topic ASA5506 with FTD - Remote Access IPsec? in Network Security

ASA5506 with FTD - Remote Access IPsec?

train_wreck — Fri, 21 Feb 2020 16:39:03 GMT

I am considering re-flashing my ASA5506 from ASA to FTD. I am reading that there is a license required for Remote Access VPN operation, but all documents mention SSL (or "Anyconnect"). Right now using the "traditional" ASA OS, my ASA has no problem running an IKE-based IPsec Remote Access VPN.

Does an ASA with FTD support Remote Access VPN via IPsec? If I upgrade to FTD, will I have to purchase a new license just to use this feature I'm already using? The documentation doesn't mention it, but I would find it exceptionally hard to believe it's not available.....

FirePOWER

Re: ASA5506 with FTD - Remote Access IPsec?

Abheesh Kumar — Fri, 11 Jan 2019 08:58:36 GMT

Hi,
What is the current license in ASA.
FTD supports remote access VPN not the traditional client VPN.

HTH
Abheesh

Re: ASA5506 with FTD - Remote Access IPsec?

train_wreck — Fri, 11 Jan 2019 09:00:46 GMT

The Running Activation Key feature: 2 security contexts exceed the limit on the platform, reduced to 0 security contexts.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

The flash permanent activation key is the SAME as the running permanent key.

What do you mean when you say "FTD supports remote access VPN not the traditional client VPN."..... this is unclear.

Re: ASA5506 with FTD - Remote Access IPsec?

Abheesh Kumar — Fri, 11 Jan 2019 09:45:10 GMT

Hi,

Your current license cannot be used in FTD. By default you can use 2 anyconnect license

As FTD required Smart license you need to register FTD with cisco smart license portal.

HTH

Abheesh

Re: ASA5506 with FTD - Remote Access IPsec?

train_wreck — Fri, 11 Jan 2019 09:46:00 GMT

*sigh* I'm not trying to use AnyConnect, I'm trying to use IPsec.....

Re: ASA5506 with FTD - Remote Access IPsec?

Abheesh Kumar — Fri, 11 Jan 2019 09:51:43 GMT

IPsec is the protocol you are using. For connecting you should use anyconnect or site to site VPN.
Are you using site to site VPN

Re: ASA5506 with FTD - Remote Access IPsec?

train_wreck — Fri, 11 Jan 2019 09:55:57 GMT

No, I am using the built-in IPsec client that comes with many devices/OSes (Android, iOS, OSX, Linux, etc) to connect Remote-Access style to my ASA. I would specifically like to avoid using AnyConnect.

If I'm understanding you correctly, you are saying that FTD will not support me using those built-in clients to connect to a Remote Access VPN - AnyConnect is the only option?

Re: ASA5506 with FTD - Remote Access IPsec?

Dan Eyster — Mon, 14 Jan 2019 17:34:42 GMT

You can use IPSec IKEv2 in FTD, but not IPSec IKEv1. More information here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/firepower_threat_defense_remote_access_vpns.pdf