VPN Anyconnect on FTD via FDM

jebanks
Level 1

Hi Team:

I am currently deploying some FTD 1120s in redundancy mode but am having some issues with AnyConnect. Currently I am able to browse the net but I cannot access my internal nodes that I want to access via the tunnel. I can see my AnyConnect profile has the private network on the secure path but I am not reaching them. Any thoughts why this is happening? What am I configuring wrong? Also, in the FTD, when configuring RA VPN via FDM, shouldn't it create a NAT rule in Policies > NAT? I ask because I am not seeing it.

Accepted Solution

@jebanks you will need a NAT exemption rule to ensure traffic is not unintentionally translated behind the outside interface. Example:

[image: RobIngram_0-1689192436296.png]


@Rob Ingram Is it a bug or something that when using the process of creating a connection profile on the FTD via FDM it does not create the NAT exemption? Because I thought it would.

It's no bug.

How would the FTD know your internal subnet that you want to access so that it automatically adds NAT?

That's why you need to manually add it.

@jebanks well it's certainly part of the wizard when configuring the connection profile.

[image: RobIngram_0-1689187418721.png]

Even if you don't configure the NAT exemption rule as part of the wizard, you can create a NAT rule as per the first example I provided.

Would this be correct for exempt NAT in FTD?

[image: jebanks_1-1689192067971.png]

@jebanks it looks incorrect. I assume "ALLOWED_ANYCO" represents the internal network? And "AnyConnect_Pool" is the RAVPN IP address pool.

In which case change the original destination address to "AnyConnect_Pool" and change the source address of the translated packet to "ALLOWED_ANYCO".

FYI -

- The source address of the original packet is the LAN network
- The destination address of the original packet is the RAVPN network
- The source address of the translated packet is the LAN network
- The destination address of the translated packet is the RAVPN network

The source interface is inside and the destination interface is outside, which are correct in your screenshot.
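The identity (exemption) NAT rule described above, written out in the ASA-style twice-NAT syntax that an FDM-managed FTD generates and that can be read back with `show running-config nat`. This is an added illustration, not a screenshot or config from the thread; the object names ALLOWED_ANYCO and AnyConnect_Pool are taken from the discussion, while the subnets and the test host address are constructed placeholders. On an FDM-managed FTD the rule is created in the GUI (Policies > NAT); the CLI is read-only for configuration, so these lines are for reading and verifying, not for typing in.

```cisco
! Constructed example objects: LAN network and RAVPN address pool
object network ALLOWED_ANYCO
 subnet 192.168.10.0 255.255.255.0
object network AnyConnect_Pool
 subnet 10.70.70.0 255.255.255.0
!
! Exemption rule: source and destination translate to themselves (identity NAT),
! so inside -> outside traffic destined for the VPN pool is never PATed
! behind the outside interface address.
!   original packet : src ALLOWED_ANYCO, dst AnyConnect_Pool
!   translated packet: src ALLOWED_ANYCO, dst AnyConnect_Pool
nat (inside,outside) source static ALLOWED_ANYCO ALLOWED_ANYCO destination static AnyConnect_Pool AnyConnect_Pool no-proxy-arp route-lookup
!
! Verification from the FTD CLI (read-only on FDM-managed devices):
!   show nat detail
!     -> the exemption rule should appear above any dynamic PAT rule and its
!        translate_hits / untranslate_hits counters should increase during a test
!   packet-tracer input inside icmp 192.168.10.20 8 0 10.70.70.1 detailed
!     -> the NAT phase should show the identity rule, not the outside PAT rule,
!        and the final result should be ALLOW
```

Rule order matters: manual (twice) NAT rules are evaluated top down, so the exemption must sit above any dynamic PAT rule for the same interface pair, which is why FDM places it in the "before auto NAT" section. The `no-proxy-arp` and `route-lookup` keywords stop the FTD from answering ARP for the pool on the inside segment and make it route the return traffic by its routing table rather than by the NAT interface pair.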

@Rob Ingram @MHM Cisco World thank you. That is what I was doing in the beginning but was getting an error. I had to delete it and add it back and now it's accepted, but I still cannot ping the private addresses when I remote VPN.

[image: jebanks_0-1689196439829.png]

I was trying to add some ACLs to see if that is the issue but it seems it's not. At least I know my NAT is good now.

Do you have valid RA licenses?

Yes I do. I have the Plus.

So in Smart License it is green/enabled.
show vpn-sessiondb anyconnect <<- share this please

 show vpn-sessiondb anyconnect 
 
Session Type: AnyConnect
 
Username     : jerry.ebanks           Index        : 24
Assigned IP  : 10.70.70.1             Public IP    : 190.197.19.242
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384
Bytes Tx     : 194105                 Bytes Rx     : 80113
Group Policy : DfltGrpPolicy          Tunnel Group : HRCU_ANYCONNECT
Login Time   : 14:22:09 UTC Thu Jul 13 2023
Duration     : 1h:54m:10s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 000000000001800064b00891
Security Grp : none                   Tunnel Zone  : 0

That's OK, your AnyConnect is getting an IP and is active.

Now only configure two ACLs: inside to outside, and outside to inside.

Allow internal to connect to the AnyConnect VPN, and the VPN to connect to internal.

Yes, I did that, but I think it's my routing and Windows firewall. I have one-way ping at the moment. Checking those at the moment.

Glad this issue is finally solved.

Have a nice day friend 

MHM