FTD 1120 Remote Access VPN issue

d-satbir
Level 1

I've set up Remote Access VPN on an FTD 1120 using the FDM method. I used the following link to configure the firewall.

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

The issue I'm experiencing is that I can't ping the firewall's WAN interface from outside the network, and I also can't connect to the VPN.

The WAN connection from the ISP is directly connected to the FTD, and I've configured a static IP address on the outside interface. I've also configured the DNS entry for the VPN on the GoDaddy DNS page.

I'm not sure if I'm missing anything here.

7 Replies

@d-satbir you should be able to ping the FTD's interface by default. Is there a device in front of the FTD that could block ICMP or SSL/IPSec?

Can you ping from the FTD CLI to the internet?

Is routing setup correctly via the outside interface?

Can you access the internet through the FTD or is this a dedicated VPN concentrator?

Is there a device in front of the FTD that could block ICMP or SSL/IPSec?

- Just a Comcast modem.

Can you ping from the FTD CLI to the internet?

- Yes, I can ping the ISP connection from the FTD CLI.

Is routing setup correctly via the outside interface?

- I've set up a default route pointing to the ISP.

Can you access the internet through the FTD or is this a dedicated VPN concentrator?

- I can access the internet through the FTD. The FTD is acting as the gateway for the internal network and also for the Remote Access VPN.

V/R,

S

RA VPN needs a mandatory FTD cert. Do you have one?

MHM

Yes, I've set up a self-signed cert.

V/R,

S

d-satbir
Level 1

I still haven't been able to figure out this issue and was hoping that someone out there has come across this.

I would appreciate it a ton if anyone could help and give me some clues.

Thank You.

Regards,

S

Could you please share initially the sanitized output of the following commands from the FTD CLI?

show asp table socket
show run webvpn

Also, do you happen to have any inbound rules on this firewall? The issue could also be related to a one-to-one NAT rule that translates all the traffic hitting the FTD outside interface to something in the inside network.

Hello, 

The output of the commands you listed above:

> show asp table socket
Protocol  Socket    State    Local Address         Foreign Address
SSL       000052f8  LISTEN   XXX.XXX.XXX.XXX:443   0.0.0.0:*
DTLS      008037f8  LISTEN   XXX.XXX.XXX.XXX:443   0.0.0.0:*

> show running-config webvpn
webvpn
 enable outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnpkgs/cisco-secure-client-win-5.1.7.80-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnpkgs/cisco-secure-client-macos-5.1.7.80-webdeploy-k9.pkg 3
 anyconnect profiles <name> disk0:/anyconncprofs/<profile>.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
>

I didn't have any inbound rules on the firewall, nor a one-to-one NAT rule.

Can someone assist with how the ACL rule and NAT rule should be configured? 

Thank You.
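The two checks suggested earlier in the thread (confirm from `show asp table socket` that the FTD really is listening for SSL and DTLS on the outside address, and look for a one-to-one object NAT that maps an inside host onto the whole outside interface address, which would pull inbound traffic to that address, including port 443 meant for the VPN, toward the inside host) can be scripted against saved CLI output. This is an added example, not code from the original post or from Cisco; the socket listing and the two NAT snippets are constructed samples, and the object names, addresses and interface name `outside` are assumptions.

```python
"""Offline checks against saved FTD CLI output (added example).

1. parse_asp_sockets / vpn_listeners: confirm SSL (TCP) and DTLS (UDP)
   listeners on the outside IP:443 from 'show asp table socket'.
2. interface_hijacking_nat: flag object-NAT rules of the form
   'nat (inside,outside) static interface' with no 'service' restriction,
   the one-to-one NAT pattern the thread warns about.
"""
import re

# Constructed sample modelled on the 'show asp table socket' output posted
# in the thread; 203.0.113.10 is a documentation address, not a real one.
ASP_SOCKET_OUTPUT = """\
Protocol  Socket    State    Local Address       Foreign Address
SSL       000052f8  LISTEN   203.0.113.10:443    0.0.0.0:*
DTLS      008037f8  LISTEN   203.0.113.10:443    0.0.0.0:*
TCP       00005a18  LISTEN   192.0.2.1:22        0.0.0.0:*
"""

# Constructed object-NAT snippets in ASA/FTD syntax. The first maps the
# whole outside interface address to an inside host (problematic for RA VPN
# on that interface); the second is port-restricted to TCP/80 and leaves
# 443 to the firewall itself.
NAT_CONFIG_BAD = """\
object network obj-webserver
 host 10.1.1.10
 nat (inside,outside) static interface
"""

NAT_CONFIG_OK = """\
object network obj-webserver-http
 host 10.1.1.10
 nat (inside,outside) static interface service tcp 80 80
"""


def parse_asp_sockets(text):
    """Return (protocol, state, local_ip, local_port) for each socket line."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Protocol":  # skip header/blank lines
            continue
        proto, _sock, state, local, _foreign = parts[:5]
        ip, _, port = local.rpartition(":")
        sockets.append((proto, state, ip, int(port)))
    return sockets


def vpn_listeners(text, outside_ip, port=443):
    """Report whether SSL and DTLS are in LISTEN state on outside_ip:port."""
    found = {proto for proto, state, ip, p in parse_asp_sockets(text)
             if state == "LISTEN" and ip == outside_ip and p == port}
    return {"SSL": "SSL" in found, "DTLS": "DTLS" in found}


def interface_hijacking_nat(config, outside_ifname="outside"):
    """Names of network objects whose object NAT statically maps the host to
    the outside interface address without a 'service' port restriction."""
    hits = []
    current = None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+nat \((\S+),(\S+)\) static interface(.*)$", line)
        if m and current and m.group(2) == outside_ifname and "service" not in m.group(3):
            hits.append(current)
    return hits


if __name__ == "__main__":
    print("VPN listeners on outside:", vpn_listeners(ASP_SOCKET_OUTPUT, "203.0.113.10"))
    print("Interface-hijacking NAT (bad config):", interface_hijacking_nat(NAT_CONFIG_BAD))
    print("Interface-hijacking NAT (ok config):", interface_hijacking_nat(NAT_CONFIG_OK))
```

If both listeners are present and no unrestricted `static interface` NAT is found, the FTD side looks healthy and the remaining suspects are upstream (the modem filtering ICMP/443) or DNS pointing at the wrong address; if a hit is reported, restricting that NAT to the specific service ports keeps the firewall's own 443 listener reachable.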
