Connect with anyconnect to ftd internal interface eg. guest-wlan

pf

Hi to all

I have to configure AnyConnect from the guest-wlan with external DNS servers configured. NAT is needed to translate the public IP address of the firewall's outside interface to the private IP address of the firewall interface terminating the guest-wlan (172.16.2.1).

show nat detail
17 (guest_clients) to (guest_clients) source static E_N_GUEST_CLIENTS E_N_GUEST_CLIENTS destination static E_H_VPN.xy_PUBLIC E_H_VPN.xy_INTERNAL
translate_hits = 22999, untranslate_hits = 22999
Source - Origin: 172.16.2.0/24, Translated: 172.16.2.0/24
Destination - Origin: x.y.z.z/32, Translated: 172.16.2.1/32

NAT should be OK, but when I open a browser from a client in the guest-wlan, https://vpn.xy gives a timeout. Connecting to the internal interface IP https://172.16.2.1 shows the AnyConnect login prompt.

Anyone already configured that on an FTD 1120?

Model : Cisco Firepower 1140 Threat Defense (78) Version 7.0.4 (Build 55)
UUID : 294b33ba-4192-11eb-8474-ea085202e07d
Rules update version : 2023-03-15-001-vrt
VDB version : 361
----------------------------------------------------

Cisco Adaptive Security Appliance Software Version 9.16(3)18
SSP Operating System Version 2.10(1.208)

Regards
Peter

1 Reply

Hello Peter,

Your NAT configuration appears to be correct, but it seems like there might be an issue with the access rules or routing. Here are a few steps to help troubleshoot the issue:

1. Verify that there is an access rule allowing traffic from the guest-wlan network to the public IP address of the VPN (x.y.z.z) on the outside interface. The access rule should permit HTTPS (TCP port 443) traffic.

2. Check if there is a route for the guest-wlan subnet (172.16.2.0/24) on the FTD 1120. If not, add a route pointing to the appropriate gateway.

3. Ensure that the VPN profile on the FTD 1120 is configured to accept connections from the guest-wlan network (172.16.2.0/24).

4. Test connectivity from the guest-wlan network to the public IP address (x.y.z.z) using a tool like ping or traceroute to determine if there are any routing issues.

5. Check the logs on the FTD 1120 for any relevant information regarding the connection attempts from the guest-wlan network. This might reveal any issues related to access rules or VPN profile configuration.

If you are still experiencing issues after checking these steps, I recommend opening a support case with Cisco TAC for further assistance.

Best regards,
Cisco Virtual Engineer

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
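To make the NAT check in the reply above concrete, here is an added example (written for this thread, not code from the original post or from Cisco) that parses `show nat detail` output and verifies that a hairpin rule on the guest interface does what the question expects: identity-translates the guest subnet and rewrites the VPN public address to the guest interface IP, with non-zero hit counters showing packets actually matched. The sample output is constructed from the rule quoted in the question; the redacted public address x.y.z.z is replaced by the documentation address 203.0.113.10, and the client address 172.16.2.50 is an assumption.

```python
"""Sanity-check a Firepower/ASA 'show nat detail' hairpin rule for an
AnyConnect headend reached from an inside interface.

Example code for this thread (not from the original post). The sample
output is constructed from the rule in the question; 203.0.113.10 stands
in for the redacted public address x.y.z.z."""
import ipaddress
import re

SAMPLE_SHOW_NAT = """\
17 (guest_clients) to (guest_clients) source static E_N_GUEST_CLIENTS E_N_GUEST_CLIENTS destination static E_H_VPN.xy_PUBLIC E_H_VPN.xy_INTERNAL
    translate_hits = 22999, untranslate_hits = 22999
    Source - Origin: 172.16.2.0/24, Translated: 172.16.2.0/24
    Destination - Origin: 203.0.113.10/32, Translated: 172.16.2.1/32
"""

RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
NET_RE = re.compile(r"(Source|Destination) - Origin: (\S+), Translated: (\S+)")


def parse_show_nat(text):
    """Turn 'show nat detail' output into a list of rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            # New rule header: "<id> (<ingress>) to (<egress>) <nat text>"
            rules.append({"id": int(m.group(1)), "ingress": m.group(2),
                          "egress": m.group(3), "text": m.group(4)})
            continue
        if not rules:
            continue  # ignore anything before the first rule
        m = HITS_RE.search(line)
        if m:
            rules[-1]["translate_hits"] = int(m.group(1))
            rules[-1]["untranslate_hits"] = int(m.group(2))
            continue
        m = NET_RE.search(line)
        if m:
            key = m.group(1).lower()  # "source" or "destination"
            rules[-1][key + "_origin"] = ipaddress.ip_network(m.group(2))
            rules[-1][key + "_translated"] = ipaddress.ip_network(m.group(3))
    return rules


def check_hairpin_rule(rules, interface, client_ip, public_ip, interface_ip):
    """Return a list of problems with the hairpin NAT rule on `interface`.

    An empty list means some <interface>-to-<interface> rule matches a
    packet from client_ip to public_ip, leaves the source untouched,
    rewrites the destination to interface_ip, and has been hit."""
    client = ipaddress.ip_address(client_ip)
    public = ipaddress.ip_address(public_ip)
    target = ipaddress.ip_network(f"{interface_ip}/32")
    candidates = [r for r in rules
                  if r["ingress"] == interface and r["egress"] == interface
                  and "source_origin" in r and "destination_origin" in r
                  and client in r["source_origin"] and public in r["destination_origin"]]
    if not candidates:
        return [f"no {interface}-to-{interface} rule matches {client_ip} -> {public_ip}"]
    problems = []
    for r in candidates:
        if r["source_translated"] != r["source_origin"]:
            problems.append(f"rule {r['id']}: source translated to "
                            f"{r['source_translated']}, expected identity NAT")
        if r["destination_translated"] != target:
            problems.append(f"rule {r['id']}: destination translated to "
                            f"{r['destination_translated']}, expected {target}")
        if r.get("translate_hits", 0) == 0:
            problems.append(f"rule {r['id']}: translate_hits is 0, no packets matched")
    return problems


if __name__ == "__main__":
    rules = parse_show_nat(SAMPLE_SHOW_NAT)
    report = check_hairpin_rule(rules, "guest_clients", "172.16.2.50",
                                "203.0.113.10", "172.16.2.1")
    for line in report or ["NAT rule looks correct for this flow"]:
        print(line)
```

Paste the real `show nat detail` output in place of the sample and the real public address in place of 203.0.113.10. If the check passes (as it does for the rule in the question, where translate and untranslate hits are equal and non-zero), the NAT rule is matching both directions of the flow, and the timeout has to be looked for elsewhere, as the reply suggests: access rules, routing, what vpn.xy resolves to from the guest network, and the connection logs.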