03-09-2023 05:09 AM
Hi all
We have remote access VPN setup via Cisco AnyConnect, terminating on the outside interface of the FTD. We also have a site to site VPN in place, from the FTD to a company, and one of the remote access users needs to connect via HTTPS to a server (172.16.x.x) over the site to site VPN while connected via remote access. On the FTD we have routing in place to send traffic destined for the server out of the outside interface of the FTD, i.e. over the S2S VPN, which is how it should be.
I would expect traffic from the VPN user to hit the firewall on its outside interface then go straight out again, and we have a hairpin rule in place to allow exactly that. What is happening though is that the incoming traffic is being directed inwards, despite the route telling it to go outwards, hitting the core switch then being routed back to the internal interface of the FTD where it is blocked because there is no inside to outside rule allowing that traffic flow. If I connect to RA VPN and do a traceroute the first hop is the core switch, then it times out.
It appears the FTD is considering the ip address of the server as an internal address despite it being included in the "protected networks" part of the S2S VPN configuration.
Can anyone suggest any configuration that I should check to ensure it flows as expected?
Thanks in advance,
Phil.
03-30-2023 12:40 AM - edited 03-30-2023 12:42 AM
Hi @phil96564 .
Can you please provide more details on how you configured the NAT rule?
Also, can you please provide a networking scheme (a picture or whatever) to understand better the scenario?
Thanks.
Luca
03-30-2023 03:24 AM
It sounds like the issue you're experiencing is related to routing and NAT configuration on your Cisco FTD appliance. Here are some suggestions for troubleshooting the issue:
Verify that the hairpin rule is properly configured: Double-check that the hairpin rule is configured correctly on the FTD appliance. Make sure that the rule allows the necessary traffic to flow between the internal and external interfaces, and that the NAT settings are properly configured.
Check the NAT configuration: Verify that the NAT configuration on the FTD appliance is properly configured. Make sure that the necessary NAT rules are in place to allow the traffic to flow properly between the VPN user and the server over the site-to-site VPN.
Review the routing configuration: Review the routing configuration on the FTD appliance and the core switch to ensure that the traffic is being routed correctly. Make sure that the routes are properly configured to allow the traffic to flow between the VPN user and the server over the site-to-site VPN.
Check the access control policy: Verify that the access control policy on the FTD appliance is properly configured to allow the necessary traffic to flow between the VPN user and the server over the site-to-site VPN.
Enable logging: Enable logging on the FTD appliance and the core switch to help troubleshoot the issue. Check the logs to see if there are any errors or messages related to the traffic flow.
03-30-2023 03:48 AM
I think you need NAT (out,out) static <VPN pool> <VPN pool> <server subnet> <server subnet>
Then you must include the VPN pool in the ACL of the S2S VPN.
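As an added illustration of the two steps in the reply above (not configuration from the original thread), this is the equivalent in the FTD's underlying ASA-style CLI; on an FMC-managed FTD the same objects are created as a manual identity NAT rule and the protected-networks entry of the S2S topology. The pool 10.10.10.0/24, the server subnet 172.16.50.0/24 and the object and ACL names are assumed placeholders.

```cisco
! Assumed addresses: 10.10.10.0/24 is the RA VPN pool,
! 172.16.50.0/24 the server subnet behind the S2S peer.
object network RA_VPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network S2S_SERVER_NET
 subnet 172.16.50.0 255.255.255.0

! Required for hairpinning: allow a flow to enter and leave the
! same (outside) interface.
same-security-traffic permit intra-interface

! Identity NAT between outside and outside so the RA client keeps its
! pool address and the flow is not pulled toward the inside interface.
! route-lookup tells the FTD to pick the egress interface from the
! routing table instead of from the NAT rule.
nat (outside,outside) source static RA_VPN_POOL RA_VPN_POOL destination static S2S_SERVER_NET S2S_SERVER_NET no-proxy-arp route-lookup

! The S2S crypto ACL (protected networks) must list the VPN pool as a
! local network, and the peer must mirror it, or the tunnel will never
! select this traffic.
access-list S2S_CRYPTO_ACL extended permit ip 10.10.10.0 255.255.255.0 172.16.50.0 255.255.255.0
```

While checking the existing rules, look for an (inside,outside) NAT exemption whose source is a broad object (for example any, or a supernet containing 172.16.x.x) and whose destination is the VPN pool: in the reverse direction such a rule selects the inside interface for egress ahead of the routing table, which is consistent with the symptom described in the first post.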