Configure Ftd

Configure an Existing Physical Interface for Switch Port Mode

  1. On the Devices & Services page, click the device you want to configure interfaces for.
  2. In the Management pane on the right, click Interfaces.
  3. On the Interfaces page, select the physical interface you want to modify. In the Action Pane on the right, click the edit icon.
  4. Interfaces configured for switch port mode do not support logical names. If the interface has a logical name, delete it.
  5. Locate the Mode and use the drop-down menu to select Switch Port.
  6. Configure the physical interface for switch port mode:

  • (Optional) Check the Protected Port check box to set this switch port as protected, so you can prevent the switch port from communicating with other protected switch ports on the same VLAN.
    You might want to prevent switch ports from communicating with each other if: the devices on those switch ports are primarily accessed from other VLANs; you do not need to allow intra-VLAN access; and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other by applying this option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
  • For the Usage Type, select Access or Trunk. See Switch Port Mode Interfaces for FTD to determine which port type you need.
    • If you select Trunk, you must select one VLAN interface as the Native Trunk VLAN to forward untagged traffic and at least one Associated VLAN to forward tagged traffic. Click the icon to view the existing physical interfaces. You can select up to 20 VLAN interfaces as associated VLANs.
    • You can create a new VLAN interface set to Access mode by clicking Create new VLAN.
  7. Click Save. Confirm that you want to reset the VLAN configuration and reassign an IP address to the interface.
  8. Review and deploy the changes now, or wait and deploy multiple changes at once.

Other FTD/FMC notes:

  • Configure an intrusion policy as you did in step 9, above. Configure logging of connection events generated by the Default Action. If you subscribe to Cisco Security Analytics and Logging, you can send events generated by the default action to a Secure Event Connector (SEC) by configuring a syslog object with the SEC's IP address and port.
  • Configure IP on FTD Interface via FMC GUI: configure an IP address on the interface over which the FTD is accessible via SSH or HTTPS. Edit the existing interfaces by navigating to the Interfaces tab of the FTD. Note: on FTD devices running software version 6.0.1, the default management interface on the FTD is the diagnostic0/0 interface.
  • FTD VPN one-way VPN traffic warning: at this point, if you configure the ASA, the tunnel will come up, and if you are behind the FTD everything will work. But if you are behind the ASA and you want to talk to anything behind the FTD, it won't work.
  • Configure HTTPS on FTD from the FMC. Current hardware and software levels: 9300 FXOS = 2.2(2.17); 9300 FTD (Logical Device) = 6.2.2.81; 3500 FMC = 6.2.2 (build 81). Note: no ASA module; the Security Module is for FTD. The issue seems to be with setting up external authentication. The instructions indicate setting up external authentication through FTD.

In my previous post I gave you some recommendations on why to use a VPN. Today I want to explain to you how to configure remote access using a Cisco Firepower Threat Defense (FTD) firewall managed by Firepower Management Center (FMC).

How to configure Remote Access VPN step by step:

Configure

Now we will see how to configure an FTD device to allow AnyConnect connections, using an internal Microsoft NPS server to authenticate the users. The lab consists of:

  • Windows 10 client
  • Cisco virtual FTD running version 6.6.0
  • Cisco FMC running version 6.6.0

FMC configurations:

Create a new certificate for FTD

On FMC go to “Devices –> Certificates” and click on “Add Certificate”.
On the tab that appears, select the FTD on which you want to add the certificate and the enrollment used to issue it.
In this guide we use FMC as an internal CA, so the certificate is self-signed; we are not using a corporate CA or an external CA.
Once the certificate is created, we can go on and add our RADIUS server on FMC.

Add radius server on FMC

On FMC go to “Object –> Object Management –> Radius Server Group –> Add Radius Server”
I created an object called SRV-NPS-GRP that contains all my RADIUS servers. To add a RADIUS server, just click on “+” and specify your NPS server.
Keep in mind that the key entered when adding the new RADIUS server is a pre-shared key: the same key must be configured on the NPS RADIUS client.

Add pool of addresses for VPN client

On FMC go to “Object –> Object Management –> Address Pools –> Add IPv4 Pools”
Specify the range of addresses that will be assigned to VPN clients. In the “IPv4 Address Range” field you do not need to enter a subnet, just a range of IP addresses. Finally, click the Save button.

Uploading AnyConnect Images

On FMC go to “Object –> Object Management –> VPN –> AnyConnect File –> Add AnyConnect File”
Upload the .pkg file that you downloaded from cisco.com. A client that tries to connect to our firewall with an obsolete AnyConnect version, or without AnyConnect installed, will download our version of the software.
Configure Remote Access VPN

On FMC go to “Devices –> VPN –> Remote Access –> Add a new configuration”
Assign the new VPN policy to the firewall and then click “Next”.
In the next configuration menu, select the RADIUS group and the IPv4 address pool that you configured earlier, as in the image below. Then click “Next”.
In the next menu, choose the AnyConnect package that you want to use. If you want to enable AnyConnect for Mac, make sure you have a valid package for it.

In the next menu, select the interface on which to enable SSL VPN access and the certificate to use for establishing the VPN tunnel.
If you enable “Bypass Access Control policy for decrypted traffic”, incoming VPN traffic is not evaluated by the Access Control policy, so you cannot apply any filtering to it there.

At the end of the wizard you can see your remote access VPN profile on your FMC.

Configure no NAT policy

The last step on FMC is to configure a NAT rule that exempts traffic between the LAN and the VPN client pool from translation, so that traffic from the LAN to the VPN clients is not NATed.

Now you can deploy the configuration to your FTD!
A few last steps remain on Windows NPS before the remote access VPN on Cisco FTD is finished.

Windows NPS configuration

On the Windows server you must install the Network Policy Server role; after that you can configure the NPS service.
In my scenario I’m limiting VPN access only to users who are members of a specific Windows Security Group called SG_VPN. In this way you can authorize who can connect via VPN and who cannot.
Add a new RADIUS client on your NPS server: right-click on “Radius Clients” and select “New”.
In the settings, specify the FTD firewall's IP address and the pre-shared key used previously on FMC.
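The pre-shared key configured on FMC (RADIUS server object) and on the NPS RADIUS client must be identical because, in RADIUS, the key both hides the User-Password and authenticates the server's reply. The following Python model of that exchange is an added example, not part of the original post or of any Cisco/Microsoft code; the user name, password, keys and the Class attribute value are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (RFC 2865)

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 §5.2: each 16-byte chunk is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident: int, user: str, password: str, secret: bytes, request_auth: bytes) -> bytes:
    """What the FTD (RADIUS client) sends to NPS for an AnyConnect login."""
    attrs = attribute(1, user.encode()) + attribute(2, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """NPS side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """FTD side: recompute the Response Authenticator with its own key and compare."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def login_succeeds(ftd_key: bytes, nps_key: bytes) -> bool:
    """Simulate one exchange; True only if the FTD accepts the NPS Access-Accept."""
    request_auth = os.urandom(16)
    req = build_access_request(7, "alice", "correct-horse", ftd_key, request_auth)
    # Constructed reply: Access-Accept with a Class attribute (type 25) carrying the group name
    reply = build_response(ACCESS_ACCEPT, req, attribute(25, b"SG_VPN"), nps_key)
    return verify_response(reply, request_auth, ftd_key)
```

With mismatched keys the Access-Accept fails verification and the FTD discards it, which is why a key typo on either side shows up as a failed login rather than a clear error.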

As the last step, create a new Network Policy for authenticating the VPN users. As you can see in the image below, I’m applying a filter on Windows Groups; in this way I can control who can access my VPN.

We are at the end, so you can launch your AnyConnect client and try to connect to your firewall.

I hope that this post about how to configure remote access VPN on Cisco FTD was cool and stay tuned on ITornAgeek for new posts!!!