
Firepower VPN Hairpining on Outside Interface and Access Control Policy

pncisco216 (Level 1)

Hello,

We are using a pair of Firepower 2110s running FTD version 6.5.0.4, managed with an FMC. Remote VPN with AnyConnect has been successfully configured with a split-tunnel arrangement of "tunnel all". An outside/outside NAT rule was added to allow Internet traffic to hairpin back out the outside interface. This is functioning and VPN users can access the Internet and the internal corporate LAN. I may be missing something here, but the Internet traffic does not seem to be subject to any kind of access control policy and it is just allowed by default. Does this make sense, or is there a rule somewhere allowing this that I am missing? What if I wanted to subject this Internet traffic to the access control policy? Is that possible, with an outside-zone-to-outside-zone rule? If so, how is the traffic allowed now, with no such rule? Any thoughts or experience with this would be appreciated.

Thank you,

Paul

 


4 Replies

pncisco216 (Level 1), accepted solution

Hello,

So I think I have figured this out. I had the "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" option selected under VPN->Remote Access-><selected device>->Access Interfaces. Once I de-selected this, the Internet traffic was blocked from ingress zone outside to egress zone outside. Adding an access control policy rule to match the desired traffic should restore the access.

Thank you,

Paul

 

Cristian Matei, accepted solution

Hi,

That should fix it, indeed. However, be aware that although you configure that rule for your VPN traffic, it also applies to clear-text traffic received from the Internet that matches it (not very likely, as the source would be your private VPN pool, but possible). To close this security gap, you would have to enable uRPF on your Internet-facing interfaces.

Regards,

Cristian Matei.

pncisco216 (Level 1)

Cristian,

So to enable uRPF, I would need to select "Enable Anti Spoofing" under Interface->Advanced->Security Configuration for my outside interface in FMC. Correct?

Thank you for the advice,

Paul

Cristian Matei

Hi,

That is correct.

Cheers,

Cristian Matei.
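The thread above settles on three settings: unticking the sysopt permit-vpn bypass so decrypted VPN traffic hits the access control policy, adding an outside-to-outside rule for the VPN pool, and enabling anti-spoofing (uRPF) on the outside interface so that a clear-text packet from the Internet with a pool source address cannot ride the same rule. The Python model below, added here as an illustration and not code from the thread or from Cisco, walks a decrypted VPN packet and a spoofed clear-text packet through each of those states. The interface names, the 10.10.10.0/24 pool, the 203.0.113.10 and 192.168.1.20 destinations, the per-client /32 host route and the Null0 summary route for the pool are all constructed for the model; uRPF is modelled as the usual source-route check (the route back to the source must leave via the ingress interface).

```python
"""Toy model of the decisions discussed in this thread: the sysopt permit-vpn
bypass of the access control policy, an outside->outside rule for hairpinned
VPN traffic, and uRPF (anti-spoofing) on the outside interface.
Illustration written for this page, not Cisco's implementation; all addresses,
interface names and routes below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str               # interface (= zone here) the packet arrived on
    decrypted_from_vpn: bool   # True if it just came out of the RA-VPN tunnel


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_net: str               # source prefix the rule matches
    action: str                # "allow" or "block"


class Firewall:
    def __init__(self, routes, rules, sysopt_permit_vpn, urpf_interfaces=()):
        # routes: (prefix, egress interface) pairs; longest prefix wins
        self.routes = [(ip_network(p), ifc) for p, ifc in routes]
        self.rules = list(rules)
        self.sysopt_permit_vpn = sysopt_permit_vpn
        self.urpf_interfaces = set(urpf_interfaces)

    def route_lookup(self, addr):
        """Egress interface for addr by longest-prefix match, None if unrouted."""
        addr = ip_address(addr)
        matches = [(net, ifc) for net, ifc in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def urpf_ok(self, pkt):
        """uRPF: the route back to the source must leave via the ingress interface."""
        if pkt.ingress not in self.urpf_interfaces:
            return True
        return self.route_lookup(pkt.src) == pkt.ingress

    def acp(self, pkt):
        """Access control policy: zone-based rules, or the permit-vpn bypass."""
        if pkt.decrypted_from_vpn and self.sysopt_permit_vpn:
            return "allow (sysopt permit-vpn bypass)"
        egress = self.route_lookup(pkt.dst)
        for r in self.rules:
            if (r.src_zone == pkt.ingress and r.dst_zone == egress
                    and ip_address(pkt.src) in ip_network(r.src_net)):
                return f"{r.action} (rule {r.src_zone}->{r.dst_zone} {r.src_net})"
        return "block (default action)"

    def forward(self, pkt):
        if not self.urpf_ok(pkt):
            return "drop (uRPF: source not routed via ingress interface)"
        return self.acp(pkt)


# Constructed topology: default route out "outside", LAN behind "inside",
# and the per-client host route the firewall holds for a connected VPN user.
POOL = "10.10.10.0/24"
BASE_ROUTES = [("0.0.0.0/0", "outside"), ("192.168.1.0/24", "inside"),
               ("10.10.10.5/32", "outside")]
HAIRPIN_RULE = Rule("outside", "outside", POOL, "allow")
LAN_RULE = Rule("outside", "inside", POOL, "allow")

# Decrypted VPN traffic (Internet-bound and LAN-bound) and a clear-text packet
# from the Internet that spoofs an unassigned pool address.
VPN_TO_INTERNET = Packet("10.10.10.5", "203.0.113.10", "outside", True)
VPN_TO_LAN = Packet("10.10.10.5", "192.168.1.20", "outside", True)
SPOOFED = Packet("10.10.10.77", "203.0.113.10", "outside", False)


def with_bypass():            # original state: box ticked, no rules needed
    return Firewall(BASE_ROUTES, [], sysopt_permit_vpn=True)

def without_bypass():         # box unticked, no rules yet
    return Firewall(BASE_ROUTES, [], sysopt_permit_vpn=False)

def with_rules():             # box unticked, outside->outside and LAN rules
    return Firewall(BASE_ROUTES, [HAIRPIN_RULE, LAN_RULE], False)

def with_rules_and_urpf():    # plus anti-spoofing on outside
    return Firewall(BASE_ROUTES, [HAIRPIN_RULE, LAN_RULE], False, ["outside"])

def with_pool_blackhole():    # plus a summary route for the pool away from outside
    return Firewall(BASE_ROUTES + [(POOL, "Null0")],
                    [HAIRPIN_RULE, LAN_RULE], False, ["outside"])


if __name__ == "__main__":
    for name, fw in [("bypass on", with_bypass()), ("bypass off", without_bypass()),
                     ("rules", with_rules()), ("rules+uRPF", with_rules_and_urpf()),
                     ("rules+uRPF+pool route", with_pool_blackhole())]:
        for pkt in (VPN_TO_INTERNET, VPN_TO_LAN, SPOOFED):
            print(f"{name:22} {pkt.src:>12} -> {pkt.dst:<14} {fw.forward(pkt)}")
```

Two things the model makes visible that the thread only states. First, with the bypass ticked the spoofed packet is blocked (it never came out of the tunnel, so it is evaluated by the policy and hits the default action), and it is only the new outside-to-outside rule that opens the way for it. Second, uRPF is a routing-table check: with nothing but a default route out outside, the spoofed source still resolves to outside and the packet passes, and it is dropped only once the pool has a more specific route that does not point out outside (the Null0 route here, with the connected client's /32 host route keeping real VPN traffic routable). So check the device's route for the pool before relying on the anti-spoofing setting. On the device itself the FMC checkbox corresponds to `sysopt connection permit-vpn` and "Enable Anti Spoofing" to `ip verify reverse-path interface outside` in the deployed configuration; `show running-config all sysopt` and `show running-config ip verify` from the diagnostic CLI (`system support diagnostic-cli`) confirm what was actually pushed.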
