05-11-2020 12:19 PM
Firepower 1120 -- Software 6.4.0-102
Unable to reach FPR inside interface through AnyConnect VPN.
I can reach the internal network 192.168.1.xxx and all devices on it, except FPR inside interface 192.168.1.254
I cannot ping it or access it via SSH or HTTPS.
Without vpn connection I can access 192.168.1.254 via SSH and HTTPS and can also ping it from internal LAN
This creates a dilemma as I cannot manage the FPR remotely.
05-11-2020 03:03 PM - edited 05-11-2020 03:09 PM
Hi,
It's the same command used on the ASA. You will need to apply the command management-access inside - where "inside" is the nameif of your inside interface you are connecting to via SSH/HTTPS over the VPN.
You have to configure this using FlexConfig.
HTH
05-12-2020 02:07 PM
Thank you for the management-access inside suggestion.
I am using the FDM and I cannot figure out how to do this using the FlexConfig.
Please note this is my first experience with the Firepower devices
05-12-2020 02:41 PM - edited 05-13-2020 08:03 AM
If you are using FDM to manage FTD 6.4 then you will first need to upgrade to 6.4.0.8, as this command was not previously supported; there is a bug reference here.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq45105
Once you've upgraded to 6.4.0.8, on the FDM UI go to Advanced Configuration
Click FlexConfig Objects
Click + to create new object
Create object as below
Click Ok
Click FlexConfig Policy
From the group list, add the FlexConfig Object previously created
Click Save
Deploy changes to FTD
You should now be able to manage the FTD over a VPN.
HTH
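Once the FlexConfig object is deployed, it is worth testing the inside address per service rather than relying on ping, since ICMP and the TCP listeners are reachable (or not) independently. The script below is an added example, not part of the original thread or a Cisco tool: it classifies a TCP connect to each management port as open, refused (a RST came back) or timeout (silently dropped), and completes a TLS handshake on 443 to confirm an HTTPS service is actually answering. The inside address 192.168.1.254 comes from the thread; the port numbers, timeouts and the local listener used for offline testing are assumptions.

```python
"""Per-service reachability check for an FTD inside interface over VPN.

Added example (not from the thread). The FTD address is the one the thread
mentions; the ports and timeouts are assumed defaults.
"""
import socket
import ssl
import threading

FTD_INSIDE = "192.168.1.254"            # inside interface from the thread (assumed management target)
SERVICES = {"ssh": 22, "https": 443}    # assumed defaults: SSH and the FDM/HTTPS listener


def check_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'error' for one TCP port.

    'refused' means a RST came back (host reachable, port closed or rejected);
    'timeout' means nothing answered at all, which is what a silent drop by an
    access rule or a missing management-access statement looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def tls_version(host: str, port: int = 443, timeout: float = 3.0):
    """Complete a TLS handshake and return the negotiated version, or None on failure.

    Verification is disabled on purpose: FDM normally serves a self-signed
    certificate, and this probe only proves that an HTTPS service answered.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


def run_checks(host: str, services=None, timeout: float = 3.0) -> dict:
    """Check every management service; add a TLS probe when https is open."""
    services = SERVICES if services is None else services
    results = {name: check_tcp(host, port, timeout) for name, port in services.items()}
    if results.get("https") == "open":
        results["tls"] = tls_version(host, services["https"], timeout) or "handshake-failed"
    return results


class Listener:
    """Accept-and-close TCP listener (constructed for offline testing only)."""

    def __init__(self, host: str = "127.0.0.1"):
        self.stop = threading.Event()
        self.sock = socket.socket()
        self.sock.bind((host, 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.close()

    def close(self):
        self.stop.set()
        self.sock.close()


def free_port(host: str = "127.0.0.1") -> int:
    """Return a port with nothing listening, to demonstrate the 'refused' result."""
    s = socket.socket()
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Real check from a VPN client; expect 'open' on both once management access works.
    for name, state in run_checks(FTD_INSIDE).items():
        print(f"{FTD_INSIDE} {name}: {state}")
```

Run it from the VPN client both before and after the FlexConfig deployment: a change from timeout to open on 22 and 443 is the result you are looking for, while refused on both with ping working usually points at the platform settings (which networks and interfaces may reach SSH/HTTPS) rather than at management-access.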
05-13-2020 11:21 AM
05-13-2020 11:24 AM
Forgot to mention, I did upgrade to 6.4.0.8-28
05-19-2020 07:25 AM
OK, it was a bug in the upgraded software as to why I could connect on the VPN now.
I had to upgrade using path 6.4.0.8 > 6.5.0 > 6.5.0.4.
Now I can VPN back in successfully and can PING the inside interface of the FPR, which I could not before, but I still cannot use HTTPS or SSH (the FlexConfig management-access inside is applied).
So I am wondering, do I have to add anything else to the FlexConfig?
05-19-2020 07:34 AM
Provide a link to bug information for other people that may read this post in the future.
Use platform settings to define which networks can access the FTD and from which interface.
05-19-2020 07:43 AM
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs40531
05-20-2020 07:27 AM
05-20-2020 07:28 AM
CISCO TAC confirmed that "management access to the FTD through VPN is not supported, even though it is configured via FlexConfig." Below you will find the link to an Enhancement request for this feature:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt73926
Also
As of Nov 2018 it's not possible to change the default listening port within FDM from the default value of TCP 443. The following enhancement was filed to get this feature added, so that AnyConnect can connect to a custom port:
CSCvi51189 ENH: FDM should allow custom non-UDP/TCP 443 port for webvpn/AnyConnect
Cisco TAC