07-12-2023 11:00 AM
Hi Team:
I am currently deploying some FTD 1120s in redundancy mode but am having some issues with AnyConnect. Currently I am able to browse the net, but I cannot access the internal nodes that I want to reach via the tunnel. I can see my AnyConnect profile has the private network on the secure path, but I am not reaching them. Any thoughts on why this is happening? What am I configuring wrong? Also, in the FTD, shouldn't configuring RA VPN via FDM create a NAT rule in Policies > NAT? I ask because I am not seeing it.
07-12-2023 11:05 AM - edited 07-12-2023 01:07 PM
@jebanks you will need a NAT exemption rule to ensure traffic is not unintentionally translated behind the outside interface. Example:
07-12-2023 11:40 AM
@Rob Ingram Is it a bug or something that, when using the process of creating a connection profile on the FTD via FDM, it does not create the NAT exemption? Because I thought it would.
07-12-2023 11:44 AM
It's no bug.
How would FTD know your internal subnet that you want to access, so that it could automatically add the NAT?
That's why you need to add it manually.
07-12-2023 11:44 AM
@jebanks well it's certainly part of the wizard when configuring the connection profile.
Even if you don't configure the NAT exemption rule as part of the wizard, you can create a NAT rule as per the first example I provided.
07-12-2023 01:01 PM
Would this be correct for NAT exemption in FTD?
07-12-2023 01:10 PM - edited 07-12-2023 01:14 PM
@jebanks it looks incorrect. I assume "ALLOWED_ANYCO" represents the internal network, and "AnyConnect_Pool" is the RAVPN IP address pool?
In which case, change the original destination address to "AnyConnect_Pool" and change the source address of the translated packet to "ALLOWED_ANYCO".
FYI:
- The source address of the original packet is the LAN network.
- The destination address of the original packet is the RAVPN network.
- The source address of the translated packet is the LAN network.
- The destination address of the translated packet is the RAVPN network.
The source interface is inside and the destination interface is outside, which are correct in your screenshot.
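The rule described above, expressed in the ASA-style LINA syntax that an FDM-managed FTD renders under `show running-config nat`, as an added illustration that is not part of Rob's post. It assumes `ALLOWED_ANYCO` is a network object for the LAN and `AnyConnect_Pool` a network object for the RAVPN pool, as the thread implies; the object names are taken from the thread, the surrounding commands are standard FTD/ASA CLI.

```text
! Identity (exemption) NAT: LAN <-> RAVPN pool is matched and left untranslated.
! Original source = LAN, original destination = pool,
! translated source = LAN (unchanged), translated destination = pool (unchanged).
! Placed in section 1 (manual NAT before auto NAT) so it wins over any
! dynamic PAT rule that hides inside behind the outside interface.
nat (inside,outside) source static ALLOWED_ANYCO ALLOWED_ANYCO destination static AnyConnect_Pool AnyConnect_Pool no-proxy-arp route-lookup

! Verification from the FTD CLI (read-only, safe on a production box):
!   show nat                          -> exemption rule listed first, translate_hits/untranslate_hits increment when you ping
!   show running-config nat           -> confirms FDM pushed the rule in the expected position
!   show vpn-sessiondb anyconnect     -> confirms the client holds a pool address (as requested later in the thread)
```

If `show nat` shows the hit counters on the dynamic PAT rule increasing instead of on the exemption rule, the exemption is either ordered below the PAT rule or its objects do not match the pool or LAN ranges in use. The `no-proxy-arp` and `route-lookup` keywords are the ones FDM's "Do not proxy ARP" and "Perform route lookup" checkboxes correspond to; the `route-lookup` keyword is what lets the firewall forward the reply toward the VPN tunnel rather than toward the interface named in the rule.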
07-12-2023 02:15 PM
@Rob Ingram @MHM Cisco World thank you. That is what I was doing in the beginning, but I was getting an error. I had to delete it and add it back, and now it's accepted, but I still cannot ping the private addresses when I remote VPN in.
I was trying to add some ACLs to see if that was the issue, but it seems it's not. At least I know my NAT is good now.
07-12-2023 02:48 PM - edited 07-12-2023 02:49 PM
do you have valid RA licenses?
07-12-2023 02:50 PM
Yes I do. I have the Plus.
07-12-2023 02:58 PM
So in Smart License it is green/enabled.
show vpn-sessiondb anyconnect <<- share this please
07-13-2023 09:18 AM
07-13-2023 09:29 AM
That's OK, your AnyConnect is getting an IP and is active.
Now only configure two ACLs:
- inside to outside
- outside to inside
Allow internal to connect to the AnyConnect VPN, and the VPN to connect to internal.
07-13-2023 09:31 AM
Yes, I did that, but I think it's my routing and Windows firewall. I have one-way ping at the moment. Checking those now.
07-13-2023 09:33 AM
Glad this issue is finally solved.
Have a nice day, friend.
MHM