06-06-2017 01:36 AM - edited 02-21-2020 09:18 PM
Dear All,
I am planning to change our ASA to Cisco FTD, which is the new version of Cisco ASA. We planned to build FTD at the position of the Internet connection, which needs remote VPN for staff to connect. Does FTD version 6.2.0 support remote VPN such as AnyConnect or IPsec remote VPN? It's the main concern for changing to the new firewall.
Thanks for your valued answer.
Best Regards,
Mano
06-06-2017 02:27 AM
No it does not.
FTD 6.2.1 introduced AnyConnect (SSL VPN) support for the FirePOWER 2100 series only.
We expect release 6.2.2 to come out shortly adding that support for the rest of the products that run FTD (ASA 5500-X, FirePOWER 4100 and 9300 series).
Note this initial release has numerous caveats regarding unsupported features with SSL VPN. The 6.2.1 Configuration Guide outlines them here:
http://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy
Quoting for the benefit of this thread:
The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported as its own entity, it is only used to deploy the AnyConnect Client.
The following AnyConnect features are not supported when connecting to a Firepower Threat Defense secure gateway:
Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.
All posture variants (Hostscan, Endpoint Posture Assessment, and ISE) and Dynamic Access Policies based on the client posture.
AnyConnect Customization and Localization support. The Firepower Threat Defense device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.
Custom Attributes for the Anyconnect Client are not supported on the Firepower Threat Defense. Hence all features that make use of Custom Attributes are not supported, such as: Deferred Upgrade on desktop clients and Per-App VPN on mobile clients.
Local authentication, VPN users cannot be configured on the Firepower Threat Defense secure gateway.
Local CA, the secure gateway cannot act as a Certificate Authority
Secondary or Double Authentication
Single Sign-on using SAML 2.0
TACACS, Kerberos (KCD Authentication) and RSA SDI
LDAP Authorization (LDAP Attribute Map)
Browser Proxy
RADIUS CoA
VPN Load balancing is not supported.
06-10-2017 08:31 AM
Thanks so much for your valued answer.
07-04-2017 01:31 AM
Any information (more specific than "shortly") about when release 6.2.2 will come?
Thanks in advance
08-08-2017 03:12 AM
Cisco hasn't given us a specific date. We were hoping for June, but it's now July and we're still waiting. I didn't get to Cisco Live last week (I attended Melbourne earlier this year) to pester the engineers directly, so I haven't gotten any update.
You can set up a notification on the download page for FMC and choose to get a daily, weekly or monthly email notifying you of any new software published for the product.
https://software.cisco.com/download/release.html?mdfid=286259687&release=GeoDB&relind=AVAILABLE&softwareid=286271056&rellifecycle=&reltype=latest
08-09-2017 06:54 PM
The latest info I have is that 6.2.2 is tracking for late August / early September.
01-12-2018 08:20 AM
With the latest FTD image, are any of the below AnyConnect features supported? (I checked the release notes but found nothing...)
All posture variants (Hostscan, Endpoint Posture Assessment, and ISE) and Dynamic Access Policies based on the client posture.
Local authentication, VPN users cannot be configured on the Firepower Threat Defense secure gateway.
Secondary or Double Authentication
VPN Load balancing is not supported.
02-23-2018 09:30 AM
So you're saying these features are not supported? I wish Cisco would just say what isn't supported. Client requires Dual Authentication; it sounds like 6.2.2 doesn't support dual authentication. Is this true?
02-28-2018 03:49 AM
01-12-2018 12:03 PM
Sir, please, I am Kenneth Azubuike. I want to connect to the VPN but I don't know how to create my own password
so I can access Customs ASYCUDA++ for Nigeria Customs MODBRK. Please, I need help on how to create my own password to login.
07-10-2018 06:33 AM
Can someone let me know if XML uploading is mandatory? If yes, what exactly do I need to fill in the AnyConnect Profile Editor for creating the XML file? Can someone give me an example of an XML file?
11-06-2018 08:08 AM
Why would Cisco put a product out without 2-factor authentication? This is not good.