14315 Views, 25 Helpful, 11 Replies
Highlighted
Beginner

Cisco Anyconnect VPN on FTD Image

Dear All,

I am planning to replace our ASA with Cisco FTD, which is the new version of the Cisco ASA. We planned to build the FTD at the position of the Internet connection, which needs remote VPN for staff to connect. Does FTD version 6.2.0 support remote VPN such as AnyConnect or IPsec remote VPN? It's the main concern for changing to the new firewall.

Thanks for your valued answer.

Best Regards,

Mano

1 ACCEPTED SOLUTION

Hall of Fame Guru

No it does not.

FTD 6.2.1 introduced AnyConnect (SSL VPN) support for the FirePOWER 2100 series only.

We expect release 6.2.2 to come out shortly adding that support for the rest of the products that run FTD (ASA 5500-X, FirePOWER 4100 and 9300 series).

Note this initial release has numerous caveats regarding unsupported features with SSL VPN. The 6.2.1 Configuration Guide outlines them here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

Quoting for the benefit of this thread:

AnyConnect

The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported as its own entity, it is only used to deploy the AnyConnect Client.

The following AnyConnect features are not supported when connecting to a Firepower Threat Defense secure gateway:

  • Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.

  • All posture variants (Hostscan, Endpoint Posture Assessment, and ISE) and Dynamic Access Policies based on the client posture.

  • AnyConnect Customization and Localization support. The Firepower Threat Defense device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.

  • Custom Attributes for the Anyconnect Client are not supported on the Firepower Threat Defense. Hence all features that make use of Custom Attributes are not supported, such as: Deferred Upgrade on desktop clients and Per-App VPN on mobile clients.

  • Local authentication, VPN users cannot be configured on the Firepower Threat Defense secure gateway.

  • Local CA, the secure gateway cannot act as a Certificate Authority

  • Secondary or Double Authentication

  • Single Sign-on using SAML 2.0

  • TACACS, Kerberos (KCD Authentication) and RSA SDI

  • LDAP Authorization (LDAP Attribute Map)

  • Browser Proxy

  • RADIUS CoA

  • VPN Load balancing is not supported.


11 REPLIES

Highlighted

Thanks so much for your valued answer.

Highlighted

Any information (more specific than "shortly") about when release 6.2.2 will come out?

Thanks in advance

Highlighted

Cisco hasn't given us a specific date. We were hoping for June, but it's now July and we're still waiting. I didn't get to Cisco Live last week (I attended Melbourne earlier this year) to pester the engineers directly, so I haven't gotten any update.

You can set up a notification on the download page for FMC and choose to get a daily, weekly or monthly email notifying you of any new software published for the product.

https://software.cisco.com/download/release.html?mdfid=286259687&release=GeoDB&relind=AVAILABLE&softwareid=286271056&rellifecycle=&reltype=latest

Highlighted

The latest info I have is that 6.2.2 is tracking for late August / early September.

Highlighted

With the latest FTD image, are any of the below AnyConnect features supported (checked release notes but found nothing...):

  • All posture variants (Hostscan, Endpoint Posture Assessment, and ISE) and Dynamic Access Policies based on the client posture.

  • Local authentication, VPN users cannot be configured on the Firepower Threat Defense secure gateway.

  • Secondary or Double Authentication

  • VPN Load balancing is not supported.

Highlighted

So you're saying these features are not supported? I wish Cisco would just say what isn't supported. Client requires dual authentication; sounds like 6.2.2 doesn't support dual authentication. Is this true?

Highlighted

Please, I need a password to connect to the VPN.
Highlighted

Sir, please, I am Kenneth Azubuike. I want to connect to the VPN but I don't know how to create my own password

so I can access Customs ASYCUDA++ for Nigeria Customs MODBRK. Please, I need help on how to create my own password to log in.

Highlighted

Can someone let me know if XML uploading is mandatory? If yes, what exactly do I need to fill in the AnyConnect Profile Editor for creating the XML file? Can someone give me an example of an XML file?
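For the profile question above, the following is an added example of an AnyConnect client profile in the XML layout the AnyConnect Profile Editor produces; it is not from this thread and not from Cisco's documentation. The namespace and schema reference are written the way the editor typically emits them and should be checked against a file generated by your own editor version; the display name and `vpn.example.com` are placeholders for your own head-end. The settings chosen lean towards the conservative side (strict certificate trust on, local LAN access off) so that a client cannot be silently steered to an untrusted gateway.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example AnyConnect client profile (not from the thread above).
     Namespace/schema strings are as the Profile Editor typically writes them;
     verify against your own editor's output. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Do not start the tunnel before Windows logon unless you need it -->
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <!-- Refuse gateways whose certificate cannot be validated -->
    <StrictCertificateTrust>true</StrictCertificateTrust>
    <!-- Keep split-LAN access off so only the tunnel carries traffic -->
    <LocalLanAccess UserControllable="false">false</LocalLanAccess>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
  </ClientInitialization>
  <ServerList>
    <!-- One entry per head-end the user may pick from the client drop-down.
         HostName is the label shown; HostAddress is the FQDN actually dialled. -->
    <HostEntry>
      <HostName>Corporate VPN (placeholder)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The two settings worth keeping fixed (`UserControllable="false"`) are `StrictCertificateTrust` and `LocalLanAccess`: the first stops a user from clicking through a certificate warning to an impostor gateway, the second keeps the endpoint from bridging its local network and the corporate network while connected. Everything else in the profile is a usability choice.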

Highlighted

Why would Cisco put a product out without 2-factor?  This is not good. 
