658 Views | 0 Helpful | 3 Replies

Route Remote VPN users back out Firewall for specific Subnets

cparkelnp (Level 1)

Hello all,

Currently trying to enable our Remote VPN users to route through our primary site and back out for specific subnets. We're using an FTD 2110 running 6.6.5, managed by an FMC running 6.6.5.2.

I added the desired subnets to the split-tunnel ACL and added a few variants of NAT (OUTSIDE VPN subnet to OUTSIDE subnet).

I've gotten this to work on our ASA with hairpinning before, but I'm not sure how the FTD handles it.

Thanks!

3 Replies

There are differences between ASA and FTD: ASA allows VPN traffic by default,

FTD needs an ACL to allow VPN traffic.

Hi,

Could you please confirm whether you have already configured the following points?

1- Did you bypass the NAT rules for the Remote Access VPN's traffic? (A NAT exemption should be there for the source or inside interface.)
2- Did you ensure the routing of the traffic? Is it colliding with any other routes in the table and not taking precedence?
3- Is your DNS flow complete and configured correctly?
4- For split tunneling, you need to bypass the irrelevant traffic and pass only the intended traffic to the specific internal network via the tunnel.

Regards.

Without seeing your configuration it is difficult to pinpoint where the issue is. But a few things to verify you have configured correctly:

  • verify that the twice NAT statement is correct, i.e. that the source and destination translations are correct, or that the dynamic NAT for the VPN users is correct.
  • verify whether you need to add an access-list to allow this traffic. On the CLI, issue the command show run sysopt. If this is disabled (no sysopt connection permit-vpn), then you need to add an access-list allowing this VPN traffic on the outside interface.
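Putting the three replies' checks together, the following ASA-style configuration shows what a working u-turn (hairpin) of remote-access VPN traffic for specific destination subnets looks like. This is an added example, not configuration from the thread or from the poster's devices: interface names, object names, the VPN pool and all addresses are placeholders. On FTD the same pieces are built in FMC (NAT policy for the twice NAT and the exemption, Access Control policy for the permit rule, RA VPN group policy for split tunneling, and the "sysopt permit-vpn" bypass option) and the resulting FTD running config reads in similar form.

```cisco
! Hairpinning sends traffic back out the interface it arrived on,
! so intra-interface traffic on outside must be permitted
same-security-traffic permit intra-interface

! Placeholder VPN pool, internal network and the destination subnet
! that VPN clients should reach via the hub instead of directly
ip local pool RAVPN-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
object network RAVPN-POOL-NET
 subnet 10.99.0.0 255.255.255.0
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
object network HAIRPIN-DST
 subnet 203.0.113.0 255.255.255.0

! NAT exemption (reply 2, point 1): identity twice NAT so inside <-> VPN pool
! traffic is not translated; no-proxy-arp and route-lookup avoid ARP and
! routing side effects of the static mapping
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static RAVPN-POOL-NET RAVPN-POOL-NET no-proxy-arp route-lookup

! Hairpin twice NAT (reply 3, first bullet): VPN clients going to HAIRPIN-DST
! enter and leave outside, PAT'd to the outside interface address;
! the destination clause limits the rule to the chosen subnet
nat (outside,outside) source dynamic RAVPN-POOL-NET interface destination static HAIRPIN-DST HAIRPIN-DST

! Split tunnel (reply 2, point 4): only the inside network and the
! hairpinned subnet are sent through the tunnel
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 203.0.113.0 255.255.255.0
group-policy RAVPN-GP internal
group-policy RAVPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Reply 1 / reply 3, second bullet: if decrypted VPN traffic is not bypassing
! the interface ACL, it must be permitted explicitly on outside
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit ip object RAVPN-POOL-NET object INSIDE-NET
access-list OUTSIDE-IN extended permit ip object RAVPN-POOL-NET object HAIRPIN-DST
access-group OUTSIDE-IN in interface outside
```

Two checks worth running after the policy is deployed: `packet-tracer input outside tcp 10.99.0.10 12345 203.0.113.10 443` shows which NAT rule and ACL entry a VPN client's flow hits (with placeholder addresses replaced by your own), and `show nat detail` confirms the hairpin rule is being matched rather than shadowed by an earlier dynamic rule. Ordering matters: the identity exemption must sit above the hairpin PAT in the manual NAT section, otherwise inside-bound VPN traffic can be translated by mistake.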