Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3233
Views
0
Helpful
26
Replies

Setup VPN Connection Profile and Anyconnect in Firepower 1010

Markflan
Level 1
Level 1

‎09-28-2023 03:46 PM

Hi All,

Ive followed a step by step guide to setting up a VPN connection profile in my new 1010 .... in one section ive to create a anyconnect IP pool which is fine and all looked good and the anyconnect is working but bare with me if this is a stupid question. So my internal office network IP range is 192.168.95.x and the newly created VPN Pool IP is 192.168.19.x .... reason its 19 is im not able to create a VPN pool with my exisiting IP ? so obviously this is the reason when i connect via anyconnect app i cant map or browse to my internal network ? but am i missing somthing here to allow this to work ? a rule or how to give the anyconnect my internal IP?
 
 
sorry if this is a trivial thing to most but im not a cisco person but know somethings and definetly not fully up to speed on these Cisco FWs ?
 
thanks so much for any advice
Mark
 
Labels:
0 Helpful
26 Replies 26

Rob Ingram
VIP
VIP

‎09-28-2023 11:26 PM

@Markflan you probably need a NAT exemption rule to ensure traffic between your internal network and your VPN ip pool is not unintentially translated.

If you are using FDM to manage the device the Remote Access VPN wizard does allow you to configure NAT exemption.

Or you can manually create the NAT rule, example:

RobIngram_0-1695968540747.png

 

0 Helpful

Markflan
Level 1
Level 1
In response to Rob Ingram

‎09-29-2023 01:48 PM

Hi @Rob Ingram many thanks for your message i had a NAT rule in already but i setup one same as the sample but still after i connect i cant ping or access my server shares etc ? 

0 Helpful

Rob Ingram
VIP
VIP
In response to Markflan

‎09-29-2023 01:57 PM - edited ‎09-29-2023 02:00 PM

@Markflan  do you have rules in your Access Control Policy (ACP) to permit the traffic? Unlike the ASA by default on the FTD you must explictly permit VPN traffic.

You can run packet-tracer from the CLI to simulate the traffic flow, this will provide a clue where the issue is. Or you can run system support firewall-engine-debug from the CLI, then generate real traffic from your PC, this will confirm which ACP rule the traffic matches.

0 Helpful

Markflan
Level 1
Level 1
In response to Rob Ingram

‎09-29-2023 02:09 PM

Markflan_0-1696021744820.png

here is the rule listed 

0 Helpful

Rob Ingram
VIP
VIP
In response to Markflan

‎09-29-2023 02:13 PM

@Markflan  so that won't work, this will only allow traffic inside the network to communicate outbound. For VPN traffic you need to create a new rule that permits traffic sourced from your VPN IP pool network to the destination of the inside networks.

0 Helpful

Markflan
Level 1
Level 1
In response to Rob Ingram

‎09-29-2023 03:07 PM

hi Rob .. thanks for your assistance so ive created a new rule ?

Markflan_0-1696025251974.png

 

0 Helpful

Rob Ingram
VIP
VIP
In response to Markflan

‎09-29-2023 11:34 PM

@Markflan that looks ok for VPN traffic assuming the objects for "AnyConnect_Pool" and "Internal" represent the respective networks. Have you deployed this and confirmed it's working?

0 Helpful

Markflan
Level 1
Level 1
In response to Rob Ingram

‎09-30-2023 04:03 AM

Morning Rob, So i created a new object in my networks with my internal range 192.168.95.0 and as you see there my Anyconnect pool is 192.168.19.0 but still not working ?

Markflan_0-1696071683213.png

 

0 Helpful

Markflan
Level 1
Level 1
In response to Markflan

‎09-30-2023 04:20 AM

update.. i went back in and changed the FDM Local network object to be my internal range and it NOW let me put that in .. very odd as that kept failing and wouldnt let me originally .. so now its the 95.x range so ive changed my policy to be that now but still when i connect i cant ping my server or map anything and im sure im missing somthing very simple here !!

0 Helpful

Rob Ingram
VIP
VIP
In response to Markflan

‎09-30-2023 04:24 AM

@Markflan please provide a screenshot of your NAT rules.

0 Helpful

Markflan
Level 1
Level 1
In response to Rob Ingram

‎09-30-2023 04:30 AM - edited ‎09-30-2023 04:32 AM

here you go 

Markflan_0-1696073424760.png

and AC

Markflan_1-1696073547098.png

 

 

0 Helpful

Rob Ingram
VIP
VIP
In response to Markflan

‎09-30-2023 05:03 AM - edited ‎09-30-2023 05:11 AM

@Markflan  Is the "FDM_Local_Network" object (used in the NAT and ACP rules) now 192.168.95.0?

I assume the internal network can reach the internet via this FTD?

Run packet-tracer from the CLI to simulate the traffic flow, this will provide a clue where the issue is. Example:

packet-tracer input outside tcp 192.168.19.100 300 192.168.95.10 80 detailed

Or you can run system support firewall-engine-debug from the CLI, then generate real traffic from your PC, this will confirm which ACP rule the traffic matches.

0 Helpful

Markflan
Level 1
Level 1
In response to Rob Ingram

‎09-30-2023 05:49 AM

its is indeed 

Markflan_0-1696075786574.png

 

stuck at first hurdle 

Markflan_1-1696078147182.png

 

 

0 Helpful

Rob Ingram
VIP
VIP
In response to Markflan

‎09-30-2023 05:54 AM

@Markflan use SSH with putty and what about running that other command I previously suggested?

0 Helpful
Customers Also Viewed These Support Documents