Access control policy in the Remote Access VPN Firepower

raymng
Level 1

Hi there,

I am setting up a new Firepower to be used solely for Remote Access VPN purposes. One interface points to the external network, and one interface toward the inside network. All AnyConnect VPN traffic would be pointed to another internal firewall for inspection, routing, and NAT (if needed).

The "ask" is regarding the access control policy (ACP) on the Firepower: is it reasonable to have no rules and the 'Default Action' set to "Access Control: Block all traffic"? Any other considerations I should think about regarding the ACP configuration?

Thanks in advance.

3 Replies

Hi @raymng 

You would need to set the default action to allow if you wish to permit the traffic, not block all. You could select the option to bypass the Access Control policy in the VPN configuration, but this only bypasses inbound traffic, so I would just change the ACP rather than disable this option.

If you are routing the VPN clients' internet traffic through the VPN tunnel and routing this via the other firewall, you should create a "tunnelled" default route for this traffic; this would apply to the VPN traffic only. Or, if this Firepower device is intended to provide internet access for the RAVPN, then you would need a NAT rule for internet access and a NAT exemption rule (to ensure traffic between the RAVPN clients and the internal networks is not unintentionally translated by the other NAT rule).

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

No need for a Prefilter policy for RA VPN; the prefilter "tunneled" rule is used for VPN traffic passing through, not VPN terminating on the FTD.

The ACP has two parts:

1- From the OUT to the IN zone:

A- You need an ACP rule if you don't use VPN bypass.

B- You don't need an ACP rule if you use VPN bypass.

2- From the IN to the OUT zone:

If you have an ACP configured for the IN zone, then you need to allow traffic from the internal network to the VPN pool.

MHM
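To make the two directions discussed in this thread concrete, here is a small policy model as an added example (it is not code from any of the posters or from Cisco). It assumes a simplified FTD behaviour in which the VPN bypass option exempts only freshly decrypted tunnel traffic on the outside zone, and it uses constructed placeholder subnets for the VPN pool and the inside network.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    action: str  # "ALLOW" or "BLOCK"

    def matches(self, flow):
        return (flow.src_zone == self.src_zone and flow.dst_zone == self.dst_zone
                and ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net))

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    from_vpn: bool = False  # True when the packet was just decrypted from the RA VPN tunnel

@dataclass
class Acp:
    rules: list
    default_action: str       # the ACP "Default Action"
    bypass_acp_for_vpn: bool  # the "bypass Access Control policy" VPN option

    def decide(self, flow):
        # Simplified model (assumption): bypass exempts only decrypted tunnel traffic
        # entering on the outside zone; inside-originated traffic toward the VPN pool
        # is still evaluated against the rules, then the default action.
        if self.bypass_acp_for_vpn and flow.from_vpn:
            return "ALLOW (vpn bypass)"
        for r in self.rules:
            if r.matches(flow):
                return f"{r.action} ({r.name})"
        return f"{self.default_action} (default)"

# Constructed sample addressing (placeholders, not from the thread).
VPN_POOL, INSIDE = "10.99.0.0/24", "10.10.0.0/16"
client_to_inside = Flow("outside", "inside", "10.99.0.5", "10.10.1.20", from_vpn=True)
inside_to_client = Flow("inside", "outside", "10.10.1.20", "10.99.0.5")

def evaluate(acp):
    return {"client->inside": acp.decide(client_to_inside),
            "inside->client": acp.decide(inside_to_client)}

# Default Block + bypass: tunnel traffic passes, but inside-initiated traffic to the pool is dropped.
block_with_bypass = Acp([], "BLOCK", True)
# Adding the explicit inside -> VPN pool allow rule, as advised above, fixes the second direction.
with_rule = Acp([Rule("inside-to-vpn-pool", "inside", "outside", INSIDE, VPN_POOL, "ALLOW")], "BLOCK", True)
```

Running `evaluate` on both policies shows why "no rules, default Block" only works for the client-initiated direction, and only while bypass stays enabled.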

Thanks. I will do some testing myself to ensure I fully understand your info. Currently, I have VPN bypass enabled.