09-21-2017 09:04 PM - edited 02-21-2020 06:20 AM
Hi.
I am implementing an ASA-5508-X, administered by a vFMC. Both devices were recently upgraded to 6.2.2.0. This now includes remote access VPNs. Yay!
I have managed to struggle through and get this kinda working. A client PC can connect in over the internet just fine, authenticate via RADIUS to a 2008R2 server, and get a DHCPed IP address from the same machine.
Problem I have, is that no traffic seems to be passing through the tunnel. I cannot even ping the internal IP of the firewall itself, or any machine on the local LAN, or get internet connectivity through the VPN tunnel.
NAT and access policies are in place to allow internal machines to see out, so I would have imagined that these would apply to VPN clients as well. The remote client has an IP in the same range as the internal network machines.
Is there some sort of rule I need to create that applies to VPN clients?
I went to Devices>Device Management>Troubleshooting>Packet tracer, however this does not let me specify that this is VPN traffic.
Any ideas where to go from here?
09-22-2017 02:32 AM
You need to explicitly exempt the VPN client address pool from NAT. They appear as "outside" addresses even though they may be in the same range as an inside subnet.
Also check that your internal routes are being included in what's pushed to the client when connected on VPN.
09-25-2017 07:53 PM
OK, that makes things even MORE complex. :(
The goal here is for ALL traffic from machines connected via the VPN client to be sent down the tunnel, and any internet connectivity to go through that, being filtered for inappropriate URLs, malware etc. Thus, on the VPN client, 0.0.0.0/0 is listed as a secured route, which seems correct.
I am currently using the internal DHCP server to dole out IP addresses to the VPN clients, this is the same DHCP server that internal machines use. Thus, 192.168.10.101 might be allocated to a local laptop, while 192.168.10.102 might be a remote VPN client.
I guess I will need incoming VPN traffic to somehow be NATed out?
Are you suggesting that I should create a new subnet and internal address pool, then assign those IPs to VPN clients, rather than using the same range as internal machines?
09-25-2017 07:58 PM
Yes, if you are not doing split tunnel then you need a "nat (outside,outside)" sort of rule.
That bit isn't much changed from a standard ASA remote access VPN - just translate the ASA syntax into a Firepower NAT rule.
Whether you use a distinct address pool or not is personal preference. Functionally it can work either way. Some people prefer the separate pool so they can more quickly identify VPN traffic when reviewing the system configuration or logs.
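The two rules described in the replies above (the NAT exemption for the client pool, and the "nat (outside,outside)" hairpin for full-tunnel Internet traffic), written out in ASA syntax as an added example; this is not configuration from the thread or from Cisco. Interface names (Internal, External) and object names (RangeMalaga, RangeVPN) are taken from the packet trace posted later in the thread; the subnets 192.168.10.0/24 for the LAN and 192.168.5.0/24 for the AnyConnect pool are assumed from the addresses that appear in that trace.

```cisco
! Added example in ASA syntax, not from the thread. In FMC each "nat" line
! below becomes one manual NAT rule with the same source/destination objects.
object network RangeMalaga
 subnet 192.168.10.0 255.255.255.0
object network RangeVPN
 subnet 192.168.5.0 255.255.255.0

! 1. NAT exemption (identity NAT): traffic between the LAN and the VPN pool
!    must keep its real addresses in both directions.
nat (Internal,External) source static RangeMalaga RangeMalaga destination static RangeVPN RangeVPN no-proxy-arp route-lookup

! 2. Full tunnel: a client's Internet traffic arrives on External (inside the
!    tunnel) and has to leave through External again. Permit traffic to enter
!    and exit the same interface, then PAT the pool behind the outside address.
same-security-traffic permit intra-interface
nat (External,External) source dynamic RangeVPN interface
```

Keep the identity rule above the dynamic hairpin rule: manual NAT is evaluated top down, and an exemption placed below a broader dynamic rule is never reached. Without rule 2, client packets bound for the Internet arrive on External with a pool source address and no translation or return path, which matches the symptom of a connected client that can authenticate but reach nothing.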
09-26-2017 01:28 AM
OK, I created a pool of IPs for the AnyConnect clients. Also created NAT rules, and policies to permit traffic. Still no packets going anywhere. Did a packet trace, and got the result below. All looks to be what I would expect, apart from Phase 11. What is the WEBVPN-SVC, and why is it blocking my traffic?
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.220 using egress ifc Internal
Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Internal,External) source static RangeMalaga RangeMalaga destination static RangeVPN RangeVPN no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Internal
Untranslate 192.168.10.220/80 to 192.168.10.220/80
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435457
access-list CSM_FW_ACL_ remark rule-id 268435457: ACCESS POLICY: Mals - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435457: L7 RULE: Outbound Blocked
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Internal,External) source static RangeMalaga RangeMalaga destination static RangeVPN RangeVPN no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.5.100/80 to 192.168.5.100/80
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Result:
input-interface: External
input-status: up
input-line-status: up
output-interface: Internal
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
04-09-2018 05:33 PM
Did you ever get this fixed? I'm also seeing WEBVPN-SVC drop my full tunnel traffic. From the diagnostic-cli, I am seeing aspdrop with no valid adjacency messages. Almost like it doesn't know how to route the Internet traffic back out.
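A verification sequence from the FTD diagnostic CLI that covers the checks raised in the thread (NAT rule hits, the assigned client address, the ASP drop counters, and a packet trace for a full-tunnel flow). This is an added example, not output or commands from the posters; it assumes the interface name External from the trace above, and 192.168.5.100 and 203.0.113.10 are placeholder client and Internet addresses.

```cisco
! Added example, not from the thread. Enter the ASA-style CLI from the FTD shell.
system support diagnostic-cli
enable
! Confirm the identity and hairpin rules exist and whether they are being hit.
show nat
! Confirm the client session is up and which pool address it was assigned.
show vpn-sessiondb anyconnect
! Look for climbing counters such as "no valid adjacency" or "acl-drop"
! while the client is generating traffic.
show asp drop
! Simulate a full-tunnel client packet: pool address as source, entering on
! External, destined to an Internet host on TCP/80. Placeholder addresses.
packet-tracer input External tcp 192.168.5.100 12345 203.0.113.10 80
```

Run the packet-tracer while the client is actually connected, so the source address belongs to an active AnyConnect session rather than an idle pool entry, and compare the phase list against the one posted above: a working full-tunnel flow should show the dynamic NAT rule translating the pool address and egress back out of External instead of a drop at the WEBVPN-SVC phase.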
07-17-2018 09:34 AM - edited 07-17-2018 09:36 AM
I am working on testing the FTD and decided to create a VPN profile without Split-Tunnel to test URL Filter etc. In order to allow the VPN subnet to send all traffic via the tunnel I had simply added Dynamic NAT. See the attachment with NAT rule created.