06-23-2020 06:30 PM - edited 06-23-2020 06:30 PM
What needs to happen to route all internet traffic through a site to site tunnel with the exception of a couple of subnets that should route normally? This is utilizing the Firepower 4100 platform.
06-23-2020 06:37 PM
Assuming the "normally routed" subnets also need to transit the VPN to reach the remote site, you would require Policy-based routing (PBR). Normal routing is based on the destination address. You need to add the source address in the criteria.
Here's a decent guide that steps you through how to do it:
(The Cisco configuration guide is a bit weak in this area.)
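As an added illustration of the source-based policy routing described above (this is not the guide's own configuration, and not from the original thread), the fragment below uses ASA CLI syntax; on FTD the same objects are pushed from FMC (the Policy Based Routing page in recent releases, FlexConfig in older ones). All addresses, names (PBR-SRC, PBR-MAP, GigabitEthernet0/1) and the next hop are constructed for the example.

```cisco
! Constructed example addresses (RFC 1918 / RFC 5737); replace with your own.
! The ACL matches on SOURCE: only hosts in 10.1.10.0/24 are steered by the route-map.
access-list PBR-SRC extended permit ip 10.1.10.0 255.255.255.0 any
!
! The "set" clause is applied only to packets that match the ACL;
! every other packet falls through to normal destination-based routing,
! so no second "catch-all" entry is required.
route-map PBR-MAP permit 10
 match ip address PBR-SRC
 set ip next-hop 203.0.113.1
!
! PBR is bound to the INGRESS interface (where the LAN traffic enters the firewall),
! not to the outside interface that terminates the tunnel.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 policy-route route-map PBR-MAP
```

A quick check after deploying: a packet-tracer run from a 10.1.10.0/24 host and from a host outside that range should show different egress paths, with the latter following the routing table.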
06-24-2020 05:24 AM
This is perfect! If I'm using this for VPN traffic, is the route-map still assigned to the outside interface used to establish the tunnel? Also, is a 2nd rule needed to route all other traffic normally, or does a single rule suffice?
06-25-2020 09:00 AM
After discussing this with TAC, it was determined that the best method is as follows:
Create an extended ACL with the following two entries:
1. Deny - Denies traffic that should be routed from the source to destination traffic through normal means
2. Allow - Allows all traffic that is not denied access to traverse the tunnel
This ACL is then applied to the Site to Site tunnel - think crypto map ACL in ASA code.
We are working to deploy this configuration now and I will post my results.
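To make the two-entry ACL concrete, here is an added example in ASA crypto-map syntax (it is not the poster's configuration and not from TAC); on FTD the same extended ACL is attached to the site-to-site topology from FMC. The local LAN 10.1.0.0/16, the two exception subnets, the peer address and the names S2S-INTERESTING, OUTSIDE-MAP and AES-SHA are all constructed assumptions.

```cisco
! Constructed example addresses (RFC 1918 / RFC 5737); replace with your own.
! Local LAN behind the FTD : 10.1.0.0/16
! Subnets that must keep normal routing : 198.51.100.0/24 and 203.0.113.0/24
!
! The crypto ACL is evaluated top-down, first match wins, so the DENY entries
! must come before the catch-all PERMIT.
!
! 1. Deny - traffic to the exception subnets is excluded from the tunnel and
!    follows the routing table like any other packet.
access-list S2S-INTERESTING extended deny ip 10.1.0.0 255.255.0.0 198.51.100.0 255.255.255.0
access-list S2S-INTERESTING extended deny ip 10.1.0.0 255.255.0.0 203.0.113.0 255.255.255.0
!
! 2. Allow - everything else sourced from the LAN (including Internet-bound
!    traffic) is treated as interesting traffic and encrypted to the peer.
access-list S2S-INTERESTING extended permit ip 10.1.0.0 255.255.0.0 any
!
! Bind the ACL to the crypto map entry for the remote peer.
! (Assumes an IKEv2 IPsec proposal named AES-SHA already exists.)
crypto map OUTSIDE-MAP 10 match address S2S-INTERESTING
crypto map OUTSIDE-MAP 10 set peer 192.0.2.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES-SHA
crypto map OUTSIDE-MAP interface outside
```

Two practical caveats: the crypto ACL is matched against post-NAT addresses, so the LAN needs a NAT exemption (identity twice-NAT) toward the tunneled destinations or the permit line will never match; and the remote side must be willing to accept a 0.0.0.0/0 proxy ID and provide the Internet breakout (NAT) for that traffic, otherwise the tunnel negotiates but return traffic never comes back.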
07-26-2020 06:08 AM
How can you make this ACL on FTD?