Remote-access Guide

fdm remote access

by Tillman Bednar II Published 3 years ago Updated 2 years ago
You can use the FDM to configure remote access VPN over SSL using the AnyConnect Client software. When the AnyConnect Client negotiates an SSL VPN connection with the FTD device, it connects using Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS).

Full Answer

How to set up remote access VPN on FDM?

Go through the Remote Access VPN Wizard on FDM as shown in the image. Create a connection profile and start the configuration as shown in the image. Select the authentication methods as shown in the image.

How do I access the FDM from the LAN?

The FDM is reachable on the 192.168.200.1 from devices on the LAN, but not from the main office network. The Management interface is configured with 192.168.45.45, and “Use the Data interfaces as the gateway”. Nothing is plugged into the physical management port on the FDM.

Can I configure firepower Device Manager access and AnyConnect remote access SSL VPN?

You cannot configure both Firepower Device Manager access (HTTPS access in the management access list) and AnyConnect remote access SSL VPN on the same interface for the same TCP port. For example, if you configure remote access SSL VPN on the outside interface, you cannot also open the outside interface for HTTPS connections on port 443.
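The restriction above can be checked before deployment. The following is an added example, not Cisco code and not FDM's API: the `MgmtAccessRule` and `RaVpnListener` classes and the sample plan are hypothetical, constructed only to model "same interface, same TCP port".

```python
# Added example: hypothetical data model, not FDM's API or export format.
from dataclasses import dataclass

@dataclass(frozen=True)
class MgmtAccessRule:
    interface: str   # data interface named in the management access list
    protocol: str    # "HTTPS" or "SSH"
    port: int        # TCP port the management service listens on

@dataclass(frozen=True)
class RaVpnListener:
    interface: str   # interface accepting AnyConnect SSL VPN connections
    port: int        # TCP port used for the SSL VPN

def find_port_conflicts(mgmt_rules, vpn_listeners):
    """Return sorted (interface, port) pairs claimed by both HTTPS management and RA VPN."""
    vpn_claims = {(v.interface, v.port) for v in vpn_listeners}
    conflicts = set()
    for rule in mgmt_rules:
        if rule.protocol.upper() != "HTTPS":
            continue  # the restriction concerns HTTPS management access only
        key = (rule.interface, rule.port)
        if key in vpn_claims:
            conflicts.add(key)
    return sorted(conflicts)

# Constructed plan for illustration.
PLAN_MGMT = [
    MgmtAccessRule("inside", "HTTPS", 443),    # different interface: no conflict
    MgmtAccessRule("outside", "HTTPS", 443),   # same interface and port as the VPN
    MgmtAccessRule("outside", "SSH", 22),      # not HTTPS: ignored
]
PLAN_VPN = [RaVpnListener("outside", 443)]

if __name__ == "__main__":
    for iface, port in find_port_conflicts(PLAN_MGMT, PLAN_VPN):
        print(f"conflict: HTTPS management and RA VPN both on {iface} tcp/{port}")
```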

Can't configure FTD via FDM for AnyConnect clients?

Unable to configure FTD via FDM for Anyconnect clients to connect to the external interface while management is opened via the same interface. This is a known limitation of FDM. Enhancement request CSCvm76499 has been filed for this issue. Cisco recommends that you have knowledge of RA VPN configuration on FDM.

Remote Access VPN Overview

You can use Firepower Device Manager to configure remote access VPN over SSL using the AnyConnect client software.

Licensing Requirements for Remote Access VPN

Your base device license must meet export requirements before you can configure remote access VPN. When you register the device, you must do so with a Smart Software Manager account that is enabled for export-controlled features. You also cannot configure the feature using the evaluation license.

Guidelines and Limitations for Remote Access VPN

Please keep the following guidelines and limitations in mind when configuring RA VPN.

Configuring Remote Access VPN

To enable remote access VPN for your clients, you need to configure a number of separate items. The following procedure provides the end to end process.

Managing the Remote Access VPN Configuration

Remote access VPN connection profiles define the characteristics that allow external users to make a VPN connection to the system using the AnyConnect client.

Monitoring Remote Access VPN

To monitor and troubleshoot remote access VPN connections, open the CLI console or log into the device CLI and use the following commands.

Troubleshooting Remote Access VPNs

Remote access VPN connection issues can originate in the client or in the Firepower Threat Defense device configuration. The following topics cover the main troubleshooting problems you might encounter.

How many devices can FMCv 300 manage?

We introduced the FMCv 300, a larger Firepower Management Center Virtual for VMware. It can manage up to 300 devices, compared to 25 devices for other FMCv instances.

Is ASA 5505 managed locally?

And no, it's managed locally. I have, oddly enough, an ASA 5505 running a site-to-site VPN near my test FTD device, and if I change the mgmt interface IP to that subnet and directly connect the mgmt interface to that other 5505 I can get in and FDM works great. I just need to get FDM working on the FTD itself over the site-to-site VPN, or over the outside interface. Can you help with that piece?

Does FMC have a dedicated management interface?

FMC has to manage the FTD device via a dedicated management interface. The outside data path interface cannot do dual-duty in that respect.

Is MGMT a gateway?

I have a working solution to meet our needs for this. MGMT interface is using the data interface as the gateway. Then I just go to the LAN IP address and I'm able to manage the device. This is better than over public, I think. Then once a site-to-site VPN is established, it works to connect via the inside LAN interface IP, instead of what is deemed the MGMT IP.

Can you connect to a MGMT IP?

Because you have it set up to use the "data interface as the gateway", you won't connect to the MGMT IP for web mgmt, but instead to the LAN IP you have configured, either through the bridge interface IP that comes out of the box or, if you removed that, the static IP assigned to an individual LAN interface.

Is Cisco Secure a partner of IBM?

This month, we're excited to bring awareness to a newly formed partnership between Cisco Secure and IBM. Securing today's dynamic enterprise applications is critical. With hybrid and multi-cloud adoption, traditional network-based security ran into limita...

How to view VPN configuration?

Click Device, then click View Configuration in the Site-to-Site VPN group.

How to use a VPN on a computer?

Step 1. Using a web browser, open https://ravpn-address, where ravpn-address is the IP address or hostname of the outside interface on which you are allowing VPN connections. You identify this interface when you configure the remote access VPN. The system prompts the user to log in. Step 2.

What is DTLS in Firepower Threat Defense?

When the AnyConnect client negotiates an SSL VPN connection with the Firepower Threat Defense device, it connects using Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS). DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. The client and Firepower Threat Defense device negotiate the TLS/DTLS version to use. DTLS is used if the client supports it.

How to complete a VPN connection?

To complete a VPN connection, your users must install the AnyConnect client software. You can use your existing software distribution methods to install the software directly. Or, you can have users install the AnyConnect client directly from the Firepower Threat Defense device.

What is AnyConnect client profile?

AnyConnect client profiles are downloaded to clients along with the AnyConnect client software. These profiles define many client-related options, such as auto connect on startup and auto reconnect, and whether the end user is allowed to change the option from the AnyConnect client preferences and advanced settings.

How long is a VPN idle?

Idle Timeout —The length of time, in minutes, that the VPN connection can be idle before it is automatically closed, from 1-35791394. The default is 30 minutes. Browser Proxy During VPN Sessions —Whether proxies are used during a VPN session for Internet Explorer web browsers on Windows client devices.

What does it mean when you use data interfaces as a gateway?

If you use the data interfaces as a gateway for the virtual management interface, this configuration also enables usage of the directory for identity policies. If you do not use data-interfaces as the management gateway, ensure that there is a route from the management network to the inside network that participates in the site-to-site VPN connection.

Why leave IP address off of FTD?

Note: The benefit of leaving the IP address off of the diagnostic interface is that you can place the management interface on the same network as any other data interface. If you configure the diagnostic interface, its IP address must be on the same network as the management IP address, and it counts as a regular interface that cannot be on the same network as any other data interfaces. Because the management interface requires internet access for updates, putting the management interface on the same network as an inside FTD interface means you can deploy the FTD with only a switch on the LAN and point the inside interface as the default gateway for the management interface (this applies only when the FTD is deployed in routed mode).
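The two diagnostic-interface rules in the note above can be checked against an addressing plan before it is applied. This is an added example, not Cisco code: the function name `check_addressing`, the rule labels and the sample addresses are constructed for illustration.

```python
import ipaddress

def check_addressing(management, data_interfaces, diagnostic=None):
    """Check a planned FTD addressing scheme against the two diagnostic rules.

    management, diagnostic: "address/prefix" strings; diagnostic=None means
    the diagnostic interface is left without an IP address.
    data_interfaces: dict mapping interface name -> "address/prefix".
    Returns a list of (rule, detail) tuples; an empty list means no violation.
    """
    if diagnostic is None:
        # No diagnostic IP: management may share a network with a data interface.
        return []
    mgmt_net = ipaddress.ip_interface(management).network
    diag_net = ipaddress.ip_interface(diagnostic).network
    problems = []
    if diag_net != mgmt_net:
        problems.append(("diagnostic-off-management-network",
                         f"{diag_net} is not the management network {mgmt_net}"))
    for name in sorted(data_interfaces):
        data_net = ipaddress.ip_interface(data_interfaces[name]).network
        # overlaps() is only defined for networks of the same IP version
        if data_net.version == diag_net.version and diag_net.overlaps(data_net):
            problems.append(("diagnostic-shares-data-network",
                             f"{diag_net} overlaps {name} ({data_net})"))
    return problems

# Constructed addressing plan (not taken from a real device).
DATA = {"inside": "192.168.1.1/24", "outside": "203.0.113.2/30"}

if __name__ == "__main__":
    plans = {
        "no diagnostic IP": None,
        "diagnostic on inside network": "192.168.1.6/24",
        "diagnostic on unrelated network": "10.0.0.6/24",
    }
    for label, diag in plans.items():
        result = check_addressing("192.168.1.5/24", DATA, diag)
        print(label, "->", result or "ok")
```

With the management interface on the inside network, the plan passes only when the diagnostic interface has no IP address, which is the benefit the note describes.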

What is FTD in firepower?

The FTD can be installed in a Firepower 2100 appliance. The Firepower chassis runs its own operating system called FXOS (Firepower eXtensible Operating System) to control basic operations of the device, while the FTD logical device is installed on a module/blade.

What is the default configuration for Firepower 2100?

The default configuration assumes that certain Firepower 2100 interfaces are used for the inside and outside networks. Initial configuration will be easier to complete if you connect network cables to the interfaces based on these expectations. To cable the Firepower 2100 series, see the next image.

Can you use FDM and FMC on Firepower 2100?

Note: You cannot use both the FDM and FMC to manage an FTD installed in a Firepower 2100. Once the FDM On-Box management is enabled on the Firepower 2100 FTD, it won't be possible to use an FMC to manage the FTD, unless you disable the local management and re-configure the management to use an FMC. On the other hand, register the FTD ...

What does ISE do once authentication is successful?

Once authentication is successful ISE sends a Permit packet for authentication and authorization information to FDM.

Does ISE differentiate a Radius request?

A: ISE doesn’t differentiate a RADIUS request for Admin vs. RAVPN users. FDM looks at the cisco-avpair attribute to figure out authorization for Admin access. ISE sends all the attributes configured for the user in both cases.

What port is allowed in the middle of a firewall?

If a firewall is in the middle, verify that ports 1812-1813 are permitted.

Can you try local auth even if you get Access reject or no response?

A: You can try LOCAL auth even if you get Access reject or no response, if you have local auth configured second.

Where are both user sessions shown?

A: Both users' sessions are shown in the active user sessions page with the same name. Each entry shows an individual value for the time stamp.

Where are the logs for NGFW?

All the logs related to this feature can be found in /var/log/cisco/ngfw-onbox.log

Can Identity Store be changed to AD?

Note: Identity Store can be changed to AD store if ISE is joined to an Active Directory.

What is FDM in a file?

With FDM you can easily organize downloaded files by their type, placing them in predefined folders. A smart scheduler allows you to start and pause downloading files, as well as perform other actions (launch other applications, establish or hang up connection, etc.) at the set time.

What is Free Download Manager?

Free Download Manager splits files into several sections and downloads them simultaneously, allowing you to use any type of connection at the maximum available speed. With FDM download speed increases, or even more!

Can you read what other community members say about the file you are going to download?

You can read what other community members say about the file you are going to download, right in the program window, and also leave your own opinion about the file you downloaded. In this way FDM users are always warned against useless or malicious files.

Problem

In this article I will focus on ‘Remote Access’ VPN, which for Cisco FTD means using the AnyConnect client. I’ve spent years deploying this solution for ASA so it’s a product I know well. As with all things Cisco, there are a couple of things that could trip you up. Let’s get them out of the way first.

Solution

If you haven’t already done so, enable the Remote Access VPN licence > Smart Licence > Fire Configuration > RA VPN License > Enable > Change to licence type (mine’s Apex). Have a coffee and recheck everything is licensed OK.

Cisco FTD Create User (via FDM)

You will need a username and password to authenticate (skip this as you are not using the FTD’s internal user database.) Objects > Users > Add > Supply a username and password > OK
