
AnyConnect to connect to Firepower inside interface

AD05512
Level 1

Firepower 1120 -- Software 6.4.0-102

 

Unable to reach FPR inside interface through AnyConnect VPN.

 

I can reach the internal network 192.168.1.xxx and all devices on it, except FPR inside interface 192.168.1.254

I cannot ping it or access it via SSH or HTTPS.

 

Without vpn connection I can access 192.168.1.254 via SSH and HTTPS and can also ping it from internal LAN

This creates a dilemma as i cannot manage the FPR remotely

 

10 Replies

Hi,
It's the same command used on the ASA. You will need to apply the command management-access inside - where "inside" is the nameif of your inside interface you are connecting to via SSH/HTTPS over the VPN.

You have to configure this using FlexConfig.

HTH

Thank you for the management-access inside suggestion.

I am using the FDM and I cannot figure out how to do this using the FlexConfig.

Please note this is my first experience with the Firepower devices

If you are using FDM to manage FTD 6.4 then you will first need to upgrade to 6.4.0.8, as this command was not previously supported; there is a bug reference here.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq45105

 

Once you've upgraded to 6.4.0.8, on the FDM UI go to Advanced Configuration

Click FlexConfig Objects

Click + to create new object

Create object as below

[screenshot: fdm amanagement-acces.PNG]

Click Ok

Click FlexConfig Policy

From the group list, add the FlexConfig Object previously created

[screenshot: fdm amanagement-2.PNG]

Click Save

Deploy changes to FTD

 

You should now be able to manage the FTD over a VPN.

 

HTH
Hi, thanks for those detailed step-by-step instructions. Much appreciated.

 

Now I am getting the following error messages when I connect, so it seems further access may need to be granted now.

[screenshot: Mgmt Access 6.png]

[screenshot: Mgmt Access 5.png]

[screenshot: Mgmt Access 4.png]

Forgot to mention, I did upgrade to 6.4.0.8-28

OK, it was a bug in the upgraded software as to why I could connect on the VPN now.

I had to upgrade using path 6.4.0.8 > 6.5.0 > 6.5.0.4.

Now I can VPN back in successfully and I can ping the inside interface of the FPR, which I could not before, but I still cannot use HTTPS or SSH (the FlexConfig management-access inside is applied).

So wondering do I have to add anything else to the Flex Config ?

Provide a link to bug information for other people that may read this post in the future.

 

Use platform settings to define which networks can access the FTD and from which interface.

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/platform_settings_for_firepower_threat_defense.pdf

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs40531

Bug Search Tool

CSCvs40531
AnyConnect 4.8 is not working on the FPR1000 series

Description
Symptom:
The AnyConnect user is not able to connect to the FTD/ASA and the error below is displayed:

The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.
The following message was received from the secure gateway:
Other error

The bug is fixed in FTD 6.5.0.4 and 6.6.

Conditions:
Firewall is deployed on the Firepower 1000 series
AnyConnect 4.8 is being used

Affected versions:
FTD:
6.5.0.1
6.5.0.2
6.4.0.8
ASA 9.13.1.2

Workaround:
Downgrade AnyConnect to 4.7
or
Downgrade FTD/ASA to the previous version

Further Problem Description:
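The reply above separates two controls: the FlexConfig `management-access inside` makes the inside IP reachable through the tunnel (hence ping works), while the SSH and HTTPS access lists in Platform Settings still decide which source networks may manage the box on that interface. The following is an added model of that second check (not FTD code and not from this thread); the rule structure and the AnyConnect pool 10.10.10.0/24 are assumptions.

```python
"""Constructed model of the FTD Platform Settings SSH/HTTPS access check.

Not FTD code: the rule shape and the assumed VPN pool 10.10.10.0/24 are
illustrative. It shows why a VPN client can ping the inside interface
(management-access inside) yet be refused SSH/HTTPS when the management
access lists only contain the LAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class MgmtRule:
    service: str    # "ssh" or "https"
    interface: str  # nameif the management connection targets, e.g. "inside"
    network: str    # permitted source network (CIDR)


# Constructed: LAN-only management rules, the situation described in the thread.
LAN_ONLY_RULES = [
    MgmtRule("ssh", "inside", "192.168.1.0/24"),
    MgmtRule("https", "inside", "192.168.1.0/24"),
]
# Constructed: the same rules plus the assumed AnyConnect client pool.
VPN_AWARE_RULES = LAN_ONLY_RULES + [
    MgmtRule("ssh", "inside", "10.10.10.0/24"),
    MgmtRule("https", "inside", "10.10.10.0/24"),
]


def mgmt_allowed(src_ip, interface, service, rules):
    """True if a `service` connection from `src_ip` to the interface named
    `interface` matches at least one permitted source network."""
    src = ip_address(src_ip)
    return any(r.service == service and r.interface == interface
               and src in ip_network(r.network, strict=False) for r in rules)


def missing_networks(pool, interface, rules):
    """Services for which no rule on `interface` covers the whole VPN `pool`."""
    net = ip_network(pool)
    return [svc for svc in ("ssh", "https")
            if not any(r.service == svc and r.interface == interface
                       and net.subnet_of(ip_network(r.network, strict=False))
                       for r in rules)]


if __name__ == "__main__":
    client = "10.10.10.5"  # assumed AnyConnect client address
    print("SSH from VPN client, LAN-only rules:",
          mgmt_allowed(client, "inside", "ssh", LAN_ONLY_RULES))
    print("services missing VPN pool:",
          missing_networks("10.10.10.0/24", "inside", LAN_ONLY_RULES))
```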

 

Cisco TAC confirmed that "management access to the FTD through VPN is not supported, even though it is configured via FlexConfig." Below you will find the link to an enhancement request for this feature:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt73926

 

Also

 

https://community.cisco.com/t5/network-security/fdm-on-ftd-anyconnect-change-port-and-pbr/td-p/3368761

As of Nov 2018 it's not possible to change the default listening port within FDM from the default value of TCP 443. The following enhancement was filed to get this feature added, so that AnyConnect can connect to a custom port:

 

CSCvi51189  ENH: FDM should allow custom non-UDP/TCP 443 port for webvpn/AnyConnect 

Cisco TAC