10-15-2025 08:55 PM
My FTD public-facing interfaces are using "front door" VRF setups and I need to enable an interface for RA VPN. From what I have found, the challenge is going to be leaking my internal routes to the "front door" VRF interface. I've seen examples using route-maps, dynamic routing protocols, redistribution, etc., so there seem to be several ways to accomplish this. Can anybody recommend a simple, straightforward option for doing this?
Thanks
10-15-2025 11:15 PM
Check one of the examples (see if that meets your requirement?)
https://docs.defenseorchestrator.com/cdfmc/t-ravpn-vr-config-example.html
10-15-2025 11:22 PM
@tato386 "You cannot use interfaces that belong to user-defined virtual routers in policy-based site-to-site or remote access VPNs."
10-16-2025 06:36 AM - edited 10-16-2025 06:37 AM
"supported only on..." is sometimes not the same as "won't work".
10-17-2025 07:18 AM
Update: FWIW, I set up RA using SSL and EntraID as IdP and enabled it on the outside interface, which is a member of a user-defined VRF. I used static routes to leak inside networks to the VRF and leaked the VPN pool to the global routing table, and it seems to work. Maybe there are some features that don't work with this setup, but for our purpose it seems to be working.
Thanks