Full tunnel with Cisco Anyconnect and Firepower

Hi all,

Running an FPR1120 Firepower with FDM and have set up a remote access VPN tunnel with Cisco AnyConnect.

The tunnel connects fine and I can access internal resources, but there is no external internet access.

I need to maintain a full tunnel (no split tunnelling) and believe I may need to define a NAT rule on the FDM to allow the remote access VPN pool back out again through the firewall so it can reach the internet, but I'm unsure exactly how to add this in the FDM GUI.

Thanks in advance,

VIP Advisor

Hi,

You will need to define an Auto NAT rule with source interface as "outside" and destination interface "outside".

HTH

Hi,

Thanks for the reply.

So I've just created an Auto NAT rule, type Dynamic, with Source Interface as "Outside", Destination Interface as "Outside", Original Address "VPN Pool" and translated address as "interface", but this didn't seem to work.

I'm guessing one of the settings is incorrect in the above?

Thanks,

VIP Advisor

That looks correct; do you have a rule in the ACP permitting this outbound traffic?

Please provide the output of "show nat detail" from the CLI and run packet-tracer.

There are 2 ACP rules as follows:

IncomingRule:

Source Zone outside_zone, Network VPNPool, Ports Any, Destination Zone inside_zone, Network InternalNetwork, Ports Any

OutgoingRule:

Source Zone inside_zone, Network VPNPool, Ports Any, Destination Zone outside_zone, Network Any, Ports Any

Show NAT detail as follows:

> show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 124, untranslate_hits = 142
Source - Origin: 192.168.5.0/24, Translated: 192.168.5.0/24
Destination - Origin: 172.168.5.0/24, Translated: 172.168.5.0/24
2 (inside) to (outside) source dynamic any-ipv4 interface
translate_hits = 5093244, untranslate_hits = 836526
Source - Origin: 0.0.0.0/0, Translated: 192.168.6.2/30
Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface service tcp https https
translate_hits = 0, untranslate_hits = 7675
Source - Origin: 169.254.1.3/32, Translated: 192.168.5.5/24
Service - Protocol: tcp Real: https Mapped: https
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
translate_hits = 315858, untranslate_hits = 810
Source - Origin: 169.254.1.3/32, Translated: 192.168.6.2/30
3 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 131, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 192.168.5.5/24
4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 0.0.0.0/32
5 (outside) to (outside) source dynamic VPNPool interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.168.5.0/24, Translated: 192.168.6.2/30
6 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
7 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
8 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:

Thanks

VIP Advisor

The first ACP rule will permit RAVPN traffic to communicate with the inside network. The second ACP rule is incorrect: source and destination zones would both be outside, as per the NAT rule.

E.g. - Source Zone outside_zone, Network VPNPool, Ports Any, Destination Zone outside_zone, Network Any, Ports Any

I assume you have other ACP rules from inside to VPNPool not listed here.
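As an added example (not code from this thread or from Cisco), the Python check below parses an abridged copy of the "show nat detail" output posted above and cross-checks the VPN pool's hairpin NAT rule against the two ACP rules as described, reporting the zone mismatch and the zero hit count that point at the ACP. The dict representation of the ACP rules, the `<interface>_zone` naming and the function names are assumptions made for the example.

```python
import re

# Abridged copy of the 'show nat detail' output posted above (constructed for this example).
SHOW_NAT = """\
Auto NAT Policies (Section 2)
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
translate_hits = 315858, untranslate_hits = 810
5 (outside) to (outside) source dynamic VPNPool interface
translate_hits = 0, untranslate_hits = 0
"""
# The two ACP rules from the thread as dicts (assumed representation, not FDM's own format).
ACP_RULES = [
    {"name": "IncomingRule", "src_zone": "outside_zone", "src_net": "VPNPool",
     "dst_zone": "inside_zone", "dst_net": "InternalNetwork"},
    {"name": "OutgoingRule", "src_zone": "inside_zone", "src_net": "VPNPool",
     "dst_zone": "outside_zone", "dst_net": "any"},
]
RULE_RE = re.compile(r"^\d+ \((\w+)\) to \((\w+)\) source (\w+) (\S+)")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_nat(text):
    """Return one dict per NAT rule: interfaces, rule kind, source object, translate hits."""
    rules, current = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {"src_if": m[1], "dst_if": m[2], "kind": m[3], "object": m[4], "hits": None}
            rules.append(current)
        elif current is not None and (h := HITS_RE.search(line)):
            current["hits"] = int(h[1])
    return rules

def check_ravpn_egress(nat_rules, acp_rules, pool="VPNPool"):
    """Return (findings, problems): full-tunnel clients enter and leave on outside, so the
    pool's NAT is outside->outside and the ACP rule for pool->any must use the outside zone
    on both sides (zone names assumed to be '<interface>_zone', as in the thread)."""
    findings, problems = [], []
    nat = next((r for r in nat_rules if r["object"] == pool and r["kind"] == "dynamic"), None)
    if nat is None:
        return findings, [f"no dynamic NAT rule found for {pool}"]
    if nat["hits"] == 0:
        findings.append(f"{pool} NAT rule has 0 translate_hits: traffic never reaches NAT")
    want = (nat["src_if"] + "_zone", nat["dst_if"] + "_zone")
    for acp in acp_rules:
        if acp["src_net"] == pool and acp["dst_net"] == "any" \
                and (acp["src_zone"], acp["dst_zone"]) != want:
            problems.append(f"ACP {acp['name']} zones {acp['src_zone']}->{acp['dst_zone']} "
                            f"do not match NAT {want[0]}->{want[1]}")
    return findings, problems
```

Running `check_ravpn_egress(parse_nat(SHOW_NAT), ACP_RULES)` flags OutgoingRule's inside_zone source; changing that source zone to outside_zone clears the problem list.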

That's fixed it, thank you.

The VPN speeds seem to be very slow: the site operates a symmetrical 100/100 leased line and the remote connection a 350Mbps broadband line, however internet speed tests through the tunnel are averaging 5Mbps and internal network transfer speeds less than 1Mbps.

Are there any settings that could be affecting this/causing the speed reduction?

Thanks,

VIP Advisor

What version of FTD are you using? Which protocol, SSL/TLS or IPSec? What version of AnyConnect?

Ideally, to get the best performance, use IKEv2/IPSec or DTLS 1.2 (DTLS 1.2 requires FTD 6.6) and AnyConnect version 4.7 or newer.

DTLS was disabled; enabling it solved it, thank you.

Last one from me: is there a way for the URL filtering policies to be applied to the Remote Access VPN users?

Thanks,

VIP Advisor

Yes, you can apply the policies to the source of the RAVPN network.

So I've added an ACP rule as follows:

Name RAVPNFilter, Action Block, Source Zone Outside Zone, Network VPNPool, Destination Zone OutsideZone, then a list of applications/URL categories for blocking.

Couldn't get this to work though. I've tried changing the source from outsidezone to insidezone as well, but no result.

What am I missing?

Thanks,