cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2887
Views
15
Helpful
5
Replies

Cisco FMC/FTD - RAVPN - Need to route specific IPs via RAVPN

shabeeb
Level 1
Level 1

Hi, 

 

Once im connected to my RAVPN, I want to ensure traffic to a specific Public IP flows through my RAVPN tunnel at all times. Any advice?

 

TIA, 

Shabeeb

5 Replies 5

Hi,

How is your RAVPN configured?

if you are using full tunnel then all ip addresses will be tunnelled back to the FTD. If using split tunnel, then you should include the public IP address in the tunnel to ensure it is tunnelled back.

 

If the public IP address is actually hosted in the internet, then you will need a Nat rule from source outside to destination outside and Nat behind the outside interface.

 

HTH

Hi Rob,

Im using split tunneling & these IPs are part of the permitted ACL group.

As you mentioned, these IPs are actually hosted on the internet. Let me do the NAT and check.

TIA,
Shabeeb

Also, double check you’ve got a firewall rule permitting traffic to the internet

Hi Rob, 

 

Unfortunately its not working. I can see the traffic is being routed via the firewall successfully, but the service is not working.

 

To give you a little insight into what im trying to achieve - (attached a small drawing of the main components being used, just something i did in paint)

  • We have Microsoft SFB Federation services enabled between sip.local.com & sip.remote.com
  • Everything (including IM, Calls, Content sharing) works between My Local LAN & Remote Site
  • Everything (including IM, Calls, Content sharing) works between external users & Remote Site (i.e. since the SFB services are published outside, anyone in the internet can login to SFB & work)
  • Only IM works between My VPN Users & Remote Site
    • Calls & Content sharing fails

My observations

Remote site have enabled federation services to sip.local.com

  • This URL is NATted to our Edge DMZ
  • This Edge DMZ then has all the relevant routes to my local network & my vpn network
  • Hence, as far as local SFB Edge is concerned, it has successful routes to both (local & vpn) network

I tried to telnet sip.remote.com on port 5061 - the response is as below

  • My Local LAN - it works fine
  • Open internet from home (without VPN) - it works fine
  • VPN connected - it does not work

So as far as Remote Site is concerned, they are receiving the traffic successfully

  • i.e. if it comes from my Local Subnet, everything works fine.
  • but if it comes from my VPN Subnet, the routing issues comes into play
    • Im suspecting there is no reverse route from Remote Site to my VPN subnet

Is my understanding correct???

 

TIA, 

Shabeeb

 

 

 

 

 

Is the traffic towards the SIP service NATTED behind the outside interface of the FW?
If so, then the RAVPN networks should appear from the same source IP address. If traffic it is routed, then you would need to ensure that the other end has a route back.

Run packet-tracer from the CLI and provide the output
Review Cisco Networking for a $25 gift card