09-19-2022 07:19 PM
Hello everyone,
I deployed a Cisco FTD using FDM and enabled VPN access to our internal network. I proceeded step by step, starting with enabling the smart license for VPN.
I'm using local identity as the user logon, an internal certificate, split tunneling, and an IP pool assignment, and when I tried to connect to the VPN, it failed with the error "The connection attempt has timed out. Please check your internet connectivity."
For your information, I have a public /28 subnet, and I have configured NAT to access the web server using a different IP rather than the same IP used for VPN; the web server can be accessed without issue.
Below is our NAT statement; the web server IP is 20x.xx4.x2.19 and the interface IP for VPN is 20x.xx4.x2.18.
nat (outside,inside) source static any any destination static websvr_20x.xx4.x2.19 webserver_10.100.100.2
!
object network IPv4-Private-10.0.0.0-8
nat (inside,outside) static interface
FTD version: 7.0.4
FPR model: 1150
Thank you in advance for your help.
10-17-2022 12:09 AM
Hi Azlan, could I know which document you referred to? Please share the link and let me know what kind of VPN (remote access VPN or L2L VPN) you are setting up.
And please check the network connectivity with 20x.xx4.x2.18.
10-17-2022 01:04 AM
Sorry, I noted that you are using RAVPN; please share the configuration guide you are referring to. You mentioned a web server; is it used for VPN?
10-17-2022 06:51 PM
Hi Sherry,
I'm referring to this guide: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215532-configure-remote-access-vpn-on-ftd-manag.html
The web server is actually for our users to access the internal server, not for VPN.
10-17-2022 09:56 AM
First, your NAT for 10.0.0.0-8 is incorrect. It should be dynamic, not static. As a static NAT, it may be taking up a connection on port 443 which would "break" the VPN in the way you are seeing.
Fix that and then, if you browse to the FTD's outside address using https, do you see the VPN login portal page?
10-17-2022 06:53 PM
Hi Marvin,
Thanks for your reply. Do you mean change the type from Static to Dynamic, or change the source IP to any? Below is a screenshot of our outgoing NAT.
Thanks
10-18-2022 12:05 AM
@Azlan.my07 change the type of NAT to Dynamic and deploy.
10-19-2022 07:38 AM
@Marvin Rhoads Thank you so much, Marvin, it now works after changing to Dynamic. Thank you for helping; I'm glad to have learned something today.
10-19-2022 07:48 AM
You're welcome.
As a general rule, static NAT is only for 1-1 mapping of an inside address to an outside address.
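The fix Marvin describes, written out as the FTD CLI that FDM generates, as an added example that is not part of the thread: the object name comes from the original post, while the subnet line, the source address in the packet-tracer check and the outside interface address are assumed placeholders.

```cisco
! --- BEFORE (from the original post): static object NAT of a /8 onto the outside interface address.
! Static NAT is bidirectional, so inbound packets arriving at the outside interface IP can match
! this rule and be translated toward the inside network instead of terminating on the FTD's
! own TCP/443 VPN listener, which is why the AnyConnect client only sees a timeout.
object network IPv4-Private-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0          ! assumed: FDM shows the nat line, the subnet is implied by the name
 nat (inside,outside) static interface

! --- AFTER (the accepted solution): dynamic PAT onto the outside interface address.
! Dynamic NAT/PAT is only built for connections initiated from the inside, so unsolicited
! inbound traffic to the interface IP is no longer pulled into the translation and the
! RAVPN listener on TCP/443 (and UDP/443 for DTLS) receives it normally.
object network IPv4-Private-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface

! --- Verification from the FTD CLI (clish > system support diagnostic-cli, or expert shell) ---
! 1. Confirm the object NAT rule now reads "dynamic" and the web server twice NAT is untouched.
show nat detail

! 2. Simulate an inbound VPN client hello to the outside interface address.
!    198.51.100.10 is an assumed client source; 203.0.113.18 stands in for the outside IP.
!    Expected result after the fix: the packet is accepted with no NAT phase rewriting the
!    destination, i.e. it is handled by the FTD itself rather than forwarded to an inside host.
packet-tracer input outside tcp 198.51.100.10 51000 203.0.113.18 443
```

With the static rule still in place, the same packet-tracer run is the quickest way to see whether a NAT phase is rewriting the destination toward 10.0.0.0/8 before the VPN ever sees the connection.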