11-09-2023 10:27 PM
Hi Experts,
One of our clients is thinking of utilizing their ASA5515X device with FTD 7.0.5 via FMC 7.0.5, and they want it for S2S VPN and RAVPN via Cisco AnyConnect only, so basically all internet traffic will pass through their Sophos firewall.
The Sophos has a static route (like this) -
route OUTSIDE1 0.0.0.0 0.0.0.0 61.555.555.555
route OUTSIDE2 0.0.0.0 0.0.0.0 43.999.999.999
route INSIDE 1.1.1.0.0 255.255.0.0 1.1.1.2 1
The core has a static route to the Sophos (like this) -
ip route 0.0.0.0 0.0.0.0 1.1.1.1
So when I integrate their FTD into the mix, my questions are below:
1) What would the routing look like for my FTD with 1 Outside interface and 1 Inside?
2) Would it cause some conflict in the network (knowing no internet traffic is passing through the FTD, only the Sophos)?
Here is the setup we want to achieve.
Thank you and more power!
11-10-2023 12:33 AM
@Herald Sison no, it won't cause a conflict if the Sophos firewall is routing all internet traffic; it is quite common to have a dedicated VPN concentrator.
You will need to configure routes on the core switch with a next hop of the FTD inside interface IP address for the RAVPN IP pool network and all the S2S remote VPN networks.
The FTD must have routes (static/dynamic) with a next hop of the core switch IP address for all the internal networks connected to the core. The FTD will obviously require a default route to the internet.
Optional, but if you wanted all internet traffic of the RAVPN users to be routed via the Sophos (instead of hairpinning via the FTD) you can configure a tunneled default route via the core switch (this route will apply to VPN tunneled traffic only). https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/static_and_default_routes_for_firepower_threat_defense.html
11-10-2023 08:38 AM
Hi Sir,
Just to be clear with everything, can I do the configs below?
static routes on the FTD side:
route VPN-OUT 0.0.0.0 0.0.0.0 32.333.333.333
route VPN-IN 1.1.1.0.0 255.255.0.0 1.1.1.2 1
static routes on the Cisco Core switch:
ip route 0.0.0.0 0.0.0.0 1.1.1.1 - this route is for all internet access via Sophos ngfw
ip route 0.0.0.0 0.0.0.0 1.1.1.3 - this route is for all S2S-VPN/RAVPN access via FTD ngfw
Will these 2 routes not cause a conflict? I was thinking that the core switch traffic would be confused about which route the traffic should take, or is it up to the FTD NAT config, if it is correctly configured?
So for the NAT in FTD I will only add NAT like this for the VPNs:
nat (VPN-IN,VPN-OUT) source static S2S_VPN_OBJ S2S_VPN_OBJ destination static OFFSITE_VLAN_24 OFFSITE_VLAN_24 no-proxy-arp
nat (VPN-IN,VPN-OUT) source static INSIDE_Subnet INSIDE_Subnet destination static RAVPN-pool RAVPN-pool no-proxy-arp route-lookup
Are these configs correct, sir?
With this diagram below as the basis:
11-10-2023 08:53 AM - edited 11-10-2023 08:55 AM
@Herald Sison no you cannot have these routes, they will conflict.
ip route 0.0.0.0 0.0.0.0 1.1.1.1 - this route is for all internet access via Sophos ngfw
ip route 0.0.0.0 0.0.0.0 1.1.1.3 - this route is for all S2S-VPN/RAVPN access via FTD ngfw
You need more specific routes for the remote VPN networks and a single default route (0.0.0.0/0.0.0.0 via the Sophos FW).
ip route 0.0.0.0 0.0.0.0 1.1.1.1 - default route via Sophos ngfw
ip route 10.10.10.0 255.255.255.0 1.1.1.3 - example RAVPN ip pool, next hop FTD inside interface
ip route 192.168.10.0 255.255.255.0 1.1.1.3 - example S2S remote network, next hop FTD inside interface
ip route 192.168.20.0 255.255.255.0 1.1.1.3 - example S2S remote network, next hop FTD inside interface
Therefore any VPN network will be routed to the FTD and any network that does not match those more specific routes will be routed via the default route. Create a static route for each S2S VPN remote network (as per the crypto ACL that defines interesting traffic) and the RAVPN pool network.
Those NAT rules provided are NAT exemption rules and would be required to ensure traffic is not unintentionally translated. However, if no internet traffic is being routed via the FTD, it is unlikely you'd have another auto NAT rule that would unintentionally translate the traffic, so the NAT exemption rule would not be required in that scenario.
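The routing point in the answer above, as an added example that is not part of the original thread: a small longest-prefix-match model of the core switch's static routing table. It loads the two candidate configurations (the conflicting pair of default routes, and the corrected table with a single default to the Sophos plus specific routes to the FTD) and resolves sample destinations against them. Two 0.0.0.0/0 routes with equal administrative distance are both installed on IOS and traffic is load-shared between the next hops, so internet-bound flows can land on the FTD; the model reports that as an ambiguous lookup. The next-hop addresses 1.1.1.1 (Sophos) and 1.1.1.3 (FTD inside) and the VPN prefixes are the ones used in this thread; the destination addresses are constructed for the demonstration.

```python
"""Longest-prefix-match model of the core switch routing table.

Added example, not taken from the thread or from Cisco. Next hops and VPN
prefixes follow the thread (1.1.1.1 = Sophos, 1.1.1.3 = FTD inside); the
destination addresses used in the demo are constructed.
"""
from ipaddress import ip_address, ip_network

SOPHOS_INSIDE = "1.1.1.1"  # Sophos NGFW, internet edge (from the thread)
FTD_INSIDE = "1.1.1.3"     # FTD inside interface (from the thread)


def parse_ios_route(line):
    """Parse 'ip route NETWORK MASK NEXT_HOP' into (network, next_hop)."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not an IOS static route: {line!r}")
    # ipaddress accepts dotted-quad masks, so 0.0.0.0/0.0.0.0 parses to /0
    network = ip_network(f"{parts[2]}/{parts[3]}", strict=False)
    return network, parts[4]


def build_table(config_lines):
    """Return a list of (network, next_hop) entries from IOS-style lines."""
    return [parse_ios_route(line) for line in config_lines if line.strip()]


def lookup(table, dst):
    """Longest-prefix match for dst.

    Returns the set of next hops at the longest matching prefix length.
    More than one member means the table is ambiguous for dst: equal-length
    routes to different next hops, which IOS would install side by side and
    load-share across.
    """
    addr = ip_address(dst)
    best_len = -1
    hops = set()
    for network, hop in table:
        if addr in network:
            if network.prefixlen > best_len:
                best_len = network.prefixlen
                hops = {hop}
            elif network.prefixlen == best_len:
                hops.add(hop)
    return hops


def has_conflict(config_lines):
    """True if two routes share the same prefix but point at different next hops."""
    seen = {}
    for network, hop in build_table(config_lines):
        if seen.setdefault(network, hop) != hop:
            return True
    return False


def audit(config_lines, destinations):
    """Resolve every destination against the table; values are next-hop sets."""
    table = build_table(config_lines)
    return {dst: lookup(table, dst) for dst in destinations}


# The pair of default routes proposed in the question (conflicting).
CONFLICTING = [
    "ip route 0.0.0.0 0.0.0.0 1.1.1.1",
    "ip route 0.0.0.0 0.0.0.0 1.1.1.3",
]

# The corrected table from the answer: one default, specific routes to the FTD.
CORRECTED = [
    "ip route 0.0.0.0 0.0.0.0 1.1.1.1",
    "ip route 10.10.10.0 255.255.255.0 1.1.1.3",
    "ip route 192.168.10.0 255.255.255.0 1.1.1.3",
    "ip route 192.168.20.0 255.255.255.0 1.1.1.3",
]

# Constructed sample destinations: an internet host, a RAVPN client,
# an S2S remote host, and a non-VPN private network.
SAMPLE_DESTINATIONS = ["8.8.8.8", "10.10.10.25", "192.168.10.7", "192.168.30.1"]

if __name__ == "__main__":
    for name, cfg in (("conflicting", CONFLICTING), ("corrected", CORRECTED)):
        print(f"{name}: conflict={has_conflict(cfg)}")
        for dst, hops in audit(cfg, SAMPLE_DESTINATIONS).items():
            print(f"  {dst:>14} -> {sorted(hops)}")
```

Run it as-is to see the corrected table send only the 10.10.10.0/24 pool and the two S2S prefixes to 1.1.1.3 while everything else, including 192.168.30.0/24, follows the single default to 1.1.1.1; the conflicting table returns both next hops for every destination.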
11-10-2023 09:20 AM
Aha! Gotcha! Thanks, sir. How about ACP, do I need to add ACP rules? Or just bypass ACP for both RAVPN and S2S VPN (enabling sysopt permit-vpn)?
like this one below
11-10-2023 09:28 AM
@Herald Sison that's your decision whether to bypass Access Control for VPN traffic. I would personally not bypass Access Control, and would create Access Control rules to explicitly permit traffic; anything not permitted is denied.
11-10-2023 09:29 AM
Thanks sir! More power!