01-08-2025 12:32 AM
We have an IPSEC VPN setup (HUB to Spoke), where clients access the internet through the VPN from the site to the HUB (data centre).
I have a requirement to offload certain internet destinations towards the internet directly through the local internet, instead of injecting them through the VPN tunnel.
What are the possibilities to achieve this on a Cisco FTD 1120?
01-08-2025 12:36 AM
@titusroz03 FTD, when managed via FMC, has basic SDWAN capabilities; you can set up Direct Internet Access from the spoke sites to route some internet traffic directly rather than through the VPN tunnel. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/usecase/b_wan-deployment/m_direct-internet-access-usecase.html
01-08-2025 01:06 AM
Sure you can. What VPN do you have?
If it is VTI,
then only add a new static route in the FTD pointing to the WAN interface,
that's all.
MHM
01-08-2025 01:07 AM
Not sure you need NATing.
Thanks
MHM
01-08-2025 01:52 AM
Which one will be easier to achieve this with, policy-based or route-based?
01-08-2025 01:56 AM
Policy-based, since you have hub and spoke and you want to direct traffic for a specific website via the WAN directly instead of forwarding traffic via the hub.
MHM
01-08-2025 02:39 AM
@titusroz03 you said you wanted to "offloading a certain internet destinations towards internet instead of injecting through VPN tunnel" - using the SDWAN functionality you can route some websites/applications (i.e. Teams, Webex, Outlook etc.) out the local internet, whilst routing the rest of the traffic over the VPN to the DC.
If you use a traditional Policy Based VPN you need to explicitly configure the crypto ACL on which traffic to route over the VPN; anything that is not explicitly encrypted would be routed out locally.
01-08-2025 07:10 AM
Hi,
From what I know, Cisco devices usually use an ACL to define the interesting network traffic for the VPN tunnel. So I think you could remove the destination that you want to offload from that ACL; then it will stop taking the IPSEC tunnel.
Thanks
02-05-2025 03:37 AM - edited 02-05-2025 03:43 AM
@d3an.chen @Rob Ingram @MHM Cisco World Apologies for leaving this conversation idle for a long period; I want to start this again. So our last conclusion was to remove the traffic from the crypto ACL to get it offloaded and leave the others for the VPN tunnel. On this point my requirement is just to offload some internet destinations and leave all the other traffic (including other internet) to go through the tunnel encrypted. How can we achieve this in Cisco FTD? My understanding is to deny those destinations in the crypto ACL to get them offloaded? Correct me if this is wrong, and also do I need additional configs for those offloaded destinations, like static routing?
And another question: if the same scenario applies to a route-based VTI, how can I achieve it? Should I point the networks to the local offload through static routing to the WAN IP?
02-05-2025 04:37 AM
@titusroz03 I've not tried it on the FTD at least (only on an ASA), but when configuring the protected networks, select "Access List (Extended)"; in that ACL deny the traffic you don't wish to be encrypted over the VPN and then permit any.
If you use a route-based VPN then configure specific routes, via a different next hop, for the traffic you don't wish to be routed over the VTI.
02-05-2025 11:02 AM
Sorry, I will be busy until Sep.
Hope others help you.
Good luck
MHM
02-06-2025 09:04 PM - edited 02-06-2025 09:05 PM
My requirement, along with this local offloading, is that one of our internal coder devices (192.168.1.7) should be NATed to a public IP bidirectionally, such that it can access the internet and can be accessed from the internet.
Below are the plans to achieve these two:
If Route-based VPN:
Configure specific routes via the WAN IP for the traffic you don't wish to be routed over the VTI. And add a bidirectional NAT for the internal coder device and PAT alone for the external destinations which need to be offloaded.
If Policy-based VPN:
In the crypto ACL, deny the traffic you don't wish to be encrypted over the VPN and then permit any. Along with this, configure the same NAT configs as above.
Could you help me confirm if my above plan is correct and will work? Correct me if there are any misses or changes needed.
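The route-based plan above (specific routes away from the VTI, bidirectional NAT for the coder device, PAT only for the offloaded destinations) written out as one configuration, as an added example that is not from any poster in this thread; it is in the ASA-style syntax that FTD shows in its running configuration, while on an FMC-managed FTD the same pieces are entered under Objects, Routing > Static Route and the NAT policy. The interface names inside/outside/HUB-VTI, the VTI peer address 169.254.1.1, the hub public IP 192.0.2.10, the WAN gateway 198.51.100.1, the public IP 198.51.100.10 and the 203.0.113.0/24 offload prefix are all assumptions using documentation address ranges.

```cisco
! --- Objects (constructed addresses; replace with your own) ---
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network CODER-HOST
 host 192.168.1.7
object network CODER-PUBLIC
 host 198.51.100.10
object-group network OFFLOAD-DST
 network-object 203.0.113.0 255.255.255.0

! --- Routing ---
! The hub's public address must stay reachable via the WAN so IKE/IPsec
! can build the VTI; everything else defaults into the tunnel, and only the
! offload prefix gets a more specific route via the WAN gateway (longest
! match wins over the tunnel default, so no crypto ACL edit is needed).
route outside 192.0.2.10 255.255.255.255 198.51.100.1 1
route HUB-VTI 0.0.0.0 0.0.0.0 169.254.1.1 1
route outside 203.0.113.0 255.255.255.0 198.51.100.1 1

! --- NAT ---
! Both rules are scoped to the (inside,outside) pair, so traffic that
! leaves through the HUB-VTI nameif is never translated at the spoke.
! 1) Bidirectional static NAT: 192.168.1.7 <-> 198.51.100.10.
!    Inbound connections still need an access control rule limited to the
!    services the coder device must expose; the NAT alone opens nothing.
nat (inside,outside) source static CODER-HOST CODER-PUBLIC
! 2) PAT to the WAN interface address only when the destination is an
!    offload prefix; any other LAN traffic is untouched by this rule.
nat (inside,outside) source dynamic LAN interface destination static OFFLOAD-DST OFFLOAD-DST
```

With the static NAT listed first, the coder device keeps its public IP for offloaded destinations as well, and all other LAN hosts share the WAN address for those destinations only.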