Firepower VPN Hairpinning on Outside Interface and Access Control Policy

Hello,

We are using a pair of Firepower 2110s running FTD version 6.5.0.4, managed with an FMC. Remote VPN with AnyConnect has been successfully configured with a split-tunnel arrangement of "tunnel all". An outside/outside NAT rule was added to allow Internet traffic to hairpin back out the outside interface. This is functioning and VPN users can access the Internet and the internal corporate LAN. I may be missing something here, but the Internet traffic does not seem to be subject to any kind of access control policy and it is just allowed by default. Does this make sense, or is there a rule somewhere allowing this that I am missing? What if I wanted to subject this Internet traffic to access control policy? Is that possible, with an outside zone to outside zone rule? If so, how is the traffic allowed now, with no such rule? Any thoughts or experience with this would be appreciated.

Thank you,

Paul

Re: Firepower VPN Hairpinning on Outside Interface and Access Control Policy

Hello,

So I think I have figured this out. I had the "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" option selected under VPN->Remote Access-><selected device>->Access Interfaces. Once I de-selected this, the Internet traffic was blocked from ingress zone outside to egress zone outside. Adding access control policy to match the desired traffic should restore the access.

Thank you,

Paul


Re: Firepower VPN Hairpinning on Outside Interface and Access Control Policy

Hi,

That should fix it, indeed. However, be aware that although you configure that rule for your VPN traffic, at the same time it also applies to clear-text traffic received from the Internet that matches it (not very likely, as the source would be your private VPN pool, but possible). To close this security gap, you would have to enable uRPF on your Internet-facing interfaces.

Regards,

Cristian Matei.


Re: Firepower VPN Hairpinning on Outside Interface and Access Control Policy

Cristian,

So to enable uRPF, I would need to select "Enable Anti Spoofing" under Interface->Advanced->Security Configuration for my outside interface in FMC. Correct?

Thank you for the advice,

Paul


Re: Firepower VPN Hairpinning on Outside Interface and Access Control Policy

Hi,

That is correct.

Cheers,

Cristian Matei.
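Added example, not part of the original thread: the sequence of FTD diagnostic-CLI commands (entered after `system support diagnostic-cli` on the FTD, which gives the ASA-style shell) that lets you verify each setting the posts touch on, in order: whether the permit-vpn bypass is deployed, the outside-to-outside hairpin NAT, the outside-to-outside access control rule once the bypass is off, and the uRPF line that "Enable Anti Spoofing" deploys. It also reproduces Cristian's clear-text spoofing concern with packet-tracer. The object name VPN_POOL, the pool 10.10.10.0/24 and the destination 203.0.113.10 are placeholders; CSM_FW_ACL_ is the access list FMC generates for access control rules on FTD. Lines starting with `!` are annotations, not commands to type.

```text
! 1. Is decrypted VPN traffic bypassing the access control policy?
!    "sysopt connection permit-vpn"     -> the FMC bypass checkbox is ON,
!                                          decrypted traffic skips the ACP
!    "no sysopt connection permit-vpn"  -> bypass is OFF, decrypted traffic
!                                          is evaluated against the ACP
show running-config sysopt

! 2. Confirm the outside/outside hairpin NAT rule the thread describes.
!    Expected shape (object names differ per deployment, VPN_POOL is a placeholder):
!    nat (outside,outside) source dynamic VPN_POOL interface
show running-config nat

! 3. With the bypass off, an outside->outside access control rule must exist.
!    Zones are rendered on the FTD as interface names ("ifc outside ... ifc outside").
show running-config access-list | include outside
show access-list CSM_FW_ACL_ | include VPN_POOL

! 4. Cristian's spoofing case: simulate a CLEAR-TEXT TCP packet arriving on
!    outside whose source is a VPN-pool address (10.10.10.5 is constructed).
!    No "decrypted" keyword is given, so the firewall treats it as plain traffic
!    from the Internet. Read the ACCESS-LIST phase: if the result is ALLOW, the
!    rule written for VPN users is also reachable from the Internet in the clear.
packet-tracer input outside tcp 10.10.10.5 40000 203.0.113.10 443

! 5. "Enable Anti Spoofing" on the outside interface in FMC deploys uRPF:
!    expected line: ip verify reverse-path interface outside
show running-config | include ip verify reverse-path

! 6. Re-run the packet-tracer from step 4 after deploying anti-spoofing, then
!    check the counters. A uRPF drop appears in both outputs below
!    (asp drop reason "Reverse-path verify failed", name rpf-violated).
show ip verify statistics
show asp drop | include rpf
```

uRPF is a routing-table check: a source is accepted only if the route back to it leaves through the interface the packet arrived on. Rather than assuming which spoofed sources it catches in your topology, run the step 4 packet-tracer with a pool address, an internal LAN address and an unknown address as the source, and compare the results before and after step 5. The ACP rule itself is visible only when `show running-config sysopt` no longer prints `sysopt connection permit-vpn`; with the bypass on, step 4 traffic from a real AnyConnect session never reaches the ACCESS-LIST phase, which is the behaviour the original question observed.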