cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
860
Views
15
Helpful
8
Replies

Issue with remote vpn on FDM 1010

hamzaadams
Level 1
Level 1

Hello, 

Could someone help me on how I can access to a Vlan from my vpn subnet ( pool ) ? 

VPN Pool is : 192.168.10.0/24 
LAN : 192.168.1.0/24 

Version of my firewall is : 
Cisco Firepower 1010 Threat Defense

Thank you 

Hamza 

 

 

 

 

2 Accepted Solutions

Accepted Solutions

@hamzaadams you don't provide much information....but at a guess you may need a NAT exemption rule, example:-

nat exemption.png

You would also need an Access Control Policy rule to permit traffic to/from - 192.168.10.0/24 and 192.168.1.0/24 

View solution in original post

@hamzaadams good to hear it's working.

Apparently mgmt of FDM using HTTPS/SSH over RAVPN still doesn't work - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt73926

 

View solution in original post

8 Replies 8

@hamzaadams you don't provide much information....but at a guess you may need a NAT exemption rule, example:-

nat exemption.png

You would also need an Access Control Policy rule to permit traffic to/from - 192.168.10.0/24 and 192.168.1.0/24 

hamzaadams
Level 1
Level 1

Hello Rob, 

Thank you for your prompt answer ... 

Here is the NAT config : 

Screenshot 2023-01-05 at 13.28.23.png

 

When I check on my anyconnect  client , I see this : 

 

Screenshot 2023-01-05 at 13.31.20.png

Split tunneling is allowed for all traffic. 

however, I still not able to reach the LAN subnet .. 

 

the 208.67.222.222/32 is your FPR outside interface IP ?
if Yes then you need to not include it in split-tunnel 
the split-tunnel is used only to access inside LAN 
the outside of FPR must be routed via your client ISP link not via SSL tunnel. 
that the issue I think. 

@hamzaadams your Access Control rule is incorrect, the VPN Pool is not on the inside, it is on the outside.

You'd need  rules as follows:

Src zone: inside Src: LAN network  Dst zone: outside Dst: VPN Pool network

Src zone: outside Src: LAN network Dst zone: inside Dst: VPN Pool network

What is the configuration of your NAT rule?

You also previously said your internal LAN network was 192.168.1.0/24 , but you've not included that inside your split tunnel, you included 192.168.10.0/24 . You need to change that.

Are you trying to connect to your local network while at home connected to the office AnyConnect VPN or have you set up the FTD1010 at home and want to connect to your home LAN while away?

@MHM Cisco World 208.67.222.222 and 208.67.220.220 are Umbrella DNS IPs

--
Please remember to select a correct answer and rate helpful posts

hamzaadams
Level 1
Level 1

@Rob Ingram    

NAT DONE =>

Screenshot 2023-01-05 at 15.26.46.png

Now access from VPN to LAN is working

Split Tunneling has been changed , Lan is inside split tunneling.

Still one issue ....
I can reach vm in subnet LAN behind vpn , but when I try to connect to FDM1010 admin console via https://192.168.1.1. , it gives me the page of my modem which has the same ip but in my LAN not remote LAN ... 
my LAN home and remote LAN has the same range 

@hamzaadams good to hear it's working.

Apparently mgmt of FDM using HTTPS/SSH over RAVPN still doesn't work - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt73926

 

Thank you so much for your help, I will put a VM on sperate vlan to reach the management. 

Review Cisco Networking for a $25 gift card