01-04-2023 02:23 AM
Hello,
Could someone help me with how I can access a VLAN from my VPN subnet (pool)?
VPN Pool is: 192.168.10.0/24
LAN: 192.168.1.0/24
Version of my firewall is:
Cisco Firepower 1010 Threat Defense
Thank you
Hamza
01-04-2023 03:17 AM
@hamzaadams you don't provide much information... but at a guess you may need a NAT exemption rule, example:
You would also need an Access Control Policy rule to permit traffic to/from - 192.168.10.0/24 and 192.168.1.0/24
01-05-2023 06:48 AM
@hamzaadams good to hear it's working.
Apparently mgmt of FDM using HTTPS/SSH over RAVPN still doesn't work - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt73926
01-05-2023 04:32 AM
Hello Rob,
Thank you for your prompt answer ...
Here is the NAT config:
When I check on my AnyConnect client, I see this:
Split tunneling is allowed for all traffic.
However, I am still not able to reach the LAN subnet.
01-05-2023 04:39 AM
Is the 208.67.222.222/32 your FPR outside interface IP?
If yes, then you need to not include it in the split tunnel.
The split tunnel is used only to access the inside LAN.
The outside of the FPR must be routed via your client's ISP link, not via the SSL tunnel.
That is the issue, I think.
01-05-2023 04:40 AM - edited 01-05-2023 04:44 AM
@hamzaadams your Access Control rule is incorrect; the VPN Pool is not on the inside, it is on the outside.
You'd need rules as follows:
Src zone: inside Src: LAN network Dst zone: outside Dst: VPN Pool network
Src zone: outside Src: LAN network Dst zone: inside Dst: VPN Pool network
What is the configuration of your NAT rule?
You also previously said your internal LAN network was 192.168.1.0/24, but you've not included that inside your split tunnel; you included 192.168.10.0/24. You need to change that.
01-05-2023 05:28 AM
Are you trying to connect to your local network while at home connected to the office AnyConnect VPN or have you set up the FTD1010 at home and want to connect to your home LAN while away?
@MHM Cisco World 208.67.222.222 and 208.67.220.220 are Umbrella DNS IPs
01-05-2023 06:37 AM
NAT DONE =>
Now access from VPN to LAN is working
Split tunneling has been changed; the LAN is inside the split tunnel.
Still one issue...
I can reach a VM in the LAN subnet behind the VPN, but when I try to connect to the FDM1010 admin console via https://192.168.1.1, it gives me the page of my modem, which has the same IP but in my LAN, not the remote LAN...
My home LAN and the remote LAN have the same range.
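As an added illustration (not part of the thread, the poster's configuration, or Cisco tooling) of the points raised above by Rob and Hamza: the split-tunnel list has to cover the protected LAN, the pool and the LAN must not overlap, and a client whose home LAN uses the same range as the remote LAN cannot reach the remote 192.168.1.1 because the client has two candidate routes for that address. The Python below checks a design for those three conditions and renders the ASA/FTD-style twice-NAT identity rule that corresponds to the NAT exemption Rob suggested. The names VPN_POOL, LAN and the finding codes are the example's own; the sample networks are the ones posted in the thread.

```python
"""Constructed sanity checks for a remote-access VPN design like the one in
this thread. Added illustration only: not the poster's configuration and not
Cisco tooling; object names and finding codes are the example's own."""
from ipaddress import ip_network

# Constructed inputs mirroring the thread: pool and LAN as posted, the
# split-tunnel list as it stood before the fix (the pool itself plus an
# Umbrella DNS host) and after it, and the poster's home LAN, which uses
# the same range as the remote LAN.
VPN_POOL = "192.168.10.0/24"
LAN = "192.168.1.0/24"
SPLIT_BEFORE_FIX = ["192.168.10.0/24", "208.67.222.222/32"]
SPLIT_AFTER_FIX = ["192.168.1.0/24", "208.67.222.222/32"]
CLIENT_HOME_LAN = ["192.168.1.0/24"]


def check_vpn_design(pool, lan, split_tunnel, client_local=()):
    """Return a list of (code, detail) findings; an empty list means no problem.

    LAN_NOT_IN_SPLIT          the protected LAN is not covered by any
                              split-tunnel network, so client traffic for it
                              never enters the tunnel
    POOL_OVERLAPS_LAN         pool and LAN share address space
    SPLIT_OVERLAPS_CLIENT_LAN a tunnelled network collides with a network the
                              client already has locally (a home router on
                              192.168.1.1, say), so the client's routing for
                              those addresses is ambiguous
    """
    pool_net, lan_net = ip_network(pool), ip_network(lan)
    split = [ip_network(n) for n in split_tunnel]
    local = [ip_network(n) for n in client_local]
    findings = []

    # subnet_of() needs matching address families, so compare per version.
    if not any(s.version == lan_net.version and lan_net.subnet_of(s) for s in split):
        findings.append(("LAN_NOT_IN_SPLIT",
                         f"split tunnel {[str(s) for s in split]} does not cover {lan_net}"))
    if pool_net.version == lan_net.version and pool_net.overlaps(lan_net):
        findings.append(("POOL_OVERLAPS_LAN", f"{pool_net} overlaps {lan_net}"))
    for s in split:
        for l in local:
            if s.version == l.version and s.overlaps(l):
                findings.append(("SPLIT_OVERLAPS_CLIENT_LAN",
                                 f"tunnelled {s} overlaps client-local {l}"))
    return findings


def nat_exemption(lan, pool, lan_name="LAN", pool_name="VPN_POOL",
                  inside="inside", outside="outside"):
    """Render the twice-NAT identity rule ("NAT exemption") for LAN <-> pool in
    ASA/FTD CLI syntax. FDM configures this as a manual NAT rule in its GUI;
    the text here illustrates the resulting policy rather than FDM's exact
    output. Source and destination both translate to themselves, so traffic
    between the LAN and the VPN pool bypasses any dynamic PAT on outside."""
    lan_net, pool_net = ip_network(lan), ip_network(pool)
    return "\n".join([
        f"object network {lan_name}",
        f" subnet {lan_net.network_address} {lan_net.netmask}",
        f"object network {pool_name}",
        f" subnet {pool_net.network_address} {pool_net.netmask}",
        f"nat ({inside},{outside}) source static {lan_name} {lan_name} "
        f"destination static {pool_name} {pool_name} no-proxy-arp route-lookup",
    ])


if __name__ == "__main__":
    cases = [("before fix, no client-side LAN given", SPLIT_BEFORE_FIX, []),
             ("after fix, client at home on 192.168.1.0/24", SPLIT_AFTER_FIX, CLIENT_HOME_LAN)]
    for label, split, local in cases:
        print(f"== {label}")
        for code, detail in check_vpn_design(VPN_POOL, LAN, split, local) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
    print("== NAT exemption in ASA/FTD syntax")
    print(nat_exemption(LAN, VPN_POOL))
```

The second case is the situation in Hamza's last post: the design itself is now fine, but any client whose own LAN is also 192.168.1.0/24 will resolve 192.168.1.1 locally, which is why renumbering one side (or putting management on a separate VLAN, as he decided) is the fix rather than anything on the firewall.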
01-05-2023 07:18 AM
Thank you so much for your help, I will put a VM on a separate VLAN to reach the management.