Firepower IPSEC VPN tunnel issues with Remote ACL

When you work with Cisco Firepower firewall systems, you may come across issues related to ACLs. What happens is Firepower systems drop any remote traffic even if the correct ACLs are in place. To resolve this issue a workaround can be applied. 

The parameter is sysopt connection permit-vpn can be enabled. On ASA systems, this is enabled by default. But not on firepower systems. We will look at how we can enable this parameter on Firepower Device Manager (FDM).

Go to FDM GUI > Device > Advanced Configuration > View Configuration

Click on FlexConfig Objects and click on the ‘+’ icon to create a new FlexConfig object, give it a name

Click on the ‘+’ icon for the ‘Variables’ section. Give the variable any name, and select ‘string’ as its type. Enter ‘sysopt’ (without quotes) as the value, and click ok.

In the template section, type {{vpnSysVar}} connection permit-vpn

Go to Flexconfig policy and add the newly created Flexconfig object. 

Finally, Save and deploy the changes. 

 

Author: Chathura Ariyadasa

A highly talented IT professional with extensive experience and capabilities in performing a variety of IT Security, Computer Networking and IT Help Desk duties and responsibilities in the IT Department.