Config help on NGFW 2110 FDM - Shoretel VPN Concentrator

latintrpt (Level 1)

Hello -

I need some config help with deploying a Shoretel VPN concentrator in my network.  Per the documentation, one leg would be connected to my 2110 on a dedicated DMZ port, the other leg would be connected to my LAN.  The config on the 2110 would be done via FDM.  How would I create the appropriate NAT and access control policies on my 2110?

I have attached screenshots from the Shoretel documentation.  Any help would be appreciated.

Thank You

5 Replies

Francesco Molino (VIP Alumni)
Hi

If I understood your requirements, you want to have any 443/tcp traffic coming to your outside interface to be forwarded to your router connected on your dmz zone, right?

If so, just be aware that if you have enabled vpn or outside management on your ftd, you won't be able to accomplish this because those features are using tcp/443.
If you don't have these features then:
- go to Policies and then Access Policies
- create a rule (order is important, if you're not sure you can place it at the top) that will authorize any ip from outside zone on port tcp/443 to your real dmz IP router as destination on zone dmz on port tcp/443.

Then go to Policies and NAT.
Create a new nat (order is also important, so it is not overlapped or overwritten by another rule)
- select auto nat and type static.
- select your dmz zone as source
- select your dmz router ip as source (if object isn't yet created, you can create it during the process clicking on the + sign from the dropdown menu)
- select https as original port
- select your firewall outside interface as translated interface.
- select interface as translated address
- select https as translated interface.

Finally you can deploy the config and everything should work as expected on the ftd (forwarding tcp/443 from your outside interface to your router dmz interface).



Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

If you have multiple public addresses assigned to you from your ISP, you can use an address other than the firewall's public interface address for the Shoretel public NAT address.

I prefer to create the network objects first - like Shoretel-private and Shoretel-private. Then a NAT rule from DMZ-outside. Then an ACP entry from outside-DMZ for the destination object Shoretel-private.

Something like this (except use your DMZ zone instead of the inside one I used):

[Screenshots: FDM Object, FDM NAT, FDM ACP Entry]
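The two replies above describe the same three-piece build (network object, static auto NAT from the DMZ host to the outside interface on tcp/443, and an access control rule from outside to DMZ written against the real DMZ address), plus the caveat that remote-access VPN or outside management on tcp/443 will take the traffic first. The following is an added, constructed model of that evaluation order, written for this page; it is not Cisco code, not FDM's API, and not taken from either reply. The addresses (203.0.113.10, 192.0.2.20), zone names and rule names are assumptions. It lets you check, before deploying, that a rule set would actually forward the traffic, and it reproduces the two ways it commonly fails: an ACP entry written against the public address instead of the real one, and a firewall service already listening on outside:443.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """Static auto NAT as described in the thread: real DMZ host <-> outside interface address."""
    name: str
    real_zone: str
    real_ip: str
    translated_zone: str
    translated_ip: str            # "interface" = use the outside interface address
    proto: str = "tcp"
    real_port: Optional[int] = None
    translated_port: Optional[int] = None


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                   # "allow" or "block"
    src_zone: str
    dst_zone: str
    dst_ip: str                   # REAL (untranslated) address, or "any"
    proto: str = "tcp"
    dst_port: Optional[int] = None


@dataclass
class Firewall:
    outside_zone: str = "outside"
    outside_ip: str = "203.0.113.10"          # constructed public address (assumption)
    # services the firewall itself answers on the outside interface, e.g. {("tcp", 443): "remote-access-vpn"}
    outside_listeners: Dict[Tuple[str, int], str] = field(default_factory=dict)
    nat_rules: List[NatRule] = field(default_factory=list)
    access_rules: List[AccessRule] = field(default_factory=list)
    default_action: str = "block"             # implicit default at the end of the policy


def untranslate(fw: Firewall, dst_ip: str, proto: str, dst_port: int):
    """First matching NAT rule wins (this is why rule order matters). Returns (rule, real_ip, real_zone, real_port) or None."""
    for r in fw.nat_rules:
        xlated_ip = fw.outside_ip if r.translated_ip == "interface" else r.translated_ip
        if xlated_ip != dst_ip or r.proto != proto:
            continue
        if r.translated_port is not None and r.translated_port != dst_port:
            continue
        real_port = r.real_port if r.real_port is not None else dst_port
        return r, r.real_ip, r.real_zone, real_port
    return None


def evaluate_inbound(fw: Firewall, dst_ip: str, proto: str, dst_port: int, src_zone: str = "outside"):
    """Model of the inbound path: firewall's own listener -> NAT untranslate -> ACP on the real address."""
    owner = fw.outside_listeners.get((proto, dst_port))
    if dst_ip == fw.outside_ip and owner is not None:
        return "consumed-by-ftd", owner        # the caveat from the reply: VPN/management owns the port
    hit = untranslate(fw, dst_ip, proto, dst_port)
    if hit is None:
        return "no-nat", None
    _rule, real_ip, real_zone, real_port = hit
    for a in fw.access_rules:                  # ACP matches on the real, post-untranslate address
        if (a.src_zone in (src_zone, "any") and a.dst_zone in (real_zone, "any")
                and a.dst_ip in (real_ip, "any") and a.proto == proto
                and (a.dst_port is None or a.dst_port == real_port)):
            return a.action, f"{a.name} -> {real_ip}:{real_port}"
    return fw.default_action, f"implicit default -> {real_ip}:{real_port}"


DMZ_ROUTER = "192.0.2.20"   # constructed real DMZ address of the VPN concentrator (assumption)
NAT_443 = NatRule("Shoretel-443", "dmz", DMZ_ROUTER, "outside", "interface", "tcp", 443, 443)


def build_working_fw() -> Firewall:
    """NAT plus an ACP entry whose destination is the real DMZ address, as both replies describe."""
    fw = Firewall()
    fw.nat_rules.append(NAT_443)
    fw.access_rules.append(AccessRule("Allow-Shoretel-443", "allow", "outside", "dmz", DMZ_ROUTER, "tcp", 443))
    return fw


def build_wrong_acp_fw() -> Firewall:
    """Common mistake: ACP written against the public address, so the real-address lookup never matches."""
    fw = Firewall()
    fw.nat_rules.append(NAT_443)
    fw.access_rules.append(AccessRule("Allow-Shoretel-443", "allow", "outside", "dmz", fw.outside_ip, "tcp", 443))
    return fw


def build_vpn_conflict_fw() -> Firewall:
    """Remote-access VPN already bound to outside tcp/443: the forward never reaches NAT."""
    fw = build_working_fw()
    fw.outside_listeners[("tcp", 443)] = "remote-access-vpn"
    return fw


if __name__ == "__main__":
    for label, fw in [("working", build_working_fw()),
                      ("acp-on-public-ip", build_wrong_acp_fw()),
                      ("vpn-on-443", build_vpn_conflict_fw())]:
        print(label, evaluate_inbound(fw, fw.outside_ip, "tcp", 443))
```

Run it as a script to see the three outcomes side by side. The model deliberately keeps the ACP lookup on the untranslated address: if your rule set only "allows" when the destination object holds the public address, it will block on the real firewall too, and that is the first thing to check when a port forward deploys cleanly but nothing connects.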

Thank you so much, for the second leg going into the LAN-inside interface, is there any rules I need to put in place? I’m worried that if the VPN concentrator gets compromised (malware, virus) that it can infect LAN-inside since the VPN concentrator connects directly to it as well.

Generally speaking, if you don't trust your VPN concentrator to be secure (when properly configured) you should be looking at a different vendor's product.

Once you have set up a given trusted vendor per best practices we generally have the working assumption that it is secure (verified by occasional scans, frequent reading of release notes and subscribing to things like vulnerability announcements). Frankly you probably have much greater probability of one of your remote access users either being compromised or malicious. What (if anything) are you doing to protect against that?

Just to add to what @marvin said, your traffic (vpn) will be encapsulated up to your router and from there it can access the LAN.
If you want to filter the access from your vpn terminated on your router before reaching your lan, you can move the lan interface into a different zone; that will force the traffic to return to the ftd for inspection before going back to your lan.
Having said that, I have to say, though, I don't see why you're using a router for vpn access in these circumstances.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question