
FTD: Inline interface and routed interface in same VLAN?

Network Diver
Level 3

Hi,

I'm thinking about the following internet edge FTD setup for branch offices. Firewall pair FTD1a/b has two interfaces in the public provider outside VLAN.

  • Interface "inline-outside" is an inline-set to threat protect access to AnyConnect VPN peer FTD2a/b because FTD still is lacking threat-protection for control-plane traffic. One would do IPS here and also block access via geolocation objects.
  • Interface "outside" is a routed interface for dynamic NAT and outbound internet access from internal network and office network.

The local AnyConnect VPN peer on FTD2a/b should be accessible from the local guest network, hence it can't be on the same firewall that provides outbound access (FTD1a/b). In the lab I did such a setup and am able to access from inside through FTD1a/b the outside IP of the device FTD2a/b behind the inline interface. 

Is this a supported and common setup, or am I walking here on uncharted territory full of booby traps?

When looking at FMC connection events, I see that the unicast traffic that FTD1a/b receives from inside and should be sent to the router is also sent to the inline interface. Is this normal? I would expect to see only broadcast traffic from the same VLAN on the inline interface. The FMC management guide [1] states: "Inline interfaces receive all traffic unconditionally, but all traffic received on these interfaces is retransmitted out of an inline set unless explicitly dropped." So an inline interface behaves like a hub and not a switch?

An alternative would be an FTD pair in transparent mode to do threat-protection of the AnyConnect VPN peer, but this would require one additional firewall pair.

Thanks in advance for enlightenment.

Regards,

Bernd

(Image: ftd-inline-interfaces.jpg)

[1] https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html
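One way to verify the behaviour described above is to audit the FMC connection events for the inline interface and separate traffic that is actually destined to the protected VPN peer from traffic that should only have left through the routed "outside" interface. The script below is an added example, not code from the thread or from Cisco: the CSV column names, the interface name "inline-outside", the VPN peer address 198.51.100.10 and the sample event rows are all constructed assumptions, not an FMC export format.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample of connection events. This is NOT a real FMC export;
# the column names are assumptions made for this example only.
SAMPLE_EVENTS = """\
ingress_interface,src_ip,dst_ip,dst_port,action
inline-outside,203.0.113.50,198.51.100.10,443,Allow
inline-outside,203.0.113.51,198.51.100.10,4500,Allow
outside,10.0.0.25,93.184.216.34,443,Allow
inline-outside,10.0.0.25,93.184.216.34,443,Allow
inline-outside,203.0.113.60,198.51.100.10,22,Block
outside,10.0.0.30,198.51.100.10,443,Allow
"""

# Assumed addressing (placeholders, not from the thread): the AnyConnect VPN
# peer FTD2a/b behind the inline set is 198.51.100.10; the internal and
# office networks use RFC 1918 space and are NATed on the routed "outside".
VPN_PEER = ip_address("198.51.100.10")
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
INLINE_IFACE = "inline-outside"  # assumed interface name from the diagram


def is_internal(ip):
    """True if the address belongs to one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_inline_events(csv_text):
    """Split events ingressing the inline set into the ones we expect there
    (traffic to the protected VPN peer) and the ones we do not (anything
    else, e.g. an internal host's outbound flow that should only have
    been forwarded out of the routed "outside" interface)."""
    expected, unexpected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["ingress_interface"] != INLINE_IFACE:
            continue  # routed-interface events are not the question here
        if ip_address(row["dst_ip"]) == VPN_PEER:
            expected.append(row)
        else:
            unexpected.append(row)
    return expected, unexpected


def summarize(csv_text):
    """Counts plus a sorted list of the unexpected flows for quick review."""
    expected, unexpected = audit_inline_events(csv_text)
    flows = sorted(
        f"{r['src_ip']}->{r['dst_ip']}:{r['dst_port']}" for r in unexpected
    )
    internal_leaks = sum(1 for r in unexpected if is_internal(r["src_ip"]))
    return {
        "expected": len(expected),
        "unexpected": len(unexpected),
        "unexpected_from_internal": internal_leaks,
        "unexpected_flows": flows,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

Run against a real export after renaming the columns to match; any entry in `unexpected_flows` with an internal source is exactly the unicast-on-the-inline-set symptom the question describes and is worth raising with TAC together with the diagram.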


2 Replies

Peter Koltl
Level 7

Version 7.7 introduces geolocation based RAVPN filtering.

FTD 7.7 is a long way off. The currently suggested release is 7.4.2. Also, the original question was more about whether having an inline interface and a routed interface in the same VLAN causes trouble, as unicast traffic that should go to the default gateway is also being seen on the inline interface.
