FTD Route Based VPN Question

N3om
Level 3

Hi
Can I add a NAT exemption rule after I have created a route-based VPN on FTD, or do I need to select it when configuring the VPN?


Thanks


6 Replies

@N3om you can create the NAT exemption rule(s) after the VPN topology has been configured no problem.

@Rob Ingram Ok thanks, does the below look like a valid NAT exemption?

111 (STAFF_INTERNET) to (any) source static STAFF-Network STAFF-Network destination static any-ipv4 any-ipv4

@N3om yes, but I would recommend not to use "any" as the destination interface and ideally not the destination networks either, be specific.

N3om
Level 3

The destination interface is a VTI, which I don't think is supported in the NAT rule, and the any network is for Internet, so I can't do anything with that?

@N3om ok in that case, yes you are correct, you must use "any" as the interface; as you cannot explicitly specify interface names when using a VTI. In which case your NAT rule should work and would just route traffic from "STAFF-Network" IP addresses over the VTI to any destination. I assume the upstream device would handle the NAT.
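As an added example (not code from this thread, from Cisco, or from FMC), a small Python audit of manual-NAT lines in the `show nat` format used above: it classifies a rule as an identity (exemption) rule when the real and mapped objects match on both sides, and flags the "any" interface and "any" destination-network matches discussed in the replies. The sample lines are constructed; the first mirrors the rule posted above, and the regex assumes the `N (src_if) to (dst_if) source static|dynamic REAL MAPPED [destination static REAL MAPPED]` layout.

```python
import re
from typing import Optional

# Constructed "show nat" manual-NAT lines: the first mirrors the rule posted
# in the thread, the other two are made up for contrast.
SAMPLE_NAT_LINES = [
    "111 (STAFF_INTERNET) to (any) source static STAFF-Network STAFF-Network "
    "destination static any-ipv4 any-ipv4",
    "112 (inside) to (outside) source dynamic inside-net interface",
    "113 (inside) to (dmz) source static LAN LAN destination static DMZ-net DMZ-net",
]

MANUAL_NAT_RE = re.compile(
    r"^(?P<id>\d+)\s+\((?P<src_if>[^)]+)\)\s+to\s+\((?P<dst_if>[^)]+)\)"
    r"\s+source\s+(?P<src_type>static|dynamic)\s+(?P<src_real>\S+)\s+(?P<src_mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dst_real>\S+)\s+(?P<dst_mapped>\S+))?"
)

def parse_nat_line(line: str) -> Optional[dict]:
    """Parse one manual-NAT line into its fields; None for lines in another format."""
    m = MANUAL_NAT_RE.match(line.strip())
    return m.groupdict() if m else None

def is_identity(rule: dict) -> bool:
    """A NAT exemption is an identity rule: real and mapped objects match on both sides."""
    if rule["src_type"] != "static" or rule["src_real"] != rule["src_mapped"]:
        return False
    return rule["dst_real"] is None or rule["dst_real"] == rule["dst_mapped"]

def audit_rule(rule: dict) -> list:
    """Flag the points raised in the thread: non-identity rules and broad 'any' matches."""
    notes = []
    if not is_identity(rule):
        notes.append("not an exemption: this rule translates addresses")
    if rule["dst_if"] == "any":
        notes.append("destination interface 'any': unavoidable for a VTI egress, otherwise name it")
    if rule["dst_real"] in ("any", "any-ipv4", "any-ipv6"):
        notes.append("destination network 'any': narrow to the remote networks where known")
    return notes

def audit_nat_config(lines) -> dict:
    """Map each parsable rule id to its findings (empty list = nothing to flag)."""
    findings = {}
    for line in lines:
        rule = parse_nat_line(line)
        if rule:
            findings[int(rule["id"])] = audit_rule(rule)
    return findings
```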

Marvin Rhoads
Hall of Fame

@N3om We usually do not need to do NAT exemption on VTI-based S2S VPN since the "normal" NAT rules don't apply to traffic to/from VTI interfaces.
