04-06-2021 08:36 PM - edited 04-06-2021 08:50 PM
I am trying to forward port 443 to a local on-prem proxy so I can host web servers. I also need remote access VPN enabled, which, as far as I can tell, automatically enables the 443 service on the outside interface. This is happening even when I disable SSL and change the ports in the VPN config within FMC.
When I go to deploy the NAT rule to forward 443 while the VPN is enabled, I get the following error.
[ManualNatRule 6] Interface used in translated source and port used in translated source port are also being used in VPN. Please re-configure the interface and/or port.
The only way I have gotten the port to forward is if I disable the VPN, which is not an option. I've tried everything I can think of and have found on Google, including FlexConfig commands like:
group-policy DfltGrpPolicy attributes
 no webvpn
and
webvpn
 keepout "503 Service Unavailable"
and
webvpn
 portal-access-rule 1 deny any
which was found in the bug report below.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp81746/?rfs=iqvred
However, none of these stop the FTD from binding the 443 service to the crypto IPsec config on the outside interface. Is there any way to stop that from happening?
Thank you!
04-09-2021 06:51 PM
This was solved by disabling IPsec on the access interface and changing the ports on DTLS/SSL. Where can I put in a feature request to change the IPsec proposal port?
04-09-2021 09:55 AM
Can you check the connection profile's Access Interfaces tab? You need to change the web access port number and DTLS port number there to make sure the FTD is not listening on those. It will try to use 443 there for the client downloads and profile updates even for an IKEv2 remote access VPN.
04-09-2021 03:50 PM
Hey Marvin,
Thanks for the reply. I've tried changing the port on the Access Interfaces tab to several different ports to no avail. In my initial post I attached a screenshot (vpnAI.png) showing it changed to port 8000 with DTLS and SSL disabled. I've tried changing it to other ports as well, like 8443, 8080, and random ephemeral ports, but still no go. Even with these settings changed within FMC, when I do a show run | i 443 I still get what's showing in the attached "showrun443.png" screenshot.
I'll give it another shot by creating a brand new policy from scratch. I am currently working with TAC on this issue as well and will update this post with further findings.
Thanks!
Sam
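The port collision this thread is chasing, as an added example that is not part of the original posts and not Cisco's tooling: a small Python script that reads `show run` text and reports which manual NAT rules map to an interface port that the webvpn SSL port, the DTLS port or IKEv2 client services already bind on the same interface. The two config samples inside it are constructed. That FMC renders the Access Interfaces settings as `webvpn` / `port` / `dtls port` lines and the IPsec-IKEv2 option as `crypto ikev2 enable <if> client-services port 443` is an assumption based on ASA syntax; the thread itself only shows the FMC side.

```python
"""Find manual NAT rules that map to an interface port the ASA/FTD itself listens on.

Added example (not from the thread or from Cisco). It parses ASA/FTD-style
running-config text as printed by `show run` and pairs every manual NAT rule
whose mapped side is the interface address with any service bound to the
same interface/protocol/port by webvpn (SSL port), its DTLS port or IKEv2
client services. The sample configs below are constructed; the exact lines
FMC renders for the Access Interfaces settings are an assumption.
"""
import re
from dataclasses import dataclass

DEFAULT_TLS_PORT = 443   # ASA default for webvpn port, dtls port and client-services

@dataclass(frozen=True)
class Binding:
    interface: str
    proto: str     # "tcp" or "udp"
    port: int
    line: str      # config text that produced this binding

def _blocks(cfg):
    """Yield (top-level line, [indented sub-lines]) from ASA-style config text."""
    top, subs = None, []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            subs.append(raw.strip())
            continue
        if top is not None:
            yield top, subs
        top, subs = raw.strip(), []
    if top is not None:
        yield top, subs

def find_listeners(cfg):
    """Ports the device binds for remote-access VPN, per interface."""
    out = []
    for top, subs in _blocks(cfg):
        if top == "webvpn":
            ifaces, ssl, dtls = [], DEFAULT_TLS_PORT, DEFAULT_TLS_PORT
            for s in subs:
                if m := re.match(r"enable (\S+)$", s):
                    ifaces.append(m.group(1))
                elif m := re.match(r"port (\d+)$", s):
                    ssl = int(m.group(1))
                elif m := re.match(r"dtls port (\d+)$", s):
                    dtls = int(m.group(1))
            for i in ifaces:
                out.append(Binding(i, "tcp", ssl, f"webvpn / enable {i} (port {ssl})"))
                out.append(Binding(i, "udp", dtls, f"webvpn / enable {i} (dtls port {dtls})"))
        elif m := re.match(r"crypto ikev2 enable (\S+) client-services(?: port (\d+))?$", top):
            out.append(Binding(m.group(1), "tcp", int(m.group(2) or DEFAULT_TLS_PORT), top))
    return out

def find_nat_bindings(cfg):
    """Interface-mapped ports claimed by manual NAT rules that use service objects."""
    svc, out = {}, []
    for top, subs in _blocks(cfg):
        if m := re.match(r"object service (\S+)$", top):
            for s in subs:
                if sm := re.match(r"service (tcp|udp) source eq (\d+)$", s):
                    svc[m.group(1)] = (sm.group(1), int(sm.group(2)))
        elif m := re.match(r"nat \(([^,]+),([^)]+)\) source static \S+ interface service (\S+) (\S+)$", top):
            if m.group(4) in svc:          # the mapped service object sets the mapped port
                proto, port = svc[m.group(4)]
                out.append(Binding(m.group(2), proto, port, top))
    return out

def find_conflicts(cfg):
    """(NAT line, listener line) pairs that share interface, protocol and port."""
    listeners = find_listeners(cfg)
    return [(n.line, l.line) for n in find_nat_bindings(cfg) for l in listeners
            if (n.interface, n.proto, n.port) == (l.interface, l.proto, l.port)]

# Constructed sample: RA VPN at defaults, so the webvpn SSL port and IKEv2
# client services both own outside tcp/443, which the NAT rule also wants.
CONFIG_BEFORE = """\
object network web-proxy
 host 10.1.1.10
object service tcp443
 service tcp source eq 443
nat (inside,outside) source static web-proxy interface service tcp443 tcp443
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
"""

# Constructed sample of the fix the thread arrived at: SSL/DTLS moved off 443
# and IKEv2 client services no longer enabled on the access interface.
CONFIG_AFTER = """\
object network web-proxy
 host 10.1.1.10
object service tcp443
 service tcp source eq 443
nat (inside,outside) source static web-proxy interface service tcp443 tcp443
crypto ikev2 enable outside
webvpn
 enable outside
 port 8000
 dtls port 8000
 anyconnect enable
"""

if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, find_conflicts(cfg) or "no conflicts")
```

Save the output of `show run` to a file and pass its contents to `find_conflicts`. The script deliberately covers only the pieces in play here: manual NAT with numeric service objects, the webvpn SSL/DTLS ports and IKEv2 client services; object NAT, port names such as `https` and the HTTPS management server are not parsed.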