pntbaytel
Beginner

Firepower VPN Hairpinning on Outside Interface and Access Control Policy

Hello,

We are using a pair of Firepower 2110s running FTD version 6.5.0.4, managed with an FMC. Remote VPN with AnyConnect has been successfully configured with a split-tunnel arrangement of "tunnel all". An outside/outside NAT rule was added to allow Internet traffic to hairpin back out the outside interface. This is functioning and VPN users can access the Internet and the internal corporate LAN. I may be missing something here, but the Internet traffic does not seem to be subject to any kind of access control policy and it is just allowed by default. Does this make sense, or is there a rule somewhere allowing this that I am missing? What if I wanted to subject this Internet traffic to an access control policy? Is that possible, with an outside zone to outside zone rule? If so, how is the traffic allowed now, with no such rule? Any thoughts or experience with this would be appreciated.

Thank you,

Paul
Accepted Solutions
pntbaytel
Beginner

Hello,

So I think I have figured this out. I had the "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" option selected under VPN->Remote Access-><selected device>->Access Interfaces. Once I de-selected this, the Internet traffic was blocked from ingress zone outside to egress zone outside. Adding an access control policy rule to match the desired traffic should restore the access.

Thank you,

Paul

Hi,

That should fix it, indeed. However, be aware that although you configure that rule for your VPN traffic, at the same time it applies to just clear-text traffic received from the Internet that matches it (not very likely, as the source would be your private VPN pool, but possible). To close this security gap, you would have to enable uRPF on your Internet-facing interfaces.

Regards,

Cristian Matei.

Cristian,

So to enable uRPF, I would need to select "Enable Anti Spoofing" under Interface->Advanced->Security Configuration for my outside interface in FMC. Correct?

Thank you for the advice,

Paul

Hi,

That is correct.

Cheers,

Cristian Matei.
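The two findings in this thread (sysopt permit-vpn bypassing the ACP, and an outside-to-outside allow rule also matching clear-text packets that spoof a VPN pool address unless anti-spoofing/uRPF is on) can be traced in a small model of the forwarding decision. The code below is an added illustration, not FTD code or Cisco's evaluation order; the addresses, zone names (assumed equal to interface names) and the treatment of decrypted traffic as arriving via a "vpn" path are all constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption: the thread gives no addresses or zone names).
VPN_POOL = ip_network("10.99.0.0/24")
ROUTES = {                        # prefix -> path it is reached through
    VPN_POOL: "vpn",              # assumption: pool is reached via the AnyConnect tunnel
    ip_network("10.1.0.0/16"): "inside",
    ip_network("0.0.0.0/0"): "outside",
}

def route_lookup(addr: str) -> str:
    """Longest-prefix match of addr against ROUTES; returns the path name."""
    best = max((n for n in ROUTES if ip_address(addr) in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

@dataclass
class Packet:
    src: str
    dst: str
    ingress: str             # interface the packet arrived on
    decrypted: bool = False  # True if it was just decapsulated from an AnyConnect tunnel

@dataclass
class Policy:
    sysopt_permit_vpn: bool                       # "Bypass Access Control policy for decrypted traffic"
    acp: list = field(default_factory=list)       # (ingress zone, egress zone, src network, action)
    anti_spoof: set = field(default_factory=set)  # interfaces with "Enable Anti Spoofing" (uRPF)

def evaluate(pkt: Packet, pol: Policy) -> str:
    # 1. uRPF: the source must be reachable through the path the packet came in on.
    #    Assumption: decrypted traffic is checked against the tunnel path, so a real
    #    AnyConnect packet passes while clear-text outside traffic claiming a pool address fails.
    if pkt.ingress in pol.anti_spoof:
        arrived_via = "vpn" if pkt.decrypted else pkt.ingress
        if route_lookup(pkt.src) != arrived_via:
            return "drop:urpf"
    egress = route_lookup(pkt.dst)
    # 2. sysopt permit-vpn: decrypted traffic skips the ACP entirely (the original symptom).
    if pkt.decrypted and pol.sysopt_permit_vpn:
        return f"allow:sysopt-permit-vpn:{pkt.ingress}->{egress}"
    # 3. Otherwise the first matching ACP rule decides; no match means the default block.
    for ing, egr, net, action in pol.acp:
        if ing == pkt.ingress and egr == egress and ip_address(pkt.src) in net:
            return f"{action}:acp:{ing}->{egr}"
    return "drop:default-action"
```

Run the same hairpin packet through the three policy states, then a clear-text packet with a forged pool source, to see that the outside-to-outside rule alone admits the forged packet and anti-spoofing is what drops it.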
