FTD VPN with Cisco AnyConnect

phil96564
Level 1

Hi all

We have remote access VPN set up via Cisco AnyConnect, terminating on the outside interface of the FTD. We also have a site-to-site VPN in place, from the FTD to a company, and one of the remote access users needs to connect via HTTPS to a server (172.16.x.x) over the site-to-site VPN while connected via remote access. On the FTD we have routing in place to send traffic destined for the server out of the outside interface of the FTD, i.e. over the S2S VPN, which is how it should be.

I would expect traffic from the VPN user to hit the firewall on its outside interface then go straight out again, and we have a hairpin rule in place to allow exactly that. What is happening though is that the incoming traffic is being directed inwards, despite the route telling it to go outwards, hitting the core switch then being routed back to the internal interface of the FTD where it is blocked because there is no inside to outside rule allowing that traffic flow. If I connect to RA VPN and do a traceroute the first hop is the core switch, then it times out.

It appears the FTD is considering the IP address of the server as an internal address despite it being included in the "protected networks" part of the S2S VPN configuration.

Can anyone suggest any configuration that I should check to ensure it flows as expected?

Thanks in advance,

Phil.

3 Replies

lciccare
Cisco Employee

Hi @phil96564.

Can you please provide more details on how you configured the NAT rule?
Also, can you please provide a networking scheme (a picture or whatever) to understand better the scenario?

Thanks.

Luca

It sounds like the issue you're experiencing is related to routing and NAT configuration on your Cisco FTD appliance. Here are some suggestions for troubleshooting the issue:

Verify that the hairpin rule is properly configured: Double-check that the hairpin rule is configured correctly on the FTD appliance. Make sure that the rule allows the necessary traffic to flow between the internal and external interfaces, and that the NAT settings are properly configured.

Check the NAT configuration: Verify that the NAT configuration on the FTD appliance is properly configured. Make sure that the necessary NAT rules are in place to allow the traffic to flow properly between the VPN user and the server over the site-to-site VPN.

Review the routing configuration: Review the routing configuration on the FTD appliance and the core switch to ensure that the traffic is being routed correctly. Make sure that the routes are properly configured to allow the traffic to flow between the VPN user and the server over the site-to-site VPN.

Check the access control policy: Verify that the access control policy on the FTD appliance is properly configured to allow the necessary traffic to flow between the VPN user and the server over the site-to-site VPN.

Enable logging: Enable logging on the FTD appliance and the core switch to help troubleshoot the issue. Check the logs to see if there are any errors or messages related to the traffic flow.

Please do not forget to rate.

I think you need NAT (out,out) static <VPN pool> <VPN pool> <server subnet> <server subnet>
then you must include the VPN Pool in the ACL of the S2S VPN
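The hairpin setup the last reply describes, written out as ASA/FTD-style CLI (what `show running-config` on the FTD would show; in FMC the same pieces are the Manual NAT rule and the S2S "protected networks"). This is an added example, not configuration from the original thread; the VPN pool 10.10.10.0/24, the server subnet 172.16.1.0/24 and all object names are constructed placeholders.

```cisco
! Constructed objects: AnyConnect address pool and the remote protected subnet.
object network RA_VPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network S2S_SERVER_NET
 subnet 172.16.1.0 255.255.255.0
!
! Traffic arrives on "outside" (RA tunnel) and must leave on "outside" (S2S tunnel).
same-security-traffic permit intra-interface
!
! Identity twice-NAT, outside-to-outside, so no other NAT rule rewrites or
! diverts the flow. route-lookup makes the egress interface come from the
! routing table instead of the NAT rule's interface pair.
nat (outside,outside) source static RA_VPN_POOL RA_VPN_POOL destination static S2S_SERVER_NET S2S_SERVER_NET no-proxy-arp route-lookup
!
! The S2S crypto ACL (FMC "protected networks") must list the VPN pool as a
! local network, and the peer must mirror it, or the traffic is not encrypted.
access-list S2S_CRYPTO_ACL extended permit ip object RA_VPN_POOL object S2S_SERVER_NET
!
! Verification from the FTD CLI: the NAT and ROUTE-LOOKUP phases should both
! select "outside" as the egress interface, and the final action should be ALLOW.
! packet-tracer input outside tcp 10.10.10.5 12345 172.16.1.10 443 detailed
! show route 172.16.1.10
! show crypto ipsec sa peer <S2S peer IP>
```

If packet-tracer shows the egress interface as "inside" in the NAT phase, an existing inside/outside NAT rule is matching the flow before this one and is overriding the route; move the identity rule above it in the NAT table.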