RAVPN for FTD

Azlan.my07
Level 1

Hello everyone,

I deployed a Cisco FTD using FDM and enabled VPN access to our internal network. I proceeded step by step, starting with enabling the VPN smart license.

I'm using a local identity source for user logon, an internal certificate, split tunneling, and an IP pool assignment, and when I tried to connect to the VPN, it failed with the error "The connection attempt has timed out. Please check your internet connectivity."

For your information, I have a public IP with a /28 subnet, and I have configured NAT to reach the web server using a different IP rather than the same IP as the VPN; the web server can be accessed without issue.

Below is our NAT configuration; the web server IP is 20x.xx4.x2.19 and the interface IP used for VPN is 20x.xx4.x2.18.

! Twice (manual) NAT: inbound traffic to the web server's public address
! is translated to the internal web server
nat (outside,inside) source static any any destination static websvr_20x.xx4.x2.19 webserver_10.100.100.2
!
! Object NAT for the internal 10.0.0.0/8 range, mapped to the outside
! interface address
object network IPv4-Private-10.0.0.0-8
 nat (inside,outside) static interface

FTD version : 7.0.4

FPR model : 1150

Thank you in advance for your help.


Sherry Pang
Cisco Employee

Hi Azlan, could I know which document you referred to? Please share the link and let me know more about what kind of VPN (remote access VPN or L2L VPN) you are setting up.

And please check the network connectivity to 20x.xx4.x2.18.

Sorry, I noted that you are using RAVPN; please share the configuration guide you are referring to. You mentioned a web server; is it used for VPN?

Hi Sherry,

I'm referring to this guide > https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215532-configure-remote-access-vpn-on-ftd-manag.html

The web server is actually for our users to access the internal server, not for VPN.

Marvin Rhoads
Hall of Fame

First, your NAT for 10.0.0.0/8 is incorrect. It should be dynamic, not static. As a static NAT, it may be taking up a connection on port 443, which would "break" the VPN in the way you are seeing.

Fix that and then, if you browse to the FTD's outside address using https, do you see the VPN login portal page?
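The failure mode Marvin describes can be caught before deploying: a static object NAT whose mapped address is the outside interface itself, with no service (port) restriction, claims every inbound port of that interface address, so TCP/443 destined for the RAVPN listener gets untranslated into the inside network instead. The following is an added example, not code from the original thread or a Cisco tool: a small lint over ASA/FTD-style NAT configuration text that flags exactly that pattern. The two sample configs are constructed for the example; the `subnet` line under the object is assumed (FDM generates it but the post did not show it), and the RFC 5737 documentation addresses stand in for the redacted public IPs in the thread.

```python
"""
Lint ASA/FTD-style object NAT for static rules mapped to the interface
address without a service restriction (added example, not Cisco code).
"""
import re
from dataclasses import dataclass

# Constructed sample: the thread's original (broken) NAT, with documentation
# addresses substituted and the assumed subnet line added.
BROKEN_NAT = """\
nat (outside,inside) source static any any destination static websvr_203.0.113.19 webserver_10.100.100.2
!
object network IPv4-Private-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) static interface
!
"""

# Constructed sample: the same rule after the accepted fix (dynamic PAT).
FIXED_NAT = BROKEN_NAT.replace("static interface", "dynamic interface")


@dataclass
class NatFinding:
    obj: str      # network object carrying the rule
    rule: str     # the offending nat line
    real: str     # real (inside) address spec of the object
    reason: str   # why it is a problem


OBJ_RE = re.compile(r"^object network (\S+)\s*$")
ADDR_RE = re.compile(r"^\s*(host|subnet|range)\s+(.+?)\s*$")
# object NAT: nat (real_ifc,mapped_ifc) static|dynamic <mapped> [service ...]
NAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\)\s+(static|dynamic)\s+(\S+)(.*)$")


def parse_object_nat(config: str):
    """Yield (object, real_spec, rule_text, regex_match) for each object NAT rule.

    Twice NAT lines ("nat (a,b) source ...") live outside object blocks and
    are deliberately skipped; only object NAT is inspected here.
    """
    current = None
    real = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = OBJ_RE.match(line)
        if m:
            current, real = m.group(1), None
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            real = f"{m.group(1)} {m.group(2)}"
            continue
        m = NAT_RE.match(line)
        if m:
            yield current, real, line.strip(), m
        elif line and not line.startswith(" ") and line != "!":
            current, real = None, None  # an unindented line ends the object block


def find_interface_static_nat(config: str) -> list[NatFinding]:
    """Return findings for static NAT to 'interface' with no service clause."""
    findings = []
    for obj, real, rule, m in parse_object_nat(config):
        mode, mapped, tail = m.group(3), m.group(4), m.group(5)
        if mode != "static" or mapped != "interface":
            continue
        if re.search(r"\bservice\b", tail):
            continue  # static PAT on named ports only claims those ports
        findings.append(NatFinding(
            obj, rule, real or "unknown",
            "static NAT to the interface address without a service restriction "
            "claims every inbound port of that interface, including TCP/443 "
            "needed by the RAVPN listener; use dynamic (PAT) instead"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_NAT), ("fixed", FIXED_NAT)):
        hits = find_interface_static_nat(cfg)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  {f.obj} [{f.real}] {f.rule}\n    -> {f.reason}")
```

Run against the broken sample it reports one finding for `IPv4-Private-10.0.0.0-8`; against the dynamic version it reports none. After deploying the corrected rule, the same condition can be confirmed on the box with `show nat` (the rule should read `dynamic interface`) and with `packet-tracer input outside tcp <client-ip> 1025 <outside-ip> 443`, which should no longer show the flow being untranslated into the inside network; the addresses in that command are placeholders to fill in.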

Hi Marvin,

Thanks for your reply. Do you mean change the type from Static to Dynamic, or change the source IP to any? Below is a screenshot of our outgoing NAT.

[screenshot: outgoing NAT rule]

Thanks

@Azlan.my07 change the type of NAT to Dynamic and deploy.

@Marvin Rhoads Thank you so much, Marvin; it now works after changing to Dynamic. Thank you for helping, I'm glad to have learned something today.

You're welcome.

As a general rule, static NAT is only for 1-1 mapping of an inside address to an outside address.
