Firepower 1010 Unable to Connect to LAN Devices

mlandavazo (Level 1)

I've got a Firepower 1010 set up (FTD via FDM) as a remote VPN device and I am unable to see devices on the LAN when I connect to the VPN.

7 Replies

@mlandavazo

You need to configure an Access Control rule from source "outside" to destination "inside" permitting traffic, you don't have that currently.

You also need a NAT exemption rule between the inside network and the outside (RAVPN) network that does not translate the traffic.

@Rob Ingram Thank you, I had an Access Control rule like that in place but was still not able to connect, so NAT is most likely the issue. Is the attached rule what I should implement?

@Rob Ingram I found some info on NAT Exempt rules and made the attached changes.

@mlandavazo I'm not sure what your intention is in using the diagnostic interface. The Diagnostic interface only allows management traffic, and does not allow through traffic.

Connect to a data interface, assign an IP address and ensure this is a member of the "inside_zone" zone, write your NAT and ACP rules referring to the "inside_zone".
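Added example (not part of this thread, and not Cisco's code): a small offline check that reads the ASA-style text that `show running-config` prints on the FTD CLI and verifies the three points raised in the two replies above: the LAN sits on a data interface rather than the diagnostic/management interface, an identity (no-translate) NAT rule exists between the LAN network and the RA VPN pool, and the VPN pool does not overlap the LAN object (relevant once the LAN object is as wide as 192.168.0.0/16). The config excerpt and the object names `LAN_NET` and `VPN_POOL` are constructed assumptions, not taken from the poster's attachments.

```python
"""Sanity-check an FTD RA VPN 'can't reach the LAN' setup from running-config text.

Added example, not from the thread or from Cisco. It parses a constructed
excerpt in the ASA-style syntax that the FTD CLI prints and checks:
 1. the LAN nameif is bound to a data interface, not Management1/1
    (the diagnostic interface passes no through traffic);
 2. a manual static NAT rule maps LAN_NET->LAN_NET and VPN_POOL->VPN_POOL,
    i.e. a NAT exemption so VPN<->LAN traffic is not translated;
 3. the VPN pool and the LAN object do not overlap.
Object names and the excerpt itself are assumptions for illustration.
"""
import ipaddress
import re

# Constructed sample: what a minimal, working configuration might print.
CONSTRUCTED_CONFIG = """\
interface Ethernet1/2
 nameif inside
 security-level 0
 ip address 192.168.10.1 255.255.255.0
interface Management1/1
 nameif diagnostic
object network LAN_NET
 subnet 192.168.0.0 255.255.0.0
object network VPN_POOL
 range 10.99.0.1 10.99.0.254
nat (inside,outside) source static LAN_NET LAN_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
"""

# Manual (twice) NAT line as shown by `show running-config nat`.
NAT_RE = re.compile(
    r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source (?P<stype>static|dynamic) "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?(?P<opts>.*)"
)


def parse_config(text):
    """Return interfaces {nameif: physical}, objects {name: (lo, hi)} and NAT rules."""
    cfg = {"interfaces": {}, "objects": {}, "nat": []}
    current_if = current_obj = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        tok = line.split()
        if not line.startswith(" "):          # top-level statement
            current_if = current_obj = None
            if tok[0] == "interface":
                current_if = tok[1]
            elif tok[:2] == ["object", "network"]:
                current_obj = tok[2]
            elif tok[0] == "nat":
                m = NAT_RE.match(line)
                if m:
                    cfg["nat"].append(m.groupdict())
            continue
        if current_if and tok[0] == "nameif":
            cfg["interfaces"][tok[1]] = current_if
        elif current_obj and tok[0] == "subnet":
            net = ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}")
            cfg["objects"][current_obj] = (int(net[0]), int(net[-1]))
        elif current_obj and tok[0] == "range":
            cfg["objects"][current_obj] = (int(ipaddress.IPv4Address(tok[1])),
                                           int(ipaddress.IPv4Address(tok[2])))
        elif current_obj and tok[0] == "host":
            a = int(ipaddress.IPv4Address(tok[1]))
            cfg["objects"][current_obj] = (a, a)
    return cfg


def lan_on_data_interface(cfg, nameif="inside"):
    """True if the LAN nameif exists and is not the management (diagnostic) port."""
    phys = cfg["interfaces"].get(nameif)
    return phys is not None and not phys.startswith("Management")


def has_nat_exemption(cfg, lan, pool):
    """True if a static identity rule covers LAN<->pool with no translation."""
    for r in cfg["nat"]:
        if r["stype"] != "static" or r["src_real"] != r["src_mapped"]:
            continue
        if r["dst_real"] is None or r["dst_real"] != r["dst_mapped"]:
            continue
        if {r["src_real"], r["dst_real"]} == {lan, pool}:
            return True
    return False


def objects_overlap(cfg, a, b):
    """True if the two address objects share any address."""
    (alo, ahi), (blo, bhi) = cfg["objects"][a], cfg["objects"][b]
    return alo <= bhi and blo <= ahi


def check(text, lan="LAN_NET", pool="VPN_POOL"):
    cfg = parse_config(text)
    return {
        "data_interface": lan_on_data_interface(cfg),
        "nat_exempt": has_nat_exemption(cfg, lan, pool),
        "pool_overlaps_lan": objects_overlap(cfg, lan, pool),
    }


if __name__ == "__main__":
    for k, v in check(CONSTRUCTED_CONFIG).items():
        print(f"{k}: {v}")
```

If `nat_exempt` comes back False, the VPN-to-LAN traffic is hitting some other NAT rule; if `pool_overlaps_lan` is True, hosts on the LAN will resolve VPN client addresses as local and replies never return through the firewall.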

@Rob Ingram I wasn't aware that the management interface could not also be used to allow through traffic. I'll connect to a data interface and see what I can do. 

Do you foresee any issues if I create a LAN network object and assign it the following IP range that our LAN uses? 192.168.0.0/16

@Rob Ingram  I removed an ethernet port from the bridge group, connected it to our LAN, and gave it an IP address. From here I can just create the rules you mentioned?

@Rob Ingram Still cannot ping any local devices. I've attached my NAT rule, firewall access rule, and the network object I created for our LAN IP range. Attached pertinent RA VPN rules as well.
