Secondary outside/wan IP address or Nat to itself on FTD via FMC

ibrahimovbahruz
Level 1

Hi all,


I have an FTD 6.3 on Firepower 4110.  It is configured in routed mode with "the usual" configuration: outside, inside, DMZ, and serverfarm interfaces/zones with traffic allowed out but not in. I also have AnyConnect services for remote access VPN services.

The main difference is that on the outside interface I have a 10.x.x.1 private IP address. The Firepower is directly connected to a Cisco 6509 via a point-to-point connection. The provider reserved 82.y.y.0/29 public IP addresses and sends them via static routing to 10.x.x.1.


I configured static, dynamic, etc. NATs for our needs. They work well.


My main difficulty is with AnyConnect VPN. From the provider network I can connect to the 10.x.x.1 private IP via AnyConnect; there is no problem with this. But from the Internet, I can't connect to the VPN, because there is no public IP address on the outside interface.

Could you help me to correctly configure the AnyConnect VPN NAT rule and access policy in this situation?


7 Replies

You would need to configure port forwarding on the 6509. Easiest would be to have a dedicated public IP for AnyConnect, but if you cannot do that, then forward ports tcp/443 and udp/443 to 10.x.x.1.

--
Please remember to select a correct answer and rate helpful posts

Thank you for your reply. If I assign the public IP address directly to the FTD outside interface, it means that the other side of this link on the 6509 should be a public IP address also. But that is contrary to company policy. Without ISG there would be no public IP addresses on interfaces of other devices.

AndreaTornaghi
Level 1

Is it feasible for you to change your design and assign the public subnet directly to the FTD's outside interface?

In this way you should be able to use remote access VPN without any kind of problem.

Dear Andrea Tornaghi, thank you for your reply!
If I assign the public IP address directly to the FTD outside interface, it means that the other side of this link on the 6509 should be a public IP address also. But that is contrary to company policy. Without ISG there would be no public IP addresses on interfaces of other devices.

You would not necessarily need the public IP on the 6509; you could just trunk a VLAN straight through to the ISP / next-hop router. Another option would be to assign a private IP to the ASA, and then route that to a VRF on the 6509 that is just for Internet, and place the public IP and the newly created private IP in that VRF. Then route all traffic to the ASA and have a default route pointing out the newly created interface IP.

--
Please remember to select a correct answer and rate helpful posts

You could use a dedicated VLAN between your ISP and your ASA and remove the layer 3 configuration for public connectivity from your 6509.
In this way you can use your switched network to transport ISP connectivity without configuring any public IP address on the 6509.

Isn't that what I already said?

--
Please remember to select a correct answer and rate helpful posts