. The rule you have won't allow you to connect the AnyConnect VPN behind the firewall.

Your NAT rule should be in this order. I am writing the ASA code as I don't have FTD, so you can work it around.

nat (inside,outside) source static local-network local-network destination static vpn-pool vpn-pool no-proxy-arp route-lookup


Please do not forget to rate.

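As an added check that is not part of this thread, the small Python linter below parses ASA twice-NAT lines and reports the two problems the replies describe: a missing identity exemption for the VPN pool, and an exemption that sits below the general internet (dynamic PAT) rule and is therefore shadowed. The object names local-network and vpn-pool come from the accepted answer; the sample NAT lines, including the form of the PAT rule, are constructed.

```python
import re

# Constructed ASA NAT snippets modelled on the thread: the twice-NAT exemption
# from the accepted answer, and a general internet PAT rule (assumed form).
EXEMPT = ("nat (inside,outside) source static local-network local-network "
          "destination static vpn-pool vpn-pool no-proxy-arp route-lookup")
PAT = "nat (inside,outside) source dynamic any interface"
GOOD_ORDER = EXEMPT + "\n" + PAT      # exemption first, as the replies advise
BAD_ORDER = PAT + "\n" + EXEMPT       # general rule shadows the exemption

NAT_RE = re.compile(
    r"^nat\s+\((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\)\s+source\s+"
    r"(?P<kind>static|dynamic)\s+(?P<real>\S+)\s+(?P<mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dreal>\S+)\s+(?P<dmapped>\S+))?"
    r"(?P<opts>.*)$")

def parse_nat(config):
    """Return the twice-NAT (section 1) rules in configuration order."""
    rules = []
    for line in config.strip().splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules

def is_vpn_exemption(rule, pool):
    """Identity NAT: real == mapped for the source, destination is the VPN pool."""
    return (rule["kind"] == "static" and rule["real"] == rule["mapped"]
            and rule["dreal"] == pool and rule["dmapped"] == pool)

def check_vpn_nat(config, pool="vpn-pool"):
    """List the thread's problems; empty means the exemption is present, complete and first."""
    rules = parse_nat(config)
    findings = []
    exempt = next((i for i, r in enumerate(rules) if is_vpn_exemption(r, pool)), None)
    pat = next((i for i, r in enumerate(rules) if r["kind"] == "dynamic"), None)
    if exempt is None:
        findings.append(f"no identity NAT exempting traffic to {pool}")
        return findings
    opts = rules[exempt]["opts"]
    if "no-proxy-arp" not in opts or "route-lookup" not in opts:
        findings.append("exemption is missing no-proxy-arp and/or route-lookup")
    if pat is not None and pat < exempt:
        findings.append("dynamic PAT rule precedes the VPN exemption; move the exemption above it")
    return findings

if __name__ == "__main__":
    print("good:", check_vpn_nat(GOOD_ORDER))   # good: []
    print("bad:", check_vpn_nat(BAD_ORDER))
```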

4 Replies

Your failure description is quite vague ...

But at least you have to make sure that the NAT-exemption rule is above the general internet rule. And I would configure this in the same logic as the "normal" NAT rule: From "any" to "outside". 

I'm sorry for the lack of information! 

I'm trying to VPN into my office from an outside network like a cafe or any other Wi-Fi source! I'm not able to get this right!!

@Karsten Iwen @Sheraz.Salim @Rob Ingram This is what happened when I shifted the AnyConnect NAT to the top:

1. I can connect through AnyConnect, which works perfectly, but the second NAT stops working (OPEN-DSM).

2. I can't ping my inside network like 10.206.167.111 
