03-26-2020 06:53 AM
Hello,
We are using a pair of Firepower 2110s running FTD version 6.5.0.4, managed with an FMC. Remote VPN with AnyConnect has been successfully configured with a split-tunnel arrangement of "tunnel all". An outside/outside NAT rule was added to allow Internet traffic to hairpin back out the outside interface. This is functioning and VPN users can access the Internet and the internal corporate LAN. I may be missing something here, but the Internet traffic does not seem to be subject to any kind of access control policy and is just allowed by default. Does this make sense, or is there a rule somewhere allowing this that I am missing? What if I wanted to subject this Internet traffic to access control policy? Is that possible, with an outside zone to outside zone rule? If so, how is the traffic allowed now, with no such rule? Any thoughts or experience with this would be appreciated.
Thank you,
Paul
03-26-2020 08:04 AM
Hello,
So I think I have figured this out. I had the "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" option selected under VPN->Remote Access-><selected device>->Access Interfaces. Once I de-selected this, the Internet traffic was blocked from ingress zone outside to egress zone outside. Adding access control policy to match the desired traffic should restore the access.
Thank you,
Paul
03-26-2020 01:24 PM
Hi,
That should fix it, indeed. However, be aware that although you configure that rule for your VPN traffic, it applies just the same to clear-text traffic received from the Internet that matches it (not very likely, as the source would be your private VPN pool, but possible). To close this security gap, you would have to enable uRPF on your Internet-facing interfaces.
Regards,
Cristian Matei.
03-26-2020 01:39 PM
Cristian,
So to enable uRPF, I would need to select "Enable Anti Spoofing" under Interface->Advanced->Security Configuration for my outside interface in FMC. Correct?
Thank you for the advice,
Paul
03-26-2020 01:56 PM
Hi,
That is correct.
Cheers,
Cristian Matei.
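An added example, not from this thread or from Cisco: a small Python model of the evaluation order the replies above rely on (anti-spoofing first, then the "sysopt permit-vpn" bypass, then the outside-to-outside access control rule), using a constructed VPN pool and rule set. The anti-spoofing test and the default block action are assumptions chosen to reflect what the replies describe, not FTD's internal implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample AnyConnect address pool (not a real deployment value).
VPN_POOL = ip_network("10.99.0.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    ingress_zone: str
    egress_zone: str
    decrypted: bool  # True only if the packet arrived inside the VPN tunnel


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src_net: str
    action: str  # "allow" or "block"


def passes_anti_spoofing(pkt: Packet) -> bool:
    """Model of the 'Enable Anti Spoofing' (uRPF) check from the reply:
    a clear-text packet on the outside interface carrying a VPN-pool source
    cannot be legitimate, because pool addresses are only ever sourced from
    inside the tunnel. Assumption: this models the intent, not FTD's code."""
    return not (pkt.ingress_zone == "outside" and not pkt.decrypted
                and ip_address(pkt.src) in VPN_POOL)


def evaluate(pkt: Packet, rules: list, sysopt_permit_vpn: bool,
             anti_spoofing: bool) -> str:
    """Return the verdict for one packet under the given settings."""
    if anti_spoofing and not passes_anti_spoofing(pkt):
        return "drop (anti-spoofing)"
    # sysopt permit-vpn: decrypted traffic skips the access control policy.
    if sysopt_permit_vpn and pkt.decrypted:
        return "allow (bypass ACP)"
    for r in rules:
        if (r.src_zone == pkt.ingress_zone and r.dst_zone == pkt.egress_zone
                and ip_address(pkt.src) in ip_network(r.src_net)):
            return r.action
    # Assumption: the access control policy's default action is block.
    return "block (default action)"
```

Run with a decrypted hairpin packet and with a clear-text packet bearing the same pool source to see why the outside-to-outside rule alone leaves the gap the reply mentions.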