09-12-2024 09:51 PM
Hi,
Is it possible on FTD to access a public IP assigned to outside interface from the inside network? We have the usecase where users are using AnyConnect and want to access the VPN peer from a guest network provided by the firewall. As they are switching often from home office to real office and keep their notebook in standby, AnyConnect keeps running, has cached the IP address of the VPN peer.
On ASA we're using multiple contexts for this. One for AnyConnect and a second one for outbound internet traffic.
Is this possible on FTD without using contexts or separate physical boxes? For branch offices this would require two HA pairs of FTD 1000 series. We've had so many software bugs and feature limitations with multiple contexts on ASA I don't want to have multiple contexts anymore on next generation firewalls.
I've learned that the FTD 3100 series and higher can run FTD as docker containers (multi instance mode), but that's oversized for a branch office internet edge firewall. One box costs about the same as a car.
Thanks in advance,
Bernd
09-12-2024 10:56 PM
You can simply run webvpn in inside interface'
This make user internal to use anyconnect to access other zone in ftd
MHM
09-12-2024 11:42 PM
I know. But AnyConnect caches the public IP address of the VPN peer when connecting from outside. If internal DNS entry for VPN peer uses inside address, the AnyConnect daemon or notebook needs to be restarted to resolve to the different IP. That's too inconvenient for our users.
Guest network uses public DNS servers and just does dynamic NAT to a public IP. In the past we used little ASA firewalls for the guest network to be able to provide that functionality until it got replaced with ASA-X and multiple contexts. I hoped that FTD in the meantime is clever enough to allow accessing outside interface IPs from inside. Maybe a NAT rule that maps public IP to inside IP when request comes from inside?
09-12-2024 11:47 PM
FTD also use hairpin NAT
INSIDE NATing to Public IP when Inside is try to access Outside
if that what you looking for
https://integratingit.wordpress.com/2021/07/11/ftd-nat-reflection/
MHM
09-12-2024 11:57 PM
Thanks. Have to try if that works to direct traffic from inside network requesting public interface IP to inside interface IP and enable webvpn also on inside interface.
nat (inside,inside) source static Internal-LAN interface destination static asa-outside-ip asa-inside-ip
webvpn
enable outside
enable inside
...
09-13-2024 12:03 AM
I dont get your requirements
Hairpin will NAT Inside to Outside and hence the internal host can access internal server that have dns public IP in dns.
Why you need webvpn for internal then?
MHM
09-17-2024 06:25 AM
I tried that NAT reflection rule. It works for mapping any public IP address to an inside server IP address, but it does not work when using firewall outside/inside interface IP addresses.
09-13-2024 12:12 AM
The guest network does not have access to our internal network. It is just for internet access for guests or for users who want to use AnyConnect instead of wireless 802.1x so they can keep their AnyConnect always running whether they work from home or abroad or in the office.
I'm looking for a solution to provide that functionality without using separate firewalls. Separate interface for guest network and inside network on same firewall.
09-13-2024 03:18 AM
Would using AnyConnect Trusted Network Detection be an option?
09-17-2024 06:23 AM
That would work from corporate office network, but not guest network. I was looking for a solution to provide a guest network that allows AnyConnect to local site without using dedicated firewall boxes or multiple contexts.
11-28-2024 02:21 AM
Digged a bit deeper into FTD features and looked at the inline interface sets. Would it be possible to create two interfaces for an inline set that connect the public internet form the provider and behind a dedicated FTD for AnyConnect VPN? Are then the public IP address of the VPN device (labeled FTD2a/2b) accessible through the internet edge FTDs?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide