08-15-2022 03:48 AM
I want to use VPN RA to access management interface with FDM on Firepower using 7.2.0.1 software. I have set up anyconnect RA and I can successfully access internal servers already, but I can't access the FDM interface... I found earlier discussions and a bug report (now marked as resolved). Is this still an issue or is this just a missing configuration?
As for details:
I am using 192.168.0.x subclass inside. VPN pool is using 10.0.0.x subclass. Management interface is connected by a cable to one of the switch interfaces and is using a dedicated 192.168.0.150 IP. I can connect to it from computers on the same network without an issue, but anyconnect clients can't.
Do I need an ACL to allow access? If so - how should I construct the rule?
08-15-2022 03:52 AM
@janslu use flexconfig to configure "management-access <inside interface>"
08-15-2022 04:41 AM
@Rob Ingram I just tried:
added a FlexConfig Object with 'management-access inside' and 'no management-access inside' commands. Saved it and deployed - no change. I can access the FDM on external interface (of course using a specific port to distinguish from VPN access) and after I connect Anyconnect VPN client I can't connect to the management interface (192.168.0.150 and the same specific port). There's just no response...
08-15-2022 04:46 AM
It depends: have you configured split tunneling?
08-15-2022 05:15 AM - edited 08-15-2022 05:17 AM
Here's the summary of my VPN config:
Thanks for looking at this. I am moving from ASA to Firepower and it's much harder than I anticipated...
08-15-2022 06:08 AM
So you run split tunnel, not tunnel-all, and you configured INSIDE only in the split tunnel?
I think you need to add the management subnet to the split ACL.
Also be sure to include the management subnet in the NAT exemption.
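As an added illustration (not from this thread and not from Cisco documentation), here is the ASA-style CLI equivalent of the three items in the advice above, using the subnets given in this thread; on FDM the split-tunnel list and the NAT exemption are set in the RA VPN connection profile and the NAT policy, and only the management-access command goes through FlexConfig. The object, ACL and group-policy names (INSIDE-NET, VPN-POOL, SPLIT-TUNNEL, RA-GP) are assumed.

```cisco
! Assumed object names; the subnets are the ones from this thread
object network INSIDE-NET
 subnet 192.168.0.0 255.255.255.0
object network VPN-POOL
 subnet 10.0.0.0 255.255.255.0
!
! Split-tunnel list: the inside network, which already contains the
! management address 192.168.0.150, is sent into the tunnel
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! NAT exemption so VPN-pool to inside traffic is not translated
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Allow management sessions that arrive through the outside (VPN)
! interface to terminate on the inside interface (FlexConfig on FDM)
management-access inside
!
! Verification: the exempt rule's hit count should rise while a
! VPN client talks to 192.168.0.0/24
show nat detail
show running-config management-access
```

If all three items are present and the FDM interface is still unreachable from the VPN pool, the remaining suspect is the platform behaviour rather than the policy configuration.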
08-15-2022 06:58 AM - edited 08-15-2022 07:00 AM
@MHM Cisco World My management is on inside. I am using 192.168.0.0/24 as an inside network. Management IP is 192.168.0.150 and management/1 port is connected by a cable to one of the switch ports inside. And it works well for computers connected to the inside (any of the 192.168.0.X subnet connected to the switch). VPN Pool is configured to use 10.0.0.0/24 subnet and after the connection is established it connects to the inside computers well, but not to the Cisco interface itself. So I can easily connect to an inside server on 192.168.0.10 but I can't get through to the 192.168.0.150 which SHOULD be a management port connected to the same switch.
I tried adding the 192.168.0.150 host to the split list (even though it should be covered by the subnet anyway) and also tried adding it to ACLs, permitting the 10.0.0.0/24 subnet to access 192.168.0.150, but it didn't help...
08-16-2022 07:32 AM
For future reference: this is a confirmed bug. It seems to be fixed in a yet unreleased upcoming version. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt73926