04-03-2020 05:28 PM - last edited on 04-27-2020 09:00 AM by Hilda Arteaga
This event continues the conversation of our recent Community Ask Me Anything event "Secure Remote Workers".
Here's your chance to discuss the configuration, troubleshooting and best practices for the AnyConnect Secure Mobility Client on Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD), and its integration with other Cisco security portfolio devices and technologies such as ISE and Duo.
This session provides an opportunity to learn and ask questions about various aspects of AnyConnect implementation (using SSL and IKEv2), including (but not limited to) emergency licenses, configuration, deployment and troubleshooting of AnyConnect, which provides the security necessary to help ensure that your organization is safe and protected in such a critical situation.
To participate in this event, please use the button below to ask your questions
Ask questions from Monday, April 6 to Friday, April 17, 2020
**Helpful votes encourage participation!**
Please be sure to rate the Answers to Questions
04-11-2020 08:03 PM
The Duo free trial will give you limited features.
Contacting your reseller is a better option. They can arrange a Duo Proof of Value for qualified customers with all features enabled.
04-10-2020 09:20 PM
Hello experts,
We recently purchased Cisco FTD 2110 and 1010 for two locations in India. The FMC is in Limerick and all three are connected with site-to-site VPN. Remote access is working in Limerick using the local RADIUS server. When we try to connect to the India location through remote access, authenticating against the RADIUS server in Limerick, it says authentication failure. While troubleshooting I can see that we can ping the RADIUS server from a local machine in India, but it cannot be reached from the FTD 1010.
Looking for a solution.
Thanks
Gururajan
04-11-2020 04:38 AM
Hi Gururajan,
I need you to clarify what exactly you mean by all three connected via site-to-site. As I understand it, the FMC is the management centre device where you perform the site-to-site configuration for the other two FTDs. This is my understanding; please let me know if you mean something else.
Now when you say remote access is working in Limerick, that means accessing the FMC itself remotely is working fine.
When you are trying to access the India location, I believe you mean an AnyConnect connection and not device access, and that AnyConnect connection is failing with the error "authentication failure".
First of all, verify that the AAA server is configured correctly on the problematic FTD. We can check from the CLI, via the command
"test aaa-server" for a specific user, whether we have proper reachability to the AAA server from the FTD or not.
-
Pulkit
04-11-2020 04:54 AM
Hi Pulkit,
My FMC and RADIUS servers are located in Limerick. One FTD 2110 is in Chennai and one FTD 1010 is in Bangalore. All three are interconnected with site-to-site VPN and I can access the FMC only through the local IP (Limerick IP address).
When I tried to test AAA authentication from the Bangalore FTD CLI:
firepower# test aaa-server authentication BSB_RadiusServer host 192.168.0.198
Username: Gururajan.s
Password: ***********
INFO: Attempting Authentication test to IP address (192.168.0.198) (timeout: 32
ERROR: Authentication Server not responding: No response from server
But from a Bangalore local PC I am able to reach the RADIUS server 192.168.0.198 by ping; when I try from the FTD CLI it does not connect.
So the FTD is not able to reach the AAA server (Limerick), since it is connected via site-to-site VPN, and I am not able to connect from Bangalore.
04-11-2020 09:47 AM
Hello @Gururajansrinivasan32898
The FTD will do a route lookup to reach your RADIUS server, and the result will be that it is reachable through the outside interface where you have configured the L2L VPN. Most likely that VPN has only defined the subnets from Limerick, Chennai and Bangalore, so when the RA clients connect to Chennai and Bangalore, those FTDs will try to reach the RADIUS server sourcing the traffic from their outside IP.
What you need to do is include the outside IPs of Chennai and Bangalore in the VPN interesting traffic. On Limerick, make sure the NAT exemption from the RADIUS server to the Chennai and Bangalore IPs is in place.
Regards,
Gustavo
04-11-2020 11:30 PM
04-17-2020 04:48 AM
Hello Gustavo,
Can you please provide the document on how to enable interesting traffic on the outside interface to get the AAA server authenticated?
04-11-2020 02:04 AM
I would like to attach a script that will update the DNS entry for computers connecting via VPN.
(This will make it easier to connect remotely to offer remote help to users.)
I would like to add this script to the AnyConnect group created on the FTD (we are not using ASDM, just the Firepower instance on the ASA 5xxx series).
I am not able to find any documentation regarding adding a script on FTD to the AnyConnect profile.
Could you tell me if it is possible?
@Dinesh Moudgil @Pulkit Saxena @Jason Grudier @Gustavo Medina
04-11-2020 03:32 AM
04-11-2020 05:11 AM
Hello @PiotrB ,
As of now, logon scripts are not supported on AnyConnect connecting to an FTD device managed by FMC or FDM, because they do not support any customization.
The following AnyConnect features are not supported when connecting to an FTD secure gateway:
Secure Mobility, Network Access Manager, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.
Posture variants such as HostScan and Endpoint Posture Assessment, and any Dynamic Access Policies based on the client posture.
AnyConnect customization and localization support. The FTD device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.
04-11-2020 10:27 AM
Hi Guys,
As @jgrudier mentioned, we do not support customization yet. This is on the roadmap for 6.8. However, what is not supported is pushing the script to the clients. If you modify the XML profile and push it to the clients along with your OnConnect script to the right location, it will work. You can follow the AC admin guide for a general understanding of the feature.
@giovanni.augusto When it comes to DNS updates for DHCP, how it works is that the ASA/FTD passes in the host name (NOT the FQDN; this is an ENH for FQDN) via DHCP, and everything else is up to the DHCP server and how it communicates with the DDNS environment.
Something that can be done is to have Windows clients communicate directly with the DDNS servers for registration.
-Gustavo
04-11-2020 06:57 AM
Hi Team.
First of all, thank you very much for doing this. You guys rock :).
I have a few questions. We are running an FTD 2140 (running the FTD image and connected to FMC) and generated a CSR, which I did on the FTD.
openssl genrsa -out FTD1.key 2048
openssl req -new -key FTD1.key -out FTD1.csr
The output of the above commands has been submitted to our public CA, and I have a root CA, an identity CA and a .pem file. Now how can I use the identity certificate on the FTD?
When I give this command I get an error:
openssl pkcs12 -export -out FTD1.pfx -inkey FTD1.key -in FTD1.cer -certfile Root.cer
Kindly, could you please help here.
04-11-2020 08:00 AM - edited 04-11-2020 08:01 AM
Hello Sheraz,
Great to hear from you!
I did a quick test and the following command works for me on FTD:
openssl pkcs12 -export -out FTD1.pfx -inkey FTD1.key -in FTD1.cer
Please note I used the "Base 64 encoded" format of the ID certificate signed by the CA.
Can you please confirm what error you get when you attempt to create the .pfx certificate, and what the format of your ID certificate is?
Regards,
Dinesh Moudgil
04-11-2020 08:26 AM - edited 04-11-2020 08:34 AM
Hi Dinesh,
I get this error. No idea what I am missing here.
FTD1:~$ openssl pkcs12 -export -out FTD1.pfx -inkey FTD1.key -in FTD1.cer -certfile Root.cer
No certificate matches private key
I double checked; I have:
FTD1:~$ cat FTD1.crt
-----BEGIN CERTIFICATE-----
MIIFJjCCAw4CCQCDyDsSbw5UITANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJH
FTD1:~$ cat FTD1.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA1v91avgdvjcer+kznBdjRUGmXbqkwlNZl+sV5rMK52OgSUET
FTD1:~$ cat FTD1.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICuzCCAaMCAQAwdjELMAkGA1UEBhMCR0IxEzARBgNVBAgMCkxhbmNhc2hpcmUx
04-11-2020 08:40 AM - edited 04-11-2020 08:59 AM
Hi Sheraz,
It appears that the private key that you use in the command is not associated with the certificate you are importing.
Can you please check whether the correct files are called in the command?
You don't necessarily need to generate such a CSR on the FTD. It can be generated on any other device that supports OpenSSL.
I did a test with the CA cert included and that works on FTD as well:
openssl pkcs12 -export -out FTD2.pfx -inkey FTD1.key -in FTD1.cer -certfile CA.cer
The variables that might be different are that I am using the .cer extension and Base 64 encoding.
Regards,
Dinesh Moudgil
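The "No certificate matches private key" error above is OpenSSL's way of saying that the public key inside the file given to `-in` was not derived from the private key given to `-inkey`, so the check worth doing before any `pkcs12 -export` is to compare the public key carried by the key, the CSR and the signed certificate. The POSIX shell script below is an added example written for this thread (it is not code from the posts or from Cisco): it fingerprints the public key in each file, refuses to build the bundle when the pair does not match, and otherwise runs the same `openssl pkcs12 -export` command the posts use. The file names, the `check_pair.sh` script name and the `PFX_PASS` environment variable for the export password are assumptions; it needs only the `openssl` CLI and `awk`.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that a private key, its CSR and
# the CA-signed certificate all carry the same public key before building the
# PKCS#12 bundle. "No certificate matches private key" from "openssl pkcs12
# -export" means exactly that the public key in -in does not belong to -inkey.
# Assumptions: the openssl CLI and awk are installed; PFX_PASS holds the export
# password; file names such as FTD1.key / FTD1.cer / Root.cer are examples.

# Print the public key (PEM SubjectPublicKeyInfo) held by a key, CSR or cert file.
pubkey_pem() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -pubkey -noout ;;
    cert) openssl x509 -in "$2" -pubkey -noout ;;
    *)    return 2 ;;
  esac
}

# SHA-256 fingerprint of that public key; fails (non-zero) if the file cannot be parsed.
pubkey_digest() {
  pem=$(pubkey_pem "$1" "$2" 2>/dev/null) || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches KIND FILE KEYFILE -> exit 0 when FILE (csr or cert) was made from KEYFILE.
key_matches() {
  want=$(pubkey_digest key "$3") || return 2
  have=$(pubkey_digest "$1" "$2") || return 2
  [ "$want" = "$have" ]
}

# export_pfx KEY CERT OUT [CHAIN]: build the .pfx only if CERT really belongs to KEY.
export_pfx() {
  key=$1; cert=$2; out=$3; chain=$4
  : "${PFX_PASS:?set PFX_PASS to the export password}"
  if ! key_matches cert "$cert" "$key"; then
    echo "refusing: $cert does not contain the public key of $key" >&2
    return 1
  fi
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" -certfile "$chain" -passout env:PFX_PASS
  else
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" -passout env:PFX_PASS
  fi
}

# Usage: PFX_PASS=... sh check_pair.sh FTD1.key FTD1.cer [Root.cer]
if [ "$#" -ge 2 ]; then
  export_pfx "$1" "$2" "${1%.*}.pfx" "$3" && echo "wrote ${1%.*}.pfx"
fi
```

Run it against the key that produced the CSR and the certificate the CA returned; if the fingerprints differ, the certificate was issued for a different CSR (or the wrong file is being passed), and no combination of `-certfile` or encoding changes will make `pkcs12 -export` accept it. Passing the password through `PFX_PASS` rather than on the command line keeps it out of the shell history and process listing.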