FirePower Routing

Shultz777
Level 1

I have a lab where I am trying to get VPN AnyConnect traffic to access a server on VLAN 10 of the inside network, but it won't reach the server; I can access everything on VLAN 1. The server can ping and traceroute to the VPN client; the VPN client cannot ping, and tracert fails at the first hop.

I have sub-interfaces on the Firepower for the VLANs on the inside interface; from what I understand that creates a trunk port on Firepower devices.

I have NAT rules in place and added the VLAN address to the ACL for VPN traffic.

IP schema:

VPN - 10.10.101.0/24 (VLAN 1 can access / VLAN 10 can reach)

VLAN10 - 192.168.10.0/24 (all VLANs can reach it on the internal network, VPN cannot reach it)

VLAN1 - 192.168.1.0/24 (VPN can access both ways)

Not sure what I am missing?

4 Replies

balaji.bandi
Hall of Fame

What do you see in the logs when the VPN user tries to access the server?

 

Just thinking, you may not have an ACL in place from the VPN IP address to the server IP (this is just a guess).

 

BB


I don't see anything in the logs on Firepower or AnyConnect about failed connections. I added the VLAN address to the same ACL that connects VLAN 1 to the VPN; still no connection.

In the FW you need:

a static route toward the interface connected to VLAN 10.

On the other side you need a static route for the AnyConnect pool pointing to the interface of the FW.

Hi,

Have you created no-NAT rules in Firepower for VLAN 10 to reach the VPN pool without NATting? You need to create twice NAT to ensure source and destination are not changed when connecting from the VPN to VLAN 10 (don't use the no-proxy or routing options).

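Putting the routing reply and the twice-NAT reply together, here is an added example (not from the thread or from Cisco) of the ASA/FTD-style NAT exemption for the AnyConnect pool and VLAN 10, using the addresses from the question. On an FMC-managed FTD this is built as a Manual NAT rule in the "NAT Rules Before" section; the lines below are the equivalent that `show running-config nat` displays afterwards. The interface names `inside_vlan10` and `outside` and the inside-router address are assumptions.

```cisco
! Added example, not the poster's configuration. Addresses come from the
! thread; interface names are assumed.
object network VPN_POOL
 subnet 10.10.101.0 255.255.255.0
object network VLAN10_NET
 subnet 192.168.10.0 255.255.255.0

! Identity (twice) NAT: source and destination are left unchanged in both
! directions. As a Manual NAT rule "before auto" it is evaluated ahead of
! any object (auto) NAT, so the VPN <-> VLAN 10 flow never hits the
! dynamic PAT used for Internet access. Per the reply above, the
! no-proxy-arp and route-lookup options are deliberately left off.
nat (inside_vlan10,outside) source static VLAN10_NET VLAN10_NET destination static VPN_POOL VPN_POOL

! Typical dynamic PAT for VLAN 10's Internet traffic (object NAT, evaluated
! after the identity rule above).
object network VLAN10_NET
 nat (inside_vlan10,outside) dynamic interface

! Routing: with VLAN 10 as a sub-interface, 192.168.10.0/24 is directly
! connected and needs no static route on the FTD. Only if VLAN 10 instead
! sits behind an inside router (assumption) would this be required:
! route inside_vlan10 192.168.10.0 255.255.255.0 192.168.1.254
! In either case the server (or inside router) must route 10.10.101.0/24
! back to the FTD's VLAN 10 address, which the reply above also points out.

! Verification: the identity rule's translate/untranslate hit counters
! should increase when the VPN client pings the VLAN 10 server.
show nat detail
```

If the hit counters on the identity rule stay at zero while the client pings, the flow is matching a different rule or is being dropped before NAT, which narrows the search to the access control policy or the route.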