FDM VPN with Dual ISP

axiollc
Level 1

Wanted to ensure I have an FTD FP 1140 on FDM 6.7 configured properly for AnyConnect VPN, authenticating through an RSA server on the inside LAN @ .254 for OTP fob auth, on both outside interfaces (two separate ISP links), should one be unavailable.  We currently have an ASA 5515-X configured for the same, but the FDM config is new and I'm hoping for a review to confirm this 1140 will allow connections to the VPN through either outside interface.

 

PS the outside interfaces are shutdown because this device isn't in production yet.

 

: Hardware: FPR-1140, 5279 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (16 cores)
:
NGFW Version 6.7.0
!
hostname firepower
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
ip local pool ClientVpn 192.168.168.0-192.168.168.255 mask 255.255.255.0

 

!
interface Ethernet1/1
shutdown
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address x.x.x.130 255.255.255.240
!
interface Ethernet1/2
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1/3
nameif hotair
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
nameif outside2
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address y.y.y.195 255.255.255.248
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group Domain-Internal-DNS
name-server 192.168.0.240
name-server 192.168.0.6
domain-name Domain.internal
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
dns server-group CustomDNSServerGroup
name-server c.c.c.1
name-server c.c.c.2
object network ClientVpn
subnet 192.168.168.0 255.255.255.0
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network OutsideIPv4DefaultRoute
subnet 0.0.0.0 0.0.0.0
object network OutsideIPv4Gateway
host x.x.x.129
object network EmailFilter
host 192.168.0.252
object network Email2
host 192.168.0.7
object network |x.x.x.133
host x.x.x.133
object network Email1
host 192.168.0.241
object network DomainDNS
host 192.168.0.240
object network |x.x.x.132
host x.x.x.132
object network |x.x.x.131
host x.x.x.131
object network WebPlatform
host 192.168.2.25
object network DomainDNS2
host 192.168.0.6
object network SLAMonitorGoogleDNS
host 8.8.8.8
object network Outside2IPv4Gateway
host y.y.y.193
object network Outside2IPv4DefaultRoute
subnet 0.0.0.0 0.0.0.0
object network websantity
host a.a.a.251
object network alis_managment_1
host b.b.b.144
object network |y.y.y.197
host y.y.y.197
object network LAN
subnet 192.168.0.0 255.255.255.0
object network Hotair
subnet 192.168.2.0 255.255.255.0
object service _|NatOrigSvc_738f0cf3-324c-11eb-bc48-47090f5e2616
service tcp destination eq https
object service _|NatMappedSvc_738f0cf3-324c-11eb-bc48-47090f5e2616
service tcp destination eq https
object service _|NatOrigSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38
service tcp destination eq https
object service _|NatMappedSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38
service tcp destination eq https
object service _|NatOrigSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74
service tcp destination eq https
object service _|NatMappedSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74
service tcp destination eq https
object network PostOak
host 192.168.0.243
object network WillowOak
host 192.168.2.25
object network |y.y.y.195
host y.y.y.195
object service _|NatOrigSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9
service tcp destination eq smtp
object service _|NatMappedSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9
service tcp destination eq smtp
object-group service |acSvcg-268435457
service-object ip
object-group service |acSvcg-268435459
service-object tcp destination eq https
object-group service |acSvcg-268435460
service-object tcp destination eq https
object-group service |acSvcg-268435461
service-object tcp destination eq www
object-group service |acSvcg-268435462
service-object tcp destination eq https
object-group service |acSvcg-268435463
service-object udp destination eq domain
object-group network |acSrcNwg-268435463
network-object object DomainDNS2
network-object object DomainDNS
object-group service |acSvcg-268435458
service-object tcp destination eq smtp
object-group service |acSvcg-268435464
service-object tcp destination eq smtp
object-group service |acSvcg-268435465
service-object tcp destination eq www
service-object tcp destination eq https
object-group network NGFW-Remote-Access-VPN|natIpv4Grp
network-object object Hotair
network-object object LAN
object-group network NGFW-Remote-Access-VPN|natIpv4PoolGrp
network-object object ClientVpn
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside2 any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Https_Sanderling
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 object any-ipv4 ifc inside object Sanderling rule-id 268435459
access-list NGFW_ONBOX_ACL remark rule-id 268435460: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435460: L5 RULE: Https_Email2
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 object any-ipv4 ifc inside object Email2 rule-id 268435460
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: Http
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc inside object any-ipv4 ifc outside object any-ipv4 rule-id 268435461
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc inside object any-ipv4 ifc outside2 object any-ipv4 rule-id 268435461
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: Https
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc inside object any-ipv4 ifc outside object any-ipv4 rule-id 268435462
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc inside object any-ipv4 ifc outside2 object any-ipv4 rule-id 268435462
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Dns
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc inside object-group |acSrcNwg-268435463 ifc outside object any-ipv4 rule-id 268435463
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc inside object-group |acSrcNwg-268435463 ifc outside2 object any-ipv4 rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: Smtp_EmailFilter
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 any ifc inside object EmailFilter rule-id 268435458
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: Smtp_EmailFilter_Out
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc inside any ifc outside any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc inside any ifc outside2 any rule-id 268435464
access-list NGFW_ONBOX_ACL remark rule-id 268435465: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435465: L5 RULE: Https_Http_out
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435465 ifc inside any ifc outside any rule-id 268435465
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435465 ifc inside any ifc outside2 any rule-id 268435465
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 event-log both
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu diagnostic 1500
mtu inside 1500
mtu hotair 1500
mtu outside2 1500
mtu outside 1500
no failover
no monitor-interface hotair
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (inside,outside) source dynamic any-ipv4 interface
nat (outside,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_738f0cf3-324c-11eb-bc48-47090f5e2616 _|NatMappedSvc_738f0cf3-324c-11eb-bc48-47090f5e2616
nat (outside,outside) source static any any destination static |x.x.x.131 Email1 service _|NatOrigSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38 _|NatMappedSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38
nat (outside2,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74 _|NatMappedSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74
nat (outside2,inside) source static any any destination static any-ipv4 EmailFilter service _|NatOrigSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9 _|NatMappedSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9
!
object network any-ipv4
nat (outside,inside) static EmailFilter service tcp smtp smtp
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1 track 1
route outside2 0.0.0.0 0.0.0.0 y.y.y.193 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server RSAGroup protocol radius
aaa-server RSAGroup host 192.168.0.254
key *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
http ::/0 inside
ip-client outside ipv6
ip-client outside
ip-client outside2 ipv6
ip-client outside2
ip-client hotair ipv6
ip-client hotair
ip-client inside ipv6
ip-client inside
ip-client diagnostic ipv6
ip-client diagnostic
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 0
no sysopt connection permit-vpn
sla monitor 360158793
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 3
sla monitor schedule 360158793 life forever start-time now
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint penguin
enrollment terminal
crl configure
crypto ca trustpoint Penguin.Domain.tld
enrollment terminal
crl configure
crypto ca trustpoint DefaultInternalCertificate
enrollment terminal
keypair DefaultInternalCertificate
crl configure
crypto ca trustpool policy
crypto ca certificate chain DefaultInternalCertificate
certificate 09
308203eb 308202d3 a0030201 02020109 300d0609 2a864886 f70d0101 0b050030
quit
!
track 1 rtr 360158793 reachability
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.80-192.168.0.98 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point DefaultInternalCertificate outside
webvpn
port 6666
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnpkgs/anyconnect-win-4.7.04056-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnpkgs/anyconnect-macos-4.7.04056-webdeploy-k9.pkg 3
anyconnect profiles defaultClientProfile disk0:/anyconncprofs/defaultClientProfile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
webvpn
anyconnect ssl dtls none
anyconnect profiles value defaultClientProfile type user
group-policy VPN_Group_Policy1 internal
group-policy VPN_Group_Policy1 attributes
banner value You are connected.
dns-server value 192.168.0.240 192.168.0.6
dhcp-network-scope none
vpn-simultaneous-logins 1
vpn-idle-timeout 90
vpn-idle-timeout alert-interval 1
vpn-session-timeout 540
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-dns none
split-tunnel-all-dns disable
client-bypass-protocol disable
msie-proxy method no-modify
vlan none
address-pools none
ipv6-address-pools none
webvpn
anyconnect ssl dtls none
anyconnect mtu 1406
anyconnect ssl keepalive none
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client none
anyconnect dpd-interval gateway none
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles value defaultClientProfile type user
anyconnect ssl df-bit-ignore disable
always-on-vpn profile-setting
dynamic-access-policy-record DfltAccessPolicy
tunnel-group VPN_Profile_1 type remote-access
tunnel-group VPN_Profile_1 general-attributes
address-pool ClientVpn
authentication-server-group RSAGroup
authorization-server-group RSAGroup
accounting-server-group RSAGroup
default-group-policy VPN_Group_Policy1
tunnel-group VPN_Profile_1 webvpn-attributes
group-alias VPN_Profile_1 enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect snmp
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
app-agent heartbeat interval 1000 retry-count 3
snort preserve-connection
Cryptochecksum:1f63ee57e435112b74dc5d82e9c221e1
: end

10 Replies

@axiollc 

You don't have webvpn enabled on outside2, just outside interface.

webvpn
port 6666
enable outside

You also don't appear to have a NAT exemption rule from inside to outside2 once the ISP has failed over.

 

I assume your AnyConnect profile has the secondary ISP interface IP address or FQDN configured as a backup server?

 

HTH
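
The two gaps named in the reply above can be checked mechanically against the posted config. The script below is an added example, not code from this thread or from Cisco: it reads an ASA/FTD-style running config, finds every interface that carries a default route, and reports for each one whether `webvpn` has `enable <ifc>`, whether an identity NAT exemption exists towards that interface for the VPN pool, and (going one step further than the reply) whether a dynamic PAT rule exists towards it, since the posted config only has `nat (inside,outside) source dynamic any-ipv4 interface` for the first ISP. It also flags a primary default route with no `track`, without which the backup route never takes over. `POSTED_CONFIG` is a constructed excerpt of the lines the poster shared; `ASA_DUAL_CONFIG` is an assumed ASA-code equivalent with both interfaces covered, the kind of config the thread says FDM will not let you build but ASA code will.

```python
"""Audit an ASA/FTD-style running config for dual-ISP AnyConnect readiness.

Added example for this thread, not code from the original post or from Cisco.
POSTED_CONFIG is a constructed excerpt of the poster's config; ASA_DUAL_CONFIG
is an assumed ASA-code equivalent with webvpn, NAT exemption and dynamic PAT
present for both outside interfaces.
"""
import re
from typing import Dict, List

POSTED_CONFIG = """\
interface Ethernet1/1
 nameif outside
interface Ethernet1/2
 nameif inside
interface Ethernet1/8
 nameif outside2
ip local pool ClientVpn 192.168.168.0-192.168.168.255 mask 255.255.255.0
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (inside,outside) source dynamic any-ipv4 interface
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1 track 1
route outside2 0.0.0.0 0.0.0.0 y.y.y.193 254
sla monitor 360158793
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
track 1 rtr 360158793 reachability
webvpn
 port 6666
 enable outside
 anyconnect enable
"""

# Assumed ASA-code equivalent (not from the thread): same config plus the
# webvpn enable, NAT exemption and dynamic PAT lines for outside2.
ASA_DUAL_CONFIG = POSTED_CONFIG.replace(
    " enable outside\n", " enable outside\n enable outside2\n"
) + """\
nat (inside,outside2) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (inside,outside2) source dynamic any-ipv4 interface
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)", re.M)
# route <ifc> 0.0.0.0 0.0.0.0 <gw> <metric> [track <id>]
ROUTE_RE = re.compile(
    r"^\s*route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)(?: track (\d+))?", re.M)
# `enable <nameif>` with no other tokens only occurs under `webvpn`; the bare
# `enable` under hsts-server and `enable password ...` do not match this.
WEBVPN_ENABLE_RE = re.compile(r"^\s*enable (\S+)\s*$", re.M)
# Identity twice-NAT (real == mapped on both sides) is the exemption shape.
NAT_EXEMPT_RE = re.compile(
    r"^\s*nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4(?:\s|$)",
    re.M)
NAT_PAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\) source dynamic \S+ interface\b", re.M)


def audit(config: str) -> Dict[str, List[str]]:
    """Return {egress_ifc: [missing items]} for every interface with a default route."""
    nameifs = set(NAMEIF_RE.findall(config))
    routes = {m.group(1): (int(m.group(2)), m.group(3)) for m in ROUTE_RE.finditer(config)}
    webvpn_ifcs = {i for i in WEBVPN_ENABLE_RE.findall(config) if i in nameifs}
    exempt_to = {m.group(2) for m in NAT_EXEMPT_RE.finditer(config)}
    pat_to = {m.group(2) for m in NAT_PAT_RE.finditer(config)}
    primary = min(routes, key=lambda i: routes[i][0]) if routes else None

    report: Dict[str, List[str]] = {}
    for ifc, (_metric, track) in routes.items():
        missing: List[str] = []
        if ifc == primary and track is None:
            missing.append("primary default route is not tracked")
        if ifc not in webvpn_ifcs:
            missing.append("webvpn enable")
        if ifc not in exempt_to:
            missing.append("nat exemption inside->" + ifc)
        if ifc not in pat_to:
            missing.append("dynamic pat inside->" + ifc)
        report[ifc] = missing
    return report


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("asa-dual", ASA_DUAL_CONFIG)):
        print(name)
        for ifc, missing in audit(cfg).items():
            print("  %-9s %s" % (ifc, ", ".join(missing) or "ok"))
```

Run it against a full `show running-config` dump to get the same report; the regexes tolerate both indented and flattened (copy-pasted) configs, as the thread's own paste is. The identity-NAT match is deliberately shape-based, so port-forward rules like `source static any any destination static Email1 Email1 service ...` are seen as exemptions towards `inside`, which is harmless here because only interfaces carrying a default route are reported.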

I must review and compare our config on our existing ASA 5515, but I set this up using the FDM GUI primarily and only grabbed the CLI config for posting here.  Yes, the AnyConnect profile has an FQDN that round-robins between the two (basically two public IP DNS A records for the same FQDN); our existing ASA works for VPN connections inbound to either outside interface, yet I'm not aware of what a NAT exemption rule is, but I'll look into it.  Thank you for your feedback! 

I do not see how to add the outside2 interface to the webvpn config.  The FDM GUI doesn't seem to allow enabling more than one interface, and the CLI is sufficiently different from IOS, and I'm new to the FP 1140 in FDM mode, that I'm not sure how to enable it via SSH and CLI.  I'm researching, but please advise if you know how I can enable the second outside2 interface in the webvpn config.  Thank you in advance.

Actually it doesn't look like you can enable RAVPN on more than one interface. I've not read anywhere where it is explicitly stated that it is not supported, but in the global settings configuration you can only select one interface and it states the settings apply to all connection profiles.

 

Also it is not possible to use Flexconfig to configure the webvpn settings, as this command is blacklisted.

Thanks for checking.  Is there another way to configure VPN on this device using AnyConnect? 

This device keeps throwing curveballs.  It's supposed to be an NGFW upgrade device for a client's existing ASA 5515-X, but it didn't support failing over to a second ISP circuit with an SLA monitor as the ASA can until this recent FDM 6.7 update.  Cisco support said we can use FMC to accomplish that, though, but that requires an FMCv VM and additional licensing, which is beyond ridiculous and overkill for a single router.  

Not possible, there doesn't appear to be a workaround, so it appears you are only able to enable RAVPN on 1 outside interface when using FDM.

 

Either follow TAC's suggestion, an FMCv for 2 devices - SF-FMC-VMW-2-K9 is pretty cheap. Alternatively reimage the device to use ASA code on the FPR hardware, a backwards step though. Neither option is ideal for you.

Lovely. Nothing but unexpected surprises from this product.  Thank you so much for your input.

Can you confirm we can just use it as an ASA without using FMCv (as we do with the current 5515)?  Assuming that's true, can the FP1140 in ASA mode support IP SLA monitoring like the current ASA 5515 does (and of course supports connections inbound to the VPN on either ISP circuit as the current ASA 5515 also does)? 

Marvin Rhoads
Hall of Fame

@Rob Ingram is correct - an FTD appliance (any model) when managed by FDM (including with CDO) can only be configured with a single outside interface for Remote Access VPN. That is true as of the current latest release (6.7).

While you can run ASA image on a Firepower hardware appliance you will lose all of the NGIPS functionality. ASA image on Firepower hardware does not support adding a Firepower service module.

It does otherwise support all of the classic ASA features (including IP SLA and multiple interfaces for RA VPN) and can be managed via cli or ASDM. No FMC of any type is required (or possible).

Hi Marvin,

 

So does this issue apply to webvpn and anyconnect vpn?

 

Thank you,

 

Ronaldo