Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
606
Views
0
Helpful
2
Replies

Need to terminate anyconnect VPN to another interface

mftsupport
Level 1
Level 1

‎03-18-2020 07:09 PM

Hello,

On our firepower we have an Internet facing outside interface which the system default route is pointing to and we are bringing up another Internet facing interface to solely terminate our anyconnect vpn users.
As far as we understand, the ingress traffic from vpn clients to our required internal resources will work fine however the egress traffic will match with default route going to the old outside interface since it's looking at the public IP addresses on the egress traffic.
Is there any way to point back the VPN users traffic to the same interface they originally terminated without changing the system default route from old outside interface?
We need a response on this ASAP as we need to enable this for many users who should work remotely because of the current COVID-19 crisis.
Thanks

Labels:
0 Helpful
2 Replies 2

Cristian Matei
VIP Alumni
VIP Alumni

‎03-19-2020 07:23 AM

Hi,

 

    I see couple of options, depends which one fits you better:

           1. You could run FTD multi-instance, but you need a 4100/9300 hardware

           2. If you have another layer 3 device in between FTD and ISP, you could do PBR on that intermediate layer3 device

           3. You could configure the default route towards your new ISP (where VPN is terminated) and use PBR to route internal user's traffic to the Internet via the existing primary ISP; you can do this via FlexConfig, not sure if it's supported via SmartCLI

           4. You could keep the default route as it is via the primary ISP, and configure PBR to route all traffic from your internal resources towards the VPN protected subnets towards your secondary/new ISP, where VPN is terminated; if you run full-tunnelling for VPN users, and you allow Internet access through the VPN headend, another PBR would be needed to route traffic sourced from VPN client pool to the Internet via the secondary/new ISP (this is not required, only if you want Internet traffic for VPN users to use the same second provider)

 

Regards,

Cristian Matei.

0 Helpful

jdmedeiros
Level 1
Level 1

‎03-19-2020 03:35 PM

I did something similar on a router. I used route maps. You may be able to use it as well; keep in mind the order of operations. 

0 Helpful
Customers Also Viewed These Support Documents