Beginner

Problem firepower module through vpn

Good day

 

I have a site-to-site VPN and I would like to manage the Firepower module from the remote network,

but I cannot make it work.

 

Is this possible?

 

This is my configuration:

 

2 REPLIES
Collaborator

Re: Problem firepower module through vpn

Hi,

 

You should be able to connect to the module remotely. The Firepower module uses the management interface (interface Management1/1). Connect the management interface to your switch, and configure the module with an IP address and default gateway for the network you will use for management. You should then be able to connect to the module.

Thanks

John

**Please rate posts you find helpful**
Beginner

Re: Problem firepower module through vpn

I don't have a switch, so I configured an IP on interface gi0/8 and connected this interface to mgmt.

 

I added a route in the Firepower module to remote_network. My VPN is site-to-site; I have tried everything but without success.

 

Demo-Capa3# show run
: Saved

:
: Serial Number: JAD223605XV
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)27
!
hostname Demo-Capa3
enable password $sha512$5000$KFNKbtm4RMbdzTHV+B1EMQ==$GlnzgT7PSZYvvy6u551Zsw== pbkdf2
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/4
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/5
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/7
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8
nameif MGMT
security-level 100
ip address 10.10.20.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa992-27-lfbff-k8.SPA
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN
subnet 10.10.10.0 255.255.255.0
object network RED_REMOTE_FORTI
subnet 192.168.1.0 255.255.255.192
object network IP_10.10.10.200
host 10.10.10.200
object network Subred_10.10.20.0
subnet 10.10.20.0 255.255.255.0
object network SUB_REMOTE_VPN_ADMIN_SLP
subnet 172.22.1.0 255.255.255.0
object network SUB_REMOTE_VPN_DATOS_SLP
subnet 172.22.10.0 255.255.255.0
object network SUB_REMOTE_VPN_VOZ_SLP
subnet 172.22.100.0 255.255.255.0
object network RED_40
subnet 10.10.40.0 255.255.255.0
object network RED_50
subnet 10.10.50.0 255.255.255.0
object-group network SUBREDES_LOCALES_VPN
network-object object Subred_10.10.20.0
network-object object LAN
object-group service HTTP
service-object tcp-udp destination eq www
service-object tcp destination eq https
object-group network SUBREDES_REMOTAS_VPN_SLP
network-object object SUB_REMOTE_VPN_ADMIN_SLP
network-object object SUB_REMOTE_VPN_DATOS_SLP
network-object object SUB_REMOTE_VPN_VOZ_SLP
object-group network SUBREDES_LEON
network-object object LAN
network-object object RED_40
network-object object RED_50
access-list 121_list extended permit ip object-group SUBREDES_LOCALES_VPN object RED_REMOTE_FORTI
access-list OUT-IN extended permit tcp any object IP_10.10.10.200 eq www
access-list VPN-FILTER extended permit ip object RED_REMOTE_FORTI object LAN
access-list VPN-FILTER extended permit ip object RED_REMOTE_FORTI object Subred_10.10.20.0
access-list VPN-SUBREDES_TO_SLP extended permit ip object LAN object-group SUBREDES_REMOTAS_VPN_SLP
access-list TEST extended permit tcp any any eq www
access-list TEST extended permit tcp any any eq https
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu MGMT 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static LAN LAN destination static RED_REMOTE_FORTI RED_REMOTE_FORTI no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static SUBREDES_REMOTAS_VPN_SLP SUBREDES_REMOTAS_VPN_SLP no-proxy-arp route-lookup
nat (MGMT,outside) source static Subred_10.10.20.0 Subred_10.10.20.0 destination static RED_REMOTE_FORTI RED_REMOTE_FORTI route-lookup
!
object network IP_10.10.10.200
nat (inside,outside) static interface service tcp www 32000
!
nat (MGMT,outside) after-auto source dynamic Subred_10.10.20.0 interface
nat (inside,outside) after-auto source dynamic SUBREDES_LEON interface
access-group OUT-IN in interface outside
route inside 10.10.40.0 255.255.255.0 10.10.10.254 1
route inside 10.10.50.0 255.255.255.0 10.10.10.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication login-history
http server enable
http 10.10.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 MGMT
http 192.168.1.0 255.255.255.0 MGMT
http 10.10.20.0 255.255.255.0 MGMT
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal PHASE2-SLP
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map vpn_site_to_site 1 match address 121_list
crypto map vpn_site_to_site 1 set pfs
crypto map vpn_site_to_site 1 set peer 1.1.1.1
crypto map vpn_site_to_site 1 set ikev1 transform-set FirstSet
crypto map vpn_site_to_site 1 set security-association lifetime seconds 3600
crypto map vpn_site_to_site 2 match address VPN-SUBREDES_TO_SLP
crypto map vpn_site_to_site 2 set peer 2.2.2.2
crypto map vpn_site_to_site 2 set ikev2 ipsec-proposal PHASE2-SLP
crypto map vpn_site_to_site 2 set security-association lifetime seconds 3600
crypto map vpn_site_to_site interface outside
crypto ca trustpool policy
crypto ikev2 policy 20
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 84600
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.10.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.10.10.0 255.255.255.0 MGMT
ssh timeout 15
ssh version 1 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access MGMT
vpdn group Telmex request dialout pppoe
vpdn group Telmex localname xxxx@prodigy.net.mx
vpdn group Telmex ppp authentication pap
vpdn username xxxx@prodigy.net.mx password *****

dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
dhcpd option 3 ip 10.10.10.1
!
dhcpd address 10.10.10.20-10.10.10.40 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN-SITE-TO-SITE internal
group-policy VPN-SITE-TO-SITE attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username daniel password $sha512$5000$1Jn44qMFkBekjfbH/itnEA==$LsPLYbkCpL0WmzMk0K3L3w== pbkdf2 privilege 15
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map global-class
match any
class-map TEST
match access-list TEST
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class global-class
sfr fail-open
class TEST
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b3a8ed93f755d9362486ebb1137254d3
: end
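Added example, not part of the thread and not Cisco code: a small Python script that reads the lines of the posted configuration that decide whether the MGMT (Gi1/8) subnet is carried over the tunnel, and checks the two ASA-side prerequisites for that: the crypto map's match ACL (121_list) must select MGMT-to-remote as interesting traffic, and a twice-NAT identity rule on (MGMT,outside) must exempt that traffic from the after-auto dynamic PAT. It also lists management-plane settings in the same config that a defender would tighten. The config excerpt is trimmed from the posted show run; the subnets 10.10.20.0/24 and 192.168.1.0/26 are the MGMT and RED_REMOTE_FORTI values from the post. The parser handles only the constructs shown (network objects, nested network object-groups, extended ACLs, twice NAT, ssh lines) and is an assumption of this example, not a general ASA parser. What it cannot see is the module's own configuration (its management IP, gateway and route), which the poster says was set separately.

```python
import ipaddress
from collections import defaultdict

# Excerpt of the running config posted above (only the lines these checks read).
ASA_CONFIG = """\
object network LAN
subnet 10.10.10.0 255.255.255.0
object network RED_REMOTE_FORTI
subnet 192.168.1.0 255.255.255.192
object network Subred_10.10.20.0
subnet 10.10.20.0 255.255.255.0
object-group network SUBREDES_LOCALES_VPN
network-object object Subred_10.10.20.0
network-object object LAN
access-list 121_list extended permit ip object-group SUBREDES_LOCALES_VPN object RED_REMOTE_FORTI
nat (MGMT,outside) source static Subred_10.10.20.0 Subred_10.10.20.0 destination static RED_REMOTE_FORTI RED_REMOTE_FORTI route-lookup
nat (MGMT,outside) after-auto source dynamic Subred_10.10.20.0 interface
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1 2
ssh key-exchange group dh-group1-sha1
"""

SUBCOMMANDS = {"subnet", "host", "network-object", "description"}  # lines that stay in a block

def _operand(cfg, tok, i):
    # One address operand starting at tok[i] -> (list of ip_network, index after it)
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] in ("object", "object-group"):
        return _resolve(cfg, tok[i + 1]), i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2

def _resolve(cfg, name):
    # Expand an object or (nested) object-group name into ip_network values
    if name in cfg["objects"]:
        return [cfg["objects"][name]]
    return [n for m in cfg["groups"][name] for n in _operand(cfg, m, 0)[0]]

def _covers(nets, target):
    return any(target.subnet_of(n) for n in nets)

def parse_asa(text):
    """Minimal parser for the parts of an ASA 'show run' these checks need (assumption)."""
    cfg = {"objects": {}, "groups": defaultdict(list), "acls": defaultdict(list),
           "nat": [], "ssh_hosts": [], "ssh_version": [], "ssh_key-exchange": []}
    ctx = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] in ("!", ":"):
            continue
        if w[0] not in SUBCOMMANDS:
            ctx = None  # any top-level command ends the current object block
        if w[:2] == ["object", "network"]:
            ctx = ("object", w[2])
        elif w[:2] == ["object-group", "network"]:
            ctx = ("group", w[2])
        elif ctx and ctx[0] == "object" and w[0] in ("subnet", "host"):
            cfg["objects"][ctx[1]] = _operand(cfg, w, 0 if w[0] == "host" else 1)[0][0]
        elif ctx and ctx[0] == "group" and w[0] == "network-object":
            cfg["groups"][ctx[1]].append(w[1:])
        elif w[0] == "access-list" and w[2] == "extended":
            src, i = _operand(cfg, w, 5)   # tokens: access-list NAME extended ACTION PROTO SRC DST
            dst, _ = _operand(cfg, w, i)
            cfg["acls"][w[1]].append((w[3], src, dst))
        elif w[0] == "nat":
            cfg["nat"].append(w)
        elif w[0] == "ssh" and w[1] in ("version", "key-exchange"):
            cfg["ssh_" + w[1]] = w[2:]
        elif w[0] == "ssh" and w[1][0].isdigit():
            cfg["ssh_hosts"].append((ipaddress.ip_network(f"{w[1]}/{w[2]}"), w[3]))
    return cfg

def crypto_acl_covers(cfg, acl, local, remote):
    """Does the crypto map's match ACL select local -> remote as interesting traffic?"""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    return any(act == "permit" and _covers(src, local) and _covers(dst, remote)
               for act, src, dst in cfg["acls"][acl])

def nat_exempt_exists(cfg, ifaces, local, remote):
    """Is there a twice-NAT identity rule on (real,mapped) ifaces for local <-> remote?"""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    for w in cfg["nat"]:
        if w[1] != f"({ifaces})" or "source" not in w or "destination" not in w:
            continue
        s, d = w.index("source"), w.index("destination")
        if (w[s + 1] == w[d + 1] == "static" and w[s + 2] == w[s + 3] and w[d + 2] == w[d + 3]
                and _covers(_resolve(cfg, w[s + 2]), local)
                and _covers(_resolve(cfg, w[d + 2]), remote)):
            return True
    return False

def management_plane_findings(cfg):
    """Weak management-plane settings visible in the ASA config (not the module's)."""
    checks = [(any(n.prefixlen == 0 and i == "outside" for n, i in cfg["ssh_hosts"]),
               "ssh: any source address may reach the ASA SSH service on outside"),
              ("1" in cfg["ssh_version"], "ssh: protocol version 1 is enabled"),
              ("dh-group1-sha1" in cfg["ssh_key-exchange"], "ssh: key exchange dh-group1-sha1 (1024-bit group)")]
    return [msg for hit, msg in checks if hit]
```

Run against the posted config, `crypto_acl_covers(cfg, "121_list", "10.10.20.0/24", "192.168.1.0/26")` and `nat_exempt_exists(cfg, "MGMT,outside", "10.10.20.0/24", "192.168.1.0/26")` both return True, so the interesting-traffic selection and the NAT exemption for the MGMT subnet are in place on the ASA side of the tunnel; the same checks return False for a subnet the crypto ACL does not name (for example 10.10.40.0/24), which is the quickest way to spot a missing entry when a new management network is added. The three findings (SSH reachable from any source on outside, SSH version 1 enabled, 1024-bit dh-group1-sha1 key exchange) are unrelated to the symptom in the thread but are settings the ASA exposes to the Internet and worth tightening.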