Setup VPN Connection Profile and Anyconnect in Firepower 1010

Markflan
Level 1

Hi All,

I've followed a step by step guide to setting up a VPN connection profile in my new 1010. In one section I've to create an AnyConnect IP pool, which is fine, and all looked good and the AnyConnect is working, but bear with me if this is a stupid question. So my internal office network IP range is 192.168.95.x and the newly created VPN pool IP is 192.168.19.x. The reason it's 19 is I'm not able to create a VPN pool with my existing IP? So obviously this is the reason when I connect via the AnyConnect app I can't map or browse to my internal network? But am I missing something here to allow this to work? A rule, or how to give the AnyConnect my internal IP?
 
 
Sorry if this is a trivial thing to most, but I'm not a Cisco person, I know some things but am definitely not fully up to speed on these Cisco FWs.
 
Thanks so much for any advice.
Mark
 
26 Replies

@Markflan you probably need a NAT exemption rule to ensure traffic between your internal network and your VPN IP pool is not unintentionally translated.

If you are using FDM to manage the device the Remote Access VPN wizard does allow you to configure NAT exemption.

Or you can manually create the NAT rule, example:

[screenshot: example NAT exemption rule]

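As an added illustration (not part of Rob's reply or of any Cisco documentation), this is roughly what the NAT exemption he describes looks like once deployed, as shown by `show running-config nat` on the FTD CLI. The object names, interface names (inside/outside) and the 192.168.95.0/24 and 192.168.19.0/24 networks are taken from later in the thread or assumed; FDM generates this configuration for you, it is not typed in by hand.

```cisco
! Added example, not from the thread: FTD running configuration for NAT exemption.
! Object and interface names are assumptions based on the thread.
object network Internal
 subnet 192.168.95.0 255.255.255.0
 ! Dynamic PAT so inside hosts reach the internet (object NAT, section 2).
 ! On its own this also catches inside -> VPN-pool traffic and translates it,
 ! so the VPN client never sees the server's real address: that is the fault.
 nat (inside,outside) dynamic interface

object network AnyConnect_Pool
 subnet 192.168.19.0 255.255.255.0

! Manual (twice) NAT exemption. Manual NAT sits in section 1 and is evaluated
! before the object NAT above, so inside <-> VPN-pool traffic keeps its real
! addresses in both directions. no-proxy-arp and route-lookup are the usual
! companions so the FTD does not answer ARP for the pool or pick the wrong egress.
nat (inside,outside) source static Internal Internal destination static AnyConnect_Pool AnyConnect_Pool no-proxy-arp route-lookup
```

The thing to check against your own `show nat` output is ordering: the static identity rule must be listed above the dynamic PAT rule, otherwise the exemption is never reached.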
 

Hi @Rob Ingram, many thanks for your message. I had a NAT rule in already, but I set up one the same as the sample and still, after I connect, I can't ping or access my server shares etc.

@Markflan do you have rules in your Access Control Policy (ACP) to permit the traffic? Unlike the ASA, by default on the FTD you must explicitly permit VPN traffic.

You can run packet-tracer from the CLI to simulate the traffic flow; this will provide a clue where the issue is. Or you can run system support firewall-engine-debug from the CLI, then generate real traffic from your PC; this will confirm which ACP rule the traffic matches.

[screenshot: current access control rule]

Here is the rule listed.

@Markflan  so that won't work, this will only allow traffic inside the network to communicate outbound. For VPN traffic you need to create a new rule that permits traffic sourced from your VPN IP pool network to the destination of the inside networks.

Hi Rob, thanks for your assistance. So I've created a new rule?

[screenshot: new access control rule]

 

@Markflan that looks ok for VPN traffic assuming the objects for "AnyConnect_Pool" and "Internal" represent the respective networks. Have you deployed this and confirmed it's working?

Morning Rob. So I created a new object in my networks with my internal range 192.168.95.0, and as you see there my AnyConnect pool is 192.168.19.0, but still not working?

[screenshot: network objects]

 

Update: I went back in and changed the FDM Local network object to be my internal range and it NOW let me put that in. Very odd, as that kept failing and wouldn't let me originally. So now it's the 95.x range, so I've changed my policy to be that now, but still when I connect I can't ping my server or map anything, and I'm sure I'm missing something very simple here!!

@Markflan please provide a screenshot of your NAT rules.

Here you go.

[screenshot: NAT rules]

And the AC rules:

[screenshot: access control rules]

 

 

@Markflan Is the "FDM_Local_Network" object (used in the NAT and ACP rules) now 192.168.95.0?

I assume the internal network can reach the internet via this FTD?

Run packet-tracer from the CLI to simulate the traffic flow; this will provide a clue where the issue is. Example:

packet-tracer input outside tcp 192.168.19.100 300 192.168.95.10 80 detailed

Or you can run system support firewall-engine-debug from the CLI, then generate real traffic from your PC; this will confirm which ACP rule the traffic matches.
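The following is an added verification sequence, not part of Rob's reply, that puts his two suggestions together with the NAT and policy checks they depend on. It is run from the FTD CLI (the `>` prompt) and uses the thread's addresses: 192.168.19.100 stands for a connected AnyConnect client and 192.168.95.10 for an inside server; both are assumed values.

```cisco
! Added example, not from the thread. Addresses are assumptions.

! 1. Confirm the NAT exemption exists, sits above any dynamic PAT rule, and is
!    actually being hit: translate_hits / untranslate_hits should increase as
!    VPN traffic flows. If they stay at 0 the exemption is not matching.
show nat detail

! 2. Confirm the deployed access control policy really contains the
!    VPN-pool -> inside permit rule (FDM changes are not live until deployed).
show access-control-config

! 3. Simulate the client opening a file share on the server (SMB, TCP/445).
!    Read the phases top to bottom; the first phase whose Result is DROP names
!    the subsystem at fault (ROUTE-LOOKUP, NAT, ACCESS-LIST, ...).
packet-tracer input outside tcp 192.168.19.100 30000 192.168.95.10 445 detailed

! 4. Check the return direction too: a server reply that is NAT'd or has no
!    route back to the pool shows up here even when step 3 is clean.
packet-tracer input inside tcp 192.168.95.10 445 192.168.19.100 30000 detailed

! 5. Watch real traffic against the ACP. Start this, then ping or map the
!    share from the client; the output names the rule each flow matches.
!    Stop with Ctrl+C.
system support firewall-engine-debug
```

A client-side ping failing on its own proves little, because a Windows server commonly drops ICMP from non-local subnets at its host firewall; the packet-tracer and debug output above show whether the FTD is the thing blocking the flow.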

It is indeed.

[screenshot: FDM_Local_Network object]

 

Stuck at the first hurdle.

[screenshot: CLI attempt]

 

 

@Markflan use SSH with PuTTY. And what about running that other command I previously suggested?