Configure Ftd



In my previous post I gave some recommendations on why to use a VPN. Today I want to explain how to configure remote access VPN using a Cisco Firepower Threat Defense (FTD) firewall managed by Firepower Management Center (FMC).

How to configure Remote Access VPN step by step:

Now we will see how to configure an FTD device to allow AnyConnect connections and to use an internal Microsoft NPS (RADIUS) server for authenticating the users. The lab used in this guide:

  • Windows 10 client
  • Cisco virtual FTD running version 6.6.0
  • Cisco FMC running version 6.6.0


FMC configurations:


Create a new certificate for FTD

On FMC go to “Devices –> Certificates” and click on “Add Certificate”.
In the dialog that appears, select the FTD on which you want to install the certificate and the certificate enrollment object to use.
In this guide FMC acts as the internal CA, so the FTD gets a self-signed certificate; we are not using a corporate or external CA. Keep in mind that AnyConnect will warn users about an untrusted server certificate unless the signing CA is trusted by the clients, so for production you should enroll a certificate from a CA your endpoints already trust.
When the certificate has been created, the next step is to add the RADIUS server on FMC.

Add radius server on FMC

On FMC go to “Objects –> Object Management –> RADIUS Server Group –> Add RADIUS Server Group”.
I created a group called SRV-NPS-GRP that contains all my RADIUS servers. To add a server, click “+” and specify the IP address of your NPS server (the authentication port is 1812 by default).
Keep in mind that the key you enter here is a pre-shared secret: exactly the same value must be configured on the RADIUS client entry for the FTD on NPS, otherwise NPS cannot decrypt the passwords and every authentication fails.

Add pool of addresses for VPN client

On FMC go to “Objects –> Object Management –> Address Pools –> Add IPv4 Pools”.
Specify the addresses that will be assigned to VPN clients. In the “IPv4 Address Range” field you do not enter a subnet but a range of IP addresses (first address to last address), plus the mask the clients will receive. Use a range that is not in use on your LAN, because you will have to exempt it from NAT and route it later. At the end click the Save button.

Uploading AnyConnect Images

On FMC go to “Objects –> Object Management –> VPN –> AnyConnect File –> Add AnyConnect File”.
Upload the AnyConnect headend .pkg file downloaded from cisco.com (one per client OS you want to support). A client that connects to our firewall without AnyConnect, or with an obsolete version, will download this package from the FTD. Verify the downloaded file against the checksum published on cisco.com before uploading it, since every VPN user will end up installing it.

Configure Remote Access VPN

On FMC go to “Devices –> VPN –> Remote Access –> Add a new configuration”.


Give the new VPN policy a name, assign it to the firewall and click “Next”.
On the next page select the RADIUS server group you configured earlier as the authentication server and the IPv4 address pool, like the image below, then click “Next”.
On the next page choose the AnyConnect packages you want to use. If you want to support macOS clients, make sure you have uploaded a valid macOS package too.

On the next page select the interface on which SSL VPN access will be enabled (normally the outside interface) and the certificate the FTD will present when establishing the VPN tunnel.
If you enable “Bypass Access Control policy for decrypted traffic” (the sysopt connection permit-vpn setting), decrypted VPN traffic skips the Access Control policy entirely, so you cannot filter incoming VPN traffic with access rules at all. Leave it disabled if you want to restrict what VPN users can reach, and write access rules for the VPN pool instead.

At the end of the wizard you can see your remote access VPN policy on the FMC.

Configure no NAT policy

The last step on FMC is a NAT exemption: a NAT rule that keeps traffic between the LAN and the VPN client pool from being translated. Create a manual NAT rule on the inside/outside interface pair with source = LAN network and destination = VPN pool, original and translated the same (identity NAT), and enable the no-proxy-ARP and route-lookup options. Without it, an outbound dynamic PAT rule on the outside interface would translate the LAN replies and VPN clients could not reach internal hosts.

Now you can deploy the configuration to your FTD!
We still need to perform the last steps on Windows NPS before we can say we have finished configuring the remote access VPN on Cisco FTD.

Windows NPS configuration

On the Windows server install the Network Policy Server role (Network Policy and Access Services), then configure the NPS service.
In my scenario I'm limiting VPN access to users who are members of a specific Windows security group called SG_VPN. This is how you authorize who can connect via VPN and who cannot.
Add a new RADIUS client on your NPS server: right-click “RADIUS Clients” and select “New”.
In the settings specify the FTD firewall IP address (the address NPS sees the requests coming from, i.e. the FTD interface facing the NPS server) and the same pre-shared key you used previously on FMC.
As the last step, create a new network policy for authenticating the VPN users. As you can see in the image below I'm applying a condition on Windows Groups; this is how I control who can access my VPN. Make sure the policy allows the authentication method the FTD uses (PAP, under “Unencrypted authentication (PAP, SPAP)”, is what AnyConnect RADIUS authentication uses by default), otherwise NPS rejects every request even for valid users.
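To check the NPS RADIUS client entry, the shared secret and the SG_VPN network policy before the FTD deployment depends on them, here is a small RADIUS/PAP test client. It is an added example written for this post, not Cisco or Microsoft code: it builds the Access-Request the way a VPN headend does, encrypts User-Password with the shared secret exactly as RFC 2865 specifies, and verifies the Response Authenticator of the reply, which is the step that tells a wrong secret apart from a policy rejection. The server address, user name, NAS IP and secret in the usage are placeholders you must replace; `build_response` only exists to show the server side of the exchange.

```python
"""Minimal RADIUS/PAP test client (RFC 2865), standard library only.
Added example for this post; not Cisco or Microsoft code."""
import getpass
import hashlib
import os
import secrets
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_VIRTUAL = 5  # what a VPN headend reports for tunnelled users


def _attr(atype, value):
    """Type-Length-Value encoding of one RADIUS attribute (value 1..253 bytes)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    seeded with the Request Authenticator. NPS can only recover the password if it derives
    the same keystream, which is why the secret must match on both sides."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decrypt_password(blob, secret, authenticator):
    """Inverse of encrypt_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, nas_ip, identifier=None, authenticator=None):
    """Access-Request as a VPN headend sends it: User-Name, User-Password, NAS-IP-Address,
    NAS-Port-Type=Virtual. Identifier and authenticator are random unless given (for tests)."""
    ident = secrets.randbelow(256) if identifier is None else identifier
    auth = os.urandom(16) if authenticator is None else authenticator
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, auth))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side of the exchange: Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """Return the response code if the reply is authentic for this request and secret,
    otherwise None (wrong shared secret, wrong identifier, spoofed or truncated reply)."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not secrets.compare_digest(expected, response[4:20]):
        return None
    return code


def radius_auth(server, secret, username, password, nas_ip, port=1812, timeout=5.0):
    """Send one Access-Request and classify the outcome for troubleshooting."""
    req = build_access_request(username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT: NPS has no RADIUS client entry for this source IP, or UDP/1812 is blocked"
    code = verify_response(resp, req, secret)
    if code is None:
        return "BAD RESPONSE AUTHENTICATOR: shared secret on NPS and FMC differ"
    return {ACCESS_ACCEPT: "Access-Accept",
            ACCESS_REJECT: "Access-Reject (check network policy / SG_VPN membership)"}.get(code, f"code {code}")


if __name__ == "__main__":
    # Placeholders: python3 radtest.py <nps-ip> <username> <nas-ip>; secret and password are prompted.
    if len(sys.argv) != 4:
        sys.exit("usage: radtest.py <nps-ip> <username> <nas-ip>")
    shared = getpass.getpass("RADIUS shared secret: ").encode()
    print(radius_auth(sys.argv[1], shared, sys.argv[2], getpass.getpass("User password: "), sys.argv[3]))
```

NPS identifies the RADIUS client by the source IP of the packet, not by the NAS-IP-Address attribute, so to run this from a workstation you need a temporary RADIUS client entry for that workstation on NPS (remove it afterwards). A reply that verifies but comes back Access-Reject means the secret is right and the network policy is rejecting the user; a reply that fails verification almost always means the shared secrets differ. Once the FTD has been deployed, the equivalent check from the FTD CLI is `test aaa-server authentication SRV-NPS-GRP host <nps-ip> username <user> password <pw>`.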

We are at the end: launch your AnyConnect client and try to connect to your firewall.
I hope this post about how to configure remote access VPN on Cisco FTD was useful. Stay tuned on ITornAgeek for new posts!

Create an FTD Template

When creating a template, if you select all parts, the template includes every aspect of that device's configuration: its management IP address, interface configurations, policy information, and so on.

If you select only some of the parts, the custom template includes the following entities:

Template part: parts included in the custom template
  • Access Rules: access control rules and any related entities for those rules, for example objects and interfaces (with sub-interfaces).
  • NAT Rules: NAT rules and any related entities required for those NAT rules, for example objects and interfaces (with sub-interfaces).
  • Settings: system settings and any related entities required for those settings, for example objects and interfaces (with sub-interfaces).
  • Interfaces: interfaces and sub-interfaces.
  • Objects: objects and any related entities required for those objects, for example interfaces and sub-interfaces.

Use this procedure to create an FTD template:

  1. In the CDO navigation bar, click Devices & Services.
  2. Use the filter or search field to find the FTD from which you want to create the template.
  3. In the Device Actions pane on the right, click Create Template.
    The Name Template page shows the count of each part on the device, including the count of sub-interfaces, if any.
  4. Select the parts that you want to include in the template.
  5. Enter a name for your template.
  6. Click Create Template.
  7. In the Parameterize Template area, you can perform the following:
    • To parameterize an interface, hover (until you see curly braces) and click a cell corresponding to that interface.
    • To parameterize a sub-interface, expand the interface that has a sub-interface, and hover (until you see curly braces) and click a cell corresponding to that sub-interface.

You can parameterize the following attributes to enable per-device customization.

  • Logical Name
  • State
  • IP Address/Netmask

Note: These attributes only support one value per parameter.

  8. Click Continue.
  9. Review the template and any parameterizations. Click Done to create the template.

The Devices & Services page now displays the FTD template you just created.

Note: After creating a template, CDO displays in the Devices & Services pane the template part icons showing which parts are included in that template. This information also appears in the Device Details pane when you click the device or hover the mouse pointer over the icon.


The following picture shows an example of part icons indicating that the template includes 'access rules', 'NAT rules', and 'objects'.