Full tunnel with Cisco Anyconnect and Firepower

Smitster
Level 1

Hi all,

Running an FPR1120 Firepower FDM and have set up a remote access VPN tunnel with Cisco AnyConnect.

Tunnel connects fine and I can access internal resources but no external internet.

Need to maintain a full tunnel (no split tunnelling) and believe I may need to define a NAT rule on the FDM to allow the remote access VPN pool back out again through the firewall so it can connect to the internet, but unsure of exactly how I add this on the FDM user interface using the GUI?

Thanks in advance,

12 Replies

Hi,

You will need to define an Auto NAT rule with source interface as "outside" and destination interface "outside".

HTH

Hi,

Thanks for the reply.

So I’ve just created an Auto NAT rule, type Dynamic with Source Interface as “Outside”, Destination Interface as “Outside”, Original Address “VPN Pool” and translated address as “interface”, but this didn’t seem to work.

I’m guessing one of the settings is incorrect in the above?

Thanks,

That looks correct, you've got a rule in the ACP permitting this outbound traffic?

Please provide the output of "show nat detail" from the CLI and run packet-tracer.

There are 2 ACP rules as follows:

IncomingRule:

Source Zone outside_zone, Network VPNPool, Ports Any, Destination Zone inside_zone, Network InternalNetwork, Ports Any

OutgoingRule:

Source Zone inside_zone, Network VPNPool, Ports Any, Destination Zone outside_zone, Networks Any, Ports Any

Show NAT detail as follows:

> show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 124, untranslate_hits = 142
Source - Origin: 192.168.5.0/24, Translated: 192.168.5.0/24
Destination - Origin: 172.168.5.0/24, Translated: 172.168.5.0/24
2 (inside) to (outside) source dynamic any-ipv4 interface
translate_hits = 5093244, untranslate_hits = 836526
Source - Origin: 0.0.0.0/0, Translated: 192.168.6.2/30
Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https
translate_hits = 0, untranslate_hits = 7675
Source - Origin: 169.254.1.3/32, Translated: 192.168.5.5/24
Service - Protocol: tcp Real: https Mapped: https
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
translate_hits = 315858, untranslate_hits = 810
Source - Origin: 169.254.1.3/32, Translated: 192.168.6.2/30
3 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 131, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 192.168.5.5/24
4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 0.0.0.0/32
5 (outside) to (outside) source dynamic VPNPool interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.168.5.0/24, Translated: 192.168.6.2/30
6 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
7 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
8 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:

Thanks

The first ACP rule will permit RAVPN traffic to communicate with the inside network. The second ACP rule is incorrect; source and destination zones would be outside, as per the NAT rule.

E.g. - Source Zone outside_zone, Network VPNPool, Ports Any, Destination Zone outside_zone, Network Any, Ports Any

I assume you have other ACP rules from inside to VPNPool not listed here.
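A quick check, added here as an example and not something from the thread or from Cisco, that parses the show nat detail output quoted above and applies the reasoning of the reply: the (outside,outside) dynamic NAT rule for the pool exists but shows zero translate_hits, so the flows are being dropped before they reach NAT, and the ACP egress rule must use outside_zone on both sides. The sample output, object and zone names are taken from the thread; the dict layout used for ACP rules is my own assumption, since FDM exposes those only in the GUI.

```python
import re
# Constructed sample input: the relevant rules from the "show nat detail" output
# posted above, wrapped lines joined. Real output has more rules; all of them parse.
SHOW_NAT_DETAIL = """\
Manual NAT Policies (Section 1)
2 (inside) to (outside) source dynamic any-ipv4 interface
translate_hits = 5093244, untranslate_hits = 836526
Source - Origin: 0.0.0.0/0, Translated: 192.168.6.2/30
Auto NAT Policies (Section 2)
5 (outside) to (outside) source dynamic VPNPool interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.168.5.0/24, Translated: 192.168.6.2/30
"""
RULE_RE = re.compile(r"^\d+ \((?P<src>[\w-]+)\) to \((?P<dst>[\w-]+)\) "
                     r"source (?P<type>static|dynamic) (?P<obj>\S+)")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_nat(text):
    """Turn 'show nat detail' text into a list of rule dicts with hit counters."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if m := RULE_RE.match(line):
            rules.append({"src": m["src"], "dst": m["dst"], "type": m["type"],
                          "obj": m["obj"], "hits": None})
        elif (h := HITS_RE.search(line)) and rules:
            rules[-1]["hits"] = (int(h[1]), int(h[2]))  # counters follow their rule
    return rules

def check_hairpin_nat(rules, pool="VPNPool", outside="outside"):
    """Status of the (outside,outside) dynamic PAT rule full-tunnel RAVPN needs."""
    for r in rules:
        if (r["obj"], r["src"], r["dst"], r["type"]) == (pool, outside, outside, "dynamic"):
            # rule present but zero translate_hits: the ACP drops flows before NAT
            return "no_hits" if r["hits"] and r["hits"][0] == 0 else "ok"
    return "missing"

def has_egress_acp_rule(acp_rules, pool="VPNPool", zone="outside_zone"):
    """Hairpinned VPN traffic enters and leaves the same zone: both must be outside."""
    return any(r["src_zone"] == zone and r["dst_zone"] == zone and r["src_net"] == pool
               for r in acp_rules if r["action"] == "allow")

# Constructed: the two ACP rules as posted, then the corrected egress rule.
ACP_AS_POSTED = [
    {"action": "allow", "src_zone": "outside_zone", "src_net": "VPNPool", "dst_zone": "inside_zone"},
    {"action": "allow", "src_zone": "inside_zone", "src_net": "VPNPool", "dst_zone": "outside_zone"},
]
ACP_FIXED = ACP_AS_POSTED[:1] + [
    {"action": "allow", "src_zone": "outside_zone", "src_net": "VPNPool", "dst_zone": "outside_zone"},
]
```

A NAT rule that is present but never hit is the tell-tale here: packet-tracer from the CLI confirms the same thing by showing which ACP rule drops the flow.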

That’s fixed it, thank you.

The VPN speeds seem to be very slow - the site operates a symmetrical 100/100 leased line and the remote connection a 350Mbps broadband line, however internet speed tests through the tunnel are averaging 5Mbps and internal network transfer speeds less than 1Mbps.

Are there any settings that could be affecting this/causing the speed reduction?

Thanks,

What version of FTD are you using? What protocol SSL/TLS or IPSec? What version of AnyConnect?

Ideally to get best performance you use IKEv2/IPSec or DTLS 1.2 (DTLS 1.2 requires FTD 6.6) and AnyConnect version 4.7 or newer.

DTLS was disabled, enabling it solved it, thank you.

Last one from me, is there a way for the URL filtering policies to be applied to the Remote Access VPN users?

Thanks,

Yes, you can apply the policies to the source of the RAVPN network.

So I’ve added an ACP as follows:

Name RAVPNFilter, Action Block, Source Zone Outside Zone, Network VPNPool, Destination Zone OutsideZone, then a list of applications/URL categories for blocking.

Couldn’t get this to work though. I’ve tried changing source from outsidezone to insidezone as well but no result.

What am I missing?

Thanks,

Smitster
Level 1

Hi,

Following up on the above thread as I still haven’t managed to get web filters working on the remote access VPN pool.

I have an ACP block rule that currently has source as inside, network vpnpool, destination outside with a list of URL categories for filtering but no result.

Please can someone assist? Thanks

@Smitster 

Source Zone for RAVPN network would be the outside not inside.

If access is still somehow working, determine if there is a more specific rule above this rule.

Use the system support firewall-engine-debug command from the CLI to confirm, when the traffic is permitted, which rule is permitting it.
