09-12-2024 09:51 PM
Hi,
Is it possible on FTD to access a public IP assigned to outside interface from the inside network? We have the usecase where users are using AnyConnect and want to access the VPN peer from a guest network provided by the firewall. As they are switching often from home office to real office and keep their notebook in standby, AnyConnect keeps running, has cached the IP address of the VPN peer.
On ASA we're using multiple contexts for this. One for AnyConnect and a second one for outbound internet traffic.
Is this possible on FTD without using contexts or separate physical boxes? For branch offices this would require two HA pairs of FTD 1000 series. We've had so many software bugs and feature limitations with multiple contexts on ASA I don't want to have multiple contexts anymore on next generation firewalls.
I've learned that the FTD 3100 series and higher can run FTD as docker containers (multi instance mode), but that's oversized for a branch office internet edge firewall. One box costs about the same as a car.
Thanks in advance,
Bernd
09-12-2024 10:56 PM
You can simply run webvpn on the inside interface.
This makes it possible for internal users to use AnyConnect to access other zones on the FTD.
MHM
09-12-2024 11:42 PM
I know. But AnyConnect caches the public IP address of the VPN peer when connecting from outside. If the internal DNS entry for the VPN peer uses the inside address, the AnyConnect daemon or the notebook needs to be restarted to resolve to the different IP. That's too inconvenient for our users.
Guest network uses public DNS servers and just does dynamic NAT to a public IP. In the past we used little ASA firewalls for the guest network to be able to provide that functionality until it got replaced with ASA-X and multiple contexts. I hoped that FTD in the meantime is clever enough to allow accessing outside interface IPs from inside. Maybe a NAT rule that maps public IP to inside IP when request comes from inside?
09-12-2024 11:47 PM
FTD also uses hairpin NAT:
inside is NATed to the public IP when inside tries to access outside,
if that is what you are looking for.
https://integratingit.wordpress.com/2021/07/11/ftd-nat-reflection/
MHM
09-12-2024 11:57 PM
Thanks. I'll have to try whether that works to redirect traffic from the inside network that requests the public interface IP to the inside interface IP, and enable webvpn on the inside interface as well.
nat (inside,inside) source static Internal-LAN interface destination static asa-outside-ip asa-inside-ip
webvpn
enable outside
enable inside
...
09-13-2024 12:03 AM
I don't get your requirements.
Hairpin will NAT inside to outside, and hence the internal host can access an internal server that has a public IP in DNS.
Why do you need webvpn for internal then?
MHM
09-17-2024 06:25 AM
I tried that NAT reflection rule. It works for mapping any public IP address to an inside server IP address, but it does not work when using firewall outside/inside interface IP addresses.
09-13-2024 12:12 AM
The guest network does not have access to our internal network. It is just for internet access for guests or for users who want to use AnyConnect instead of wireless 802.1x so they can keep their AnyConnect always running whether they work from home or abroad or in the office.
I'm looking for a solution to provide that functionality without using separate firewalls: separate interfaces for the guest network and the inside network on the same firewall.
09-13-2024 03:18 AM
Would using AnyConnect Trusted Network Detection be an option?
09-17-2024 06:23 AM
That would work from corporate office network, but not guest network. I was looking for a solution to provide a guest network that allows AnyConnect to local site without using dedicated firewall boxes or multiple contexts.