Configure an Existing Physical Interface for Switch Port Mode
- On the Devices & Services page, click the device you want to configure interfaces for.
- In the Management pane on the right, click Interfaces.
- On the Interfaces page, select the physical interface you want to modify. In the Action Pane on the right, click the edit icon .
- Interfaces configured for switch port mode do not support logical names. If the interface has a logical name, delete it.
- Locate the Mode and use the drop-down menu to select Switch Port.
- Configure the physical interface for switch port mode:
Configure an intrusion policy as you did in step 9, above. Configure logging connection events generated by the Default Action. If you subscribe to Cisco Security Analytics and Logging, you can send events generated by the default action to a Secure Event Connector (SEC) by configuring a syslog object with the SEC's IP address and port. Configure IP on FTD Interface via FMC GUI. Configure an IP on the interface over which the FTD is accessible via SSH or HTTPS. Edit the interfaces which exist as you navigate to the Interfaces tab of the FTD. Note: On FTD devices running software version 6.0.1, the default management interface on the FTD is the diagnostic0/0 interface. FTD VPN One Way VPN Traffic Warning! At this point if you configure the ASA, the tunnel will come up, and if you’re behind the FTD everything will work. But If you’re behind the ASA and you want to talk to anything behind the FTD, it wont work. Configure HTTPS on FTD from the FMC Current Hardware and Software levels. 9300 FXOS = 2.2(2.17) 9300 FTD (Logical Device) = 188.8.131.52. 3500 FMC = 6.2.2 (build 81).Note. No ASA module. Security Module is for FTD. The issue seems to be with setting up exernal authentication. The instructions indicate setting up extermal authencation through FTD.
- (Optional) Check the Protected Port check box to set this switch port as protected, so you can prevent the switch port from communicating with other protected switch ports on the same VLAN.
You might want to prevent switch ports from communicating with each other if: the devices on those switch ports are primarily accessed from other VLANs; you do not need to allow intra-VLAN access; and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply this option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
- For the Usage Type, select Access or Trunk. See Switch Port Mode Interfaces for FTD to determine which port type you need.
- If you select Trunk, you must select one VLAN interface as the Native TrunkVLAN to forward untagged traffic and at least one Associated VLAN to forward tagged traffic. Click the icon to view the existing physical interfaces. You can select up to 20 VLAN interfaces as associated VLANs.
- You can create a new VLAN interface set to Access mode by clicking Create new VLAN.
- Click Save. Confirm that you want to reset the VLAN configuration and reassign an IP address to the interface.
- Review and deploy now the changes you made, or wait and deploy multiple changes at once.
In my previous post I gave you some recommendations on why use a VPN. Today I want to explain you how to configure remote access it using a Cisco Firepower Threat Defense (FTD) firewall managed by Firepower Management Center (FMC).
How to configure Remote Access VPN step by step:
Now we will see how to configure a FTD device, to allow AnyConnect connections and to use an internal Microsoft NPS server for authenticating the users.
- Windows 10 client
- Cisco virtual FTD running version 6.6.0
- Cisco FMC running version 6.6.0
Create a new certificate for FTD
On the tab that will be showed please select the FTD where you want to add the certificate and who is enrolling that certificate.
In our guide we are using FMC as internal CA, that it’s a self signed certificate. We are not using a corporate CA or an external CA.
Add radius server on FMC
Add pool of addresses for VPN client
Uploading AnyConnect Images
Configure Ftd Transparent Mode
On the next menu you need to select the interface where you have to enable the SSL VPN access and which certificate you need to use for establishing VPN tunnel.
If you enable “Bypass Access Control policy for decrypted traffic” you are not able to perform any kind of filter on Access Policy from incoming VPN traffic.
Configure no NAT policy
The last step needed on FMC is to configure a new NAT policy to avoid that the traffic from the LAN to the VPN client will be natted.
Now you are able to deploy the configuration to you FTD!
We need to perform last steps on Windows NPS before to say that we have finished to configure a remote access VPN on Cisco FTD