FTD with Anyconnect

Maurice Ball
Level 3

I have a customer who is using Cisco Anyconnect for user remote VPN network access on an FTD appliance. The FTD appliance is the secondary firewall on the edge of the network and is connecting to their primary firewall. They would like to route all Anyconnect VPN traffic including Internet traffic through the primary firewall which is connected on the inside interface of the FTD appliance.

Is it a way I can point the default route to the primary firewall that is on the inside interface but still allow remote VPN access on the outside interface of the FTD appliance?


4 Replies

@Maurice Ball if using an FMC to manage the FTD you can select the "tunneled" option, which will define a separate default route for VPN tunneled traffic, routing the traffic to the specified next hop - which may be different to the default route.

https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v60_chapter_01100100.pdf

However this option does not exist as of version 7.1 when managing the FTD locally using FDM.
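As an added illustration of the "tunneled" option described in the reply above (not configuration from this thread or from Cisco's documentation), this is what the FTD's running configuration looks like once FMC has pushed a normal default route on the outside interface and a second, tunneled default route toward the primary firewall on the inside interface. The addresses, interface names and the 10.99.0.0/24 AnyConnect pool are example values chosen for this illustration.

```cisco
! Added example, not from the thread. Example values:
!   outside next hop (ISP) ................ 203.0.113.1
!   primary firewall on the inside interface 10.0.0.1
!   FTD inside interface address .......... 10.0.0.2
!   AnyConnect address pool ............... 10.99.0.0/24
!
! Regular default route. Used for traffic that did NOT arrive through a VPN
! tunnel, which includes the AnyConnect TLS/DTLS session itself terminating
! on the outside interface. Remote access therefore keeps working.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Tunneled default route (the FMC "Tunneled" checkbox). Applied only to traffic
! that was decrypted from a VPN tunnel and that matches no more specific
! learned or static route, so Internet-bound user traffic goes to the primary
! firewall while internal subnets with their own routes are unaffected.
! Only a default route may be marked tunneled, and only one of them.
route inside 0.0.0.0 0.0.0.0 10.0.0.1 tunneled
!
! Return path, configured on the primary firewall (syntax depends on vendor):
! it must route the AnyConnect pool back to the FTD's inside address, or the
! replies to VPN users never reach the FTD.
!   route <inside-facing-if> 10.99.0.0 255.255.255.0 10.0.0.2
```

Verify with `show route` on the FTD: the tunneled route is listed separately from the ordinary default route, and a test client's Internet traffic should then appear in the primary firewall's logs sourced from the 10.99.0.0/24 pool.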

Sorry, but I am not understanding how to make this work based on the article. The VPN user's internal traffic and Internet traffic are both considered to be data traffic. This article states that you are able to create two default routes, one for data and one for management traffic. I do not understand how I can use that configuration in this deployment. Could you please provide more details on how that would work?

Look for Step 10 on page 4 of the document provided by @Rob Ingram.

Another option is to place the Firepower with only one interface in a DMZ of the primary Firewall. Traffic flow would be the following:

  1. AnyConnect traffic reaches outside Int of primary firewall
  2. A port-forwarding for TCP/443 and UDP/443 sends the traffic to the FTD
  3. FTD processes the AnyConnect traffic and sends it back through the default-route to the primary firewall
  4. The primary firewall can act on the traffic as needed.
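The single-interface DMZ design in the accepted answer above, written out as an added configuration example (not from the thread or from either vendor's documentation). The FTD side shows the one DMZ interface and its default route back to the primary firewall; the primary firewall side assumes ASA-family syntax, since the thread does not say what the primary firewall is, and covers the two port-forwards, the inbound access rule and the return route for the VPN pool. All addresses, object names and interface names are example values.

```cisco
! Added example, not from the thread. Example values:
!   primary firewall DMZ interface ......... 192.0.2.1
!   FTD, single interface named "dmz" ...... 192.0.2.10
!   AnyConnect address pool ................ 10.99.0.0/24
!
! --- FTD (running configuration as pushed by FMC or FDM) ---
interface GigabitEthernet0/0
 nameif dmz
 security-level 50
 ip address 192.0.2.10 255.255.255.0
!
! Everything the FTD decrypts is handed back to the primary firewall, which
! applies its own policy before the traffic reaches the LAN or the Internet.
route dmz 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! --- Primary firewall (ASA-family syntax assumed; adapt to the real vendor) ---
! Publish the FTD's VPN listener on the primary firewall's public address.
! TLS (TCP/443) and DTLS (UDP/443) need separate rules because a network
! object carries only one NAT statement. This only works if the primary
! firewall is not itself listening on 443 on its outside interface.
object network FTD-ANYCONNECT-TCP
 host 192.0.2.10
 nat (dmz,outside) static interface service tcp 443 443
object network FTD-ANYCONNECT-UDP
 host 192.0.2.10
 nat (dmz,outside) static interface service udp 443 443
!
! Permit only the two VPN ports from the Internet to the FTD (ACLs match the
! real, untranslated address on ASA 8.3 and later).
access-list OUTSIDE-IN extended permit tcp any object FTD-ANYCONNECT-TCP eq 443
access-list OUTSIDE-IN extended permit udp any object FTD-ANYCONNECT-UDP eq 443
access-group OUTSIDE-IN in interface outside
!
! Return path: the primary firewall must route the AnyConnect pool back to
! the FTD, otherwise replies to VPN users are dropped or sent to the Internet.
route dmz 10.99.0.0 255.255.255.0 192.0.2.10 1
!
! From here the dmz-to-inside and dmz-to-outside policy for source
! 10.99.0.0/24 is written on the primary firewall like any other user subnet.
```

The design point is that the FTD only ever sees the encrypted session arrive and the decrypted traffic leave on the same interface, so no second default route is needed; all access decisions, logging and NAT for VPN users happen once, on the primary firewall.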

Ok, great. Thanks for the help