https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4188718#M1076122 <P>Hi Guys,</P><P>I have FTD 6.6.1 with FDM, I configured Remote Access VPN, and everythink working good&nbsp;except for management FTD.</P><P>I would like to be able to manage this device after VPN connection. I configured one of data interfaces as a MGMT:</P><P>ftd1l# show nameif<BR />Interface Name Security<BR />Ethernet1/2.4 mgmt 0<BR />Ethernet1/2.4 192.168.4.1</P><P>I configured management-access command via FlexConfig</P><P>ftd1l# sh run | i management<BR />management-access mgmt</P><P>&nbsp;</P><P>ftd1# sh run ssh<BR />ssh 192.168.7.0 255.255.255.0 mgmt<BR />ftd1# sh run http<BR />http server enable<BR />http 192.168.7.0 255.255.255.0 mgmt</P><P>&nbsp;</P><P>nat (mgmt,outside) source static 192.168.4.0&nbsp;192.168.4.0 destination static vpnpool vpnpool no-proxy-arp route-lookup</P><P>&nbsp;</P><P>But I still can't access to FTD....&nbsp;</P><P>I have also SW on this subnet 192.168.4.0 with IP 192.168.4.200 and I able to connect it via SSH...</P><P>What is wrong on FTD ?</P> Wed, 25 Nov 2020 14:23:07 GMT mikiNet 2020-11-25T14:23:07Z https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4188718#M1076122 <P>Hi Guys,</P><P>I have FTD 6.6.1 with FDM, I configured Remote Access VPN, and everythink working good&nbsp;except for management FTD.</P><P>I would like to be able to manage this device after VPN connection. I configured one of data interfaces as a MGMT:</P><P>ftd1l# show nameif<BR />Interface Name Security<BR />Ethernet1/2.4 mgmt 0<BR />Ethernet1/2.4 192.168.4.1</P><P>I configured management-access command via FlexConfig</P><P>ftd1l# sh run | i management<BR />management-access mgmt</P><P>&nbsp;</P><P>ftd1# sh run ssh<BR />ssh 192.168.7.0 255.255.255.0 mgmt<BR />ftd1# sh run http<BR />http server enable<BR />http 192.168.7.0 255.255.255.0 mgmt</P><P>&nbsp;</P><P>nat (mgmt,outside) source static 192.168.4.0&nbsp;192.168.4.0 destination static vpnpool vpnpool no-proxy-arp route-lookup</P><P>&nbsp;</P><P>But I still can't access to FTD....&nbsp;</P><P>I have also SW on this subnet 192.168.4.0 with IP 192.168.4.200 and I able to connect it via SSH...</P><P>What is wrong on FTD ?</P> Wed, 25 Nov 2020 14:23:07 GMT https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4188718#M1076122 mikiNet 2020-11-25T14:23:07Z https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4189230#M1076147 <P>Is the VPN configured to either be full tunnel or, if split tunnel. include the management subnet?</P> Thu, 26 Nov 2020 12:16:48 GMT https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4189230#M1076147 Marvin Rhoads 2020-11-26T12:16:48Z https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4189250#M1076153 <P>Split tunnel include the management subnet. As I mentioned, any other device in management subnet are accesible via VPN</P> Thu, 26 Nov 2020 18:20:42 GMT https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4189250#M1076153 mikiNet 2020-11-26T18:20:42Z https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4190751#M1076272 <P>This is a BUG in software FDM <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P>&nbsp;</P><P>Below answer from Cisco Engineer:</P><P>&nbsp;</P><P>After I have check internally and found that unfortunately it's still not supported to enable manage the device through AnyConnect to the inside interface, there is already a bug has been opened to address this issue:</P><P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt73926" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt73926</A></P><P>&nbsp;</P><P>Please refer the below workarounds:</P><P>&nbsp;</P><OL><LI>Connect and internal computer/server then access the FTD, and this computer/server needs to be added to the encryption domain for the VPN tunnel (such as when we SSH the FTD from the internal switch).</LI><LI>Manage the FDM through the outside interface. SSH/SNMP/HTTPS will be done through the outside interface.</LI><LI>you might consider using FMC to manage the FTD, as FMC has more options and more flexibility to manage the FTD since it's considered a separate device.</LI></OL> Mon, 30 Nov 2020 13:45:00 GMT https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4190751#M1076272 mikiNet 2020-11-30T13:45:00Z https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4190758#M1076274 <P>Good info. Thanks for sharing the BugID.</P> Mon, 30 Nov 2020 13:55:08 GMT https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4190758#M1076274 Marvin Rhoads 2020-11-30T13:55:08Z https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4785938#M1098298 <P>A BUG which is still not fixed yet... interesting. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 02 Mar 2023 13:26:27 GMT https://community.cisco.com/t5/network-security/cisco-ftd-6-6-1-vpn-management-access-problem/m-p/4785938#M1098298 Alex Ziegelschmied 2023-03-02T13:26:27Z