Firepower 1120, not passing traffic through ssl vpn

mnowicky
Level 1

Have an issue with Firepower 1120 not passing traffic from SSL VPN to the internal networks. The AnyConnect client is able to connect and is given an IP in the correct pool; however, it will not route traffic between the VPN and internal networks.

The odd thing is that the default gateway assigned to VPN clients is not correct. The correct gateway is 172.30.100.254, while the assigned gateway and subnet mask are wrong, as follows:

subnet: 255.255.0.0
Gateway: 172.30.0.1

I read that it is correct for the subnet mask to be like that; however, something definitely seems wrong. The Firepower appliance is able to ping both the connected client and hosts in the internal network, but will not pass traffic.

Accepted Solution

@mnowicky you probably need a NAT exemption rule to ensure traffic between the inside networks and the RAVPN pool network is not unintentionally translated.

Example if using FDM to locally manage the FTD:-

[Screenshot: RobIngram_0-1688401004770.png, FDM NAT exemption rule]

I assume the core switch default route is via the 1120 firewall, so no routing issues?

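What the FDM NAT exemption rule in the accepted answer amounts to, as an added example in FTD/ASA CLI syntax (not the poster's configuration): the interface names, object names, the 172.30.100.0/24 inside subnet and the 172.30.200.0/24 VPN pool are assumptions. On an FDM-managed box the rule is built in the GUI and then appears in this form in `show running-config nat`, and `show nat` plus `packet-tracer` are available from the FTD CLI to verify it.

```text
! Objects (names and prefixes are assumed; substitute the real inside subnet and RAVPN pool)
object network INSIDE-NET
 subnet 172.30.100.0 255.255.255.0
object network RAVPN-POOL
 subnet 172.30.200.0 255.255.255.0
!
! Identity (exempt) twice-NAT rule, ordered before any dynamic PAT rule so that
! inside <-> pool traffic matches here first and leaves the firewall untranslated.
! no-proxy-arp / route-lookup correspond to the FDM advanced options of the same names.
nat (inside,outside) 1 source static INSIDE-NET INSIDE-NET destination static RAVPN-POOL RAVPN-POOL no-proxy-arp route-lookup
!
! Verification from the FTD CLI: confirm the exempt rule exists and that a simulated
! inside -> VPN-client packet (assumed addresses) is allowed without translation.
> show nat
> packet-tracer input inside tcp 172.30.100.10 40000 172.30.200.5 445 detailed
```

The translate hit count on the exempt rule in `show nat` should increase and the NAT phase of the packet-tracer output should show the identity translation; if the packet is instead translated to the outside address, a dynamic PAT rule is ordered ahead of the exemption.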

2 Replies

mnowicky
Level 1

That was it, thank you so much!
