Cisco FTD 6.6.1 - VPN management access problem

beejrteek
Level 1

Hi Guys,

I have FTD 6.6.1 with FDM. I configured Remote Access VPN, and everything is working well except for management of the FTD.

I would like to be able to manage this device after connecting to the VPN. I configured one of the data interfaces as MGMT:

ftd1l# show nameif
Interface Name Security
Ethernet1/2.4 mgmt 0
Ethernet1/2.4 192.168.4.1

I configured the management-access command via FlexConfig:

ftd1l# sh run | i management
management-access mgmt

ftd1# sh run ssh
ssh 192.168.7.0 255.255.255.0 mgmt
ftd1# sh run http
http server enable
http 192.168.7.0 255.255.255.0 mgmt

nat (mgmt,outside) source static 192.168.4.0 192.168.4.0 destination static vpnpool vpnpool no-proxy-arp route-lookup


But I still can't access the FTD...

I also have a switch (SW) on the same subnet, 192.168.4.0, with IP 192.168.4.200, and I am able to connect to it via SSH...

What is wrong on the FTD?

Accepted Solution

beejrteek
Level 1

This is a BUG in the FDM software.

Below is the answer from the Cisco engineer:

After checking internally, I found that unfortunately it is still not supported to manage the device through AnyConnect via the inside interface; a bug has already been opened to address this issue:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt73926

Please refer to the workarounds below:

  1. Connect to an internal computer/server and then access the FTD from it; this computer/server needs to be added to the encryption domain for the VPN tunnel (such as when we SSH to the FTD from the internal switch).
  2. Manage the FDM through the outside interface. SSH/SNMP/HTTPS will be done through the outside interface.
  3. You might consider using FMC to manage the FTD, as FMC has more options and more flexibility for managing the FTD, since it is considered a separate device.
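The thread's conclusion is that the posted configuration is logically correct and the failure is a platform limitation, so the useful check before opening a case is a static one: do the `ssh`/`http` host-access lines, `management-access`, and the identity NAT rule actually cover the VPN client for the interface you are trying to reach? The Python below is an added example, not code from the thread or from Cisco. It embeds the management lines quoted in the original post as constructed input, assumes that 192.168.7.0/24 is the address range behind the `vpnpool` object (the thread never shows the object definition), and adds an assumed second config (`OUTSIDE_CONFIG`) for workaround 2, where SSH/HTTPS is served on the outside interface but only to the VPN pool. All function names are the example's own.

```python
import ipaddress

# Constructed sample: the management-related lines quoted from the original
# post's "show run" output. The thread does not show the "vpnpool" object, so
# 192.168.7.0/24 (the network in the ssh/http lines) is ASSUMED to be the
# AnyConnect address pool.
OP_CONFIG = """\
management-access mgmt
ssh 192.168.7.0 255.255.255.0 mgmt
http server enable
http 192.168.7.0 255.255.255.0 mgmt
nat (mgmt,outside) source static 192.168.4.0 192.168.4.0 destination static vpnpool vpnpool no-proxy-arp route-lookup
"""

# ASSUMED config for workaround 2 (not from the thread): serve SSH/HTTPS on the
# outside interface, restricted to the VPN pool rather than opened to 0.0.0.0/0.
OUTSIDE_CONFIG = """\
ssh 192.168.7.0 255.255.255.0 outside
http server enable
http 192.168.7.0 255.255.255.0 outside
"""


def parse_host_access(config, keyword):
    """Return [(network, nameif)] from '<ssh|http> <net> <mask> <nameif>' lines.

    Other lines starting with the keyword ('http server enable', 'ssh version 2',
    'ssh key-exchange ...') do not parse as address/mask and are skipped.
    """
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != keyword:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue
        entries.append((net, parts[3]))
    return entries


def management_access_interfaces(config):
    """Interfaces named by 'management-access <nameif>', which ASA/FTD requires
    before a non-ingress interface's own services are reachable over a VPN."""
    return {p[1] for p in (line.split() for line in config.splitlines())
            if len(p) == 2 and p[0] == "management-access"}


def has_nat_exemption(config, ifaces, src_obj, dst_obj):
    """True if an identity (twice) NAT rule keeps src_obj<->dst_obj traffic
    untranslated between the interface pair, e.g. ('mgmt', 'outside')."""
    want = ["nat", f"({ifaces[0]},{ifaces[1]})", "source", "static", src_obj, src_obj,
            "destination", "static", dst_obj, dst_obj]
    return any(line.split()[:len(want)] == want for line in config.splitlines())


def check_mgmt_access(config, protocol, client_ip, interface, via_vpn):
    """Static check: does the config allow client_ip to reach the device's own
    SSH ('ssh') or HTTPS ('http') service on `interface`?

    Returns (ok, problems). via_vpn=True adds the management-access requirement
    that applies when the client arrives through a tunnel on another interface.
    A passing result only means the config is self-consistent; it cannot detect
    a platform limitation such as the FDM bug cited in the thread.
    """
    ip = ipaddress.ip_address(client_ip)
    problems = []
    if not any(iface == interface and ip in net
               for net, iface in parse_host_access(config, protocol)):
        problems.append(f"no '{protocol} <net> <mask> {interface}' line covers {client_ip}")
    if protocol == "http" and "http server enable" not in config.splitlines():
        problems.append("'http server enable' is missing")
    if via_vpn and interface not in management_access_interfaces(config):
        problems.append(f"'management-access {interface}' is missing")
    return (not problems, problems)


if __name__ == "__main__":
    client = "192.168.7.10"  # assumed address from the VPN pool
    for proto in ("ssh", "http"):
        print("OP config, VPN client ->", proto, "on mgmt:",
              check_mgmt_access(OP_CONFIG, proto, client, "mgmt", True))
    print("NAT exemption mgmt<->vpnpool present:",
          has_nat_exemption(OP_CONFIG, ("mgmt", "outside"), "192.168.4.0", "vpnpool"))
    print("Workaround 2, VPN client -> ssh on outside:",
          check_mgmt_access(OUTSIDE_CONFIG, "ssh", client, "outside", False))
    print("Workaround 2, random Internet host -> ssh on outside:",
          check_mgmt_access(OUTSIDE_CONFIG, "ssh", "203.0.113.5", "outside", False))
```

Run against the posted lines, every check passes for a 192.168.7.x client on `mgmt`, which is the point of the accepted answer: nothing is missing from the configuration, so the remaining cause is the device itself. The same check on the workaround 2 variant shows why restricting the outside `ssh`/`http` lines to the pool matters: a client outside 192.168.7.0/24 is refused, so moving management to the outside interface does not have to mean exposing it to the Internet.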

5 Replies

Marvin Rhoads
Hall of Fame

Is the VPN configured to be either full tunnel or, if split tunnel, to include the management subnet?

Split tunnel includes the management subnet. As I mentioned, every other device in the management subnet is accessible via VPN.

beejrteek
Level 1

A BUG which is still not fixed yet... interesting.

Marvin Rhoads
Hall of Fame

Good info. Thanks for sharing the BugID.
