topic Re: FTD 1120 Remote Access VPN issue in Network Security

FTD 1120 Remote Access VPN issue

d-satbir — Wed, 30 Apr 2025 03:43:32 GMT

I've setup Remote Access VPN on FTD 1120 using FDM method. I've used the following link to configure the firewall.

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

The issue I'm experiencing is that I can't ping the firewall's wan interface from outside of network and also I can't connect to the VPN.

WAN connection from ISP is directly connected to the FTD and I've configured the static IP address on the outside interface. I've also configured the DNS entry for the VPN on GoDaddy DNS page.

I'm not sure if I'm missing anything here.

Re: FTD 1120 Remote Access VPN issue

Rob Ingram — Wed, 30 Apr 2025 05:50:04 GMT

@d-satbir you should be able to ping the FTD's interface as default. Is there a device in front of the FTD that could block ICMP or SSL/IPSec?

Can you ping from the FTD CLI to the internet?

Is routing setup correctly via the outside interface?

Can you access the internet through the FTD or is this a dedicated VPN concentrator?

Re: FTD 1120 Remote Access VPN issue

MHM Cisco World — Wed, 30 Apr 2025 06:00:21 GMT

RA VPN need mandetory ftd cert., do you have one?

MHM

Re: FTD 1120 Remote Access VPN issue

d-satbir — Fri, 02 May 2025 00:09:35 GMT

Is there a device in front of the FTD that could block ICMP or SSL/IPSec?

- Just Comcast modem.

Can you ping from the FTD CLI to the internet?

- Yes I can ping the ISP connection from the FTD CLI.

Is routing setup correctly via the outside interface?

- I've setup default route pointing to ISP.

Can you access the internet through the FTD or is this a dedicated VPN concentrator?

- I can access internet through FTD. The FTD is acting as the gateway for the internal network and also Remote access VPN.

V/R,

Re: FTD 1120 Remote Access VPN issue

d-satbir — Fri, 02 May 2025 00:10:23 GMT

Yes I've setup self signed cert.

V/R,

Re: FTD 1120 Remote Access VPN issue

d-satbir — Mon, 02 Jun 2025 23:51:52 GMT

I still haven't been able to figure out this issue and was hoping that someone out there has come across this.

I would appreciate ton if anyone could help and give me some clues.

Thank You.

Regards,

Re: FTD 1120 Remote Access VPN issue

Aref Alsouqi — Tue, 03 Jun 2025 09:05:46 GMT

Could you please share initially the sanitized output of the following commands from the FTD CLI?

show asp table socket
show run webvpn

Also, do you happen to have any inbound rules on this firewall? the issue could also be related to a one-to-one NAT rule that translates all the traffic hitting the FTD outside interface to something in the inside network.

Re: FTD 1120 Remote Access VPN issue

d-satbir — Mon, 13 Oct 2025 16:51:17 GMT

Hello,

The output of the commands you listed above:

Protocol Socket State Local Address Foreign Address
SSL 000052f8 LISTEN XXX.XXX.XXX.XXX:443 0.0.0.0:*
DTLS 008037f8 LISTEN XXX.XXX.XXX.XXX:443 0.0.0.0:*

> show running-config webvpn
webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnpkgs/cisco-secure-client-win-5.1.7.80-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnpkgs/cisco-secure-client-macos-5.1.7.80-webdeploy-k9.pkg 3
anyconnect profiles <name> disk0:/anyconncprofs/<profile>.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
>

I didn't have the inbound rules on the firewall and neither the one to one NAT rule.

Can someone assist with how the ACL rule and NAT rule should be configured?

Thank You.

Re: FTD 1120 Remote Access VPN issue

Aref Alsouqi — Mon, 03 Nov 2025 14:07:19 GMT

So far I can't see any issue from the output you shared. The firewall seems to be listening on port 443/udp and 443/tcp. My recommendation for the next step would be to try to run some packet capture while you're trying to connect with the VPN.

capture PACKCAP interface outside match tcp any host < the outside interface public IP > eq 443

capture PACKCAP interface outside match udp any host < the outside interface public IP > eq 443

show cap PACKCAP

Once you finish remove the capture with the command:

no cap PACKCAP