
275 Views | 0 Helpful | 4 Replies
Beginner

Cisco Firepower 2110 DAP configuration. VPN device flexibility.

Not sure if there is a solution out there yet. We recently purchased a 2110 for VPN S2S and RA. We don't have ISE, as it is out of our budget to house this. We are trying to see how we can control the RA computers that access our VPN. Has anyone found a workaround to allow only domain devices to connect to the RA VPN and no others, or to control device connectivity by MAC, etc.? Thanks.

4 Replies
RJI (VIP Advisor)

Re: Cisco Firepower 2110 DAP configuration. VPN device flexibility.

Hi,
You could configure the tunnel-group on the firewall to use "aaa + certificates", then only users authenticated with username/password and connecting from a computer with a certificate trusted by the firewall will be allowed to connect. Issue the certificate from a local PKI (Windows) and distribute the certificate to the computers using GPO.

HTH
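As an added example (not from this thread or from Cisco), a PowerShell check for the client side of the approach above: it confirms on a domain-joined Windows machine that the GPO-deployed machine certificate the VPN will be validated against is actually present, issued by the internal CA, within its validity period, backed by a private key, carries the Client Authentication EKU, and chains to a trusted root. The issuer name is a placeholder you would replace with your own CA's subject.

```powershell
# Added example (not from this thread): run on a domain-joined Windows client
# to confirm the machine certificate used for RA VPN certificate auth is
# present and usable. $ExpectedIssuer is a placeholder for your own CA.
$ExpectedIssuer = 'CN=CORP-ISSUING-CA'   # assumption: adjust to your Windows CA
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth EKU

function Test-VpnMachineCert {
    param(
        [string]$Issuer = $ExpectedIssuer,
        [int]$MinDaysLeft = 14             # flag certs close to expiry
    )
    $now = Get-Date
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    # Only certificates from our CA that have a private key are candidates
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -like "*$Issuer*" -and $_.HasPrivateKey
    }
    if (-not $certs) {
        return [pscustomobject]@{ Status = 'MISSING'; Thumbprint = $null;
                                  Detail = "No certificate from $Issuer with a private key" }
    }

    foreach ($c in $certs) {
        $ekuExt = $c.Extensions | Where-Object { $_ -is $ekuType }
        $hasClientAuth = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }))
        if (-not $hasClientAuth) { continue }
        if ($c.NotBefore -gt $now -or $c.NotAfter -le $now) { continue }
        if (-not $c.Verify()) {            # chain must build to a trusted root
            return [pscustomobject]@{ Status = 'UNTRUSTED'; Thumbprint = $c.Thumbprint;
                                      Detail = 'Chain does not build; check root/intermediate CA deployment' }
        }
        $daysLeft = [int]($c.NotAfter - $now).TotalDays
        $status = if ($daysLeft -lt $MinDaysLeft) { 'EXPIRING' } else { 'OK' }
        return [pscustomobject]@{ Status = $status; Thumbprint = $c.Thumbprint;
                                  Detail = "Subject $($c.Subject), $daysLeft days left" }
    }
    return [pscustomobject]@{ Status = 'NO_CLIENT_AUTH'; Thumbprint = $null;
                              Detail = 'Certificate(s) found but none currently valid with Client Authentication EKU' }
}

$result = Test-VpnMachineCert
$result | Format-List
if ($result.Status -ne 'OK') { exit 1 }   # non-zero exit for use in a GPO script or RMM job
```

Running this as a scheduled or GPO-driven script gives you an inventory of which machines would fail certificate authentication before users report it.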
Beginner

Re: Cisco Firepower 2110 DAP configuration. VPN device flexibility.

I looked into this as well, but we don't have an internal PKI infrastructure. Any other options?

Beginner

Re: Cisco Firepower 2110 DAP configuration. VPN device flexibility.

Working on standing one up now...
Hall of Fame Guru

Re: Cisco Firepower 2110 DAP configuration. VPN device flexibility.

I'm not aware of any other way to do this with the current 6.5 FTD release. It's not so hard to set up a Windows CA, but managing it can be a bit challenging.

As noted in the configuration guide, remote access VPN on FTD has limitations as follows:

The following AnyConnect features are not supported when connecting to an FTD secure gateway:

  • Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.

  • Posture variants such as Hostscan and Endpoint Posture Assessment, and any Dynamic Access Policies based on the client posture.

  • ...<snip>

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy
