16357 Views · 25 Helpful · 11 Replies

Cisco Anyconnect VPN on FTD Image

KEOPUTMANO
Level 1

Dear All,

I am planning to replace our ASA with Cisco FTD, the new version of the Cisco ASA. We plan to deploy the FTD at the Internet connection, where remote VPN is needed for staff to connect. Does FTD version 6.2.0 support remote VPN such as AnyConnect or IPsec remote VPN? It's the main concern for changing to the new firewall.

Thank you for your valued answer.

Best Regards,

Mano

Accepted Solution

Marvin Rhoads
Hall of Fame

No it does not.

FTD 6.2.1 introduced AnyConnect (SSL VPN) support for the FirePOWER 2100 series only.

We expect release 6.2.2 to come out shortly adding that support for the rest of the products that run FTD (ASA 5500-X, FirePOWER 4100 and 9300 series).

Note this initial release has numerous caveats regarding unsupported features with SSL VPN. The 6.2.1 Configuration Guide outlines them here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

Quoting for the benefit of this thread:

AnyConnect

The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported as its own entity, it is only used to deploy the AnyConnect Client.

The following AnyConnect features are not supported when connecting to a Firepower Threat Defense secure gateway:

  • Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.

  • All posture variants (Hostscan, Endpoint Posture Assessment, and ISE) and Dynamic Access Policies based on the client posture.

  • AnyConnect Customization and Localization support. The Firepower Threat Defense device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.

  • Custom Attributes for the Anyconnect Client are not supported on the Firepower Threat Defense. Hence all features that make use of Custom Attributes are not supported, such as: Deferred Upgrade on desktop clients and Per-App VPN on mobile clients.

  • Local authentication, VPN users cannot be configured on the Firepower Threat Defense secure gateway.

  • Local CA, the secure gateway cannot act as a Certificate Authority

  • Secondary or Double Authentication

  • Single Sign-on using SAML 2.0

  • TACACS, Kerberos (KCD Authentication) and RSA SDI

  • LDAP Authorization (LDAP Attribute Map)

  • Browser Proxy

  • RADIUS CoA

  • VPN Load balancing is not supported.


11 Replies

Thanks so much for your valued answer.

Any information (more specific than "shortly") about when release 6.2.2 will come out?

Thanks in advance

Cisco hasn't given us a specific date. We were hoping for June, but it's now July and we're still waiting. I didn't get to Cisco Live last week (I attended Melbourne earlier this year) to pester the engineers directly, so I haven't gotten any update.

You can set up a notification on the download page for FMC and choose to get a daily, weekly or monthly email notifying you of any new software published for the product.

https://software.cisco.com/download/release.html?mdfid=286259687&release=GeoDB&relind=AVAILABLE&softwareid=286271056&rellifecycle=&reltype=latest

The latest info I have is that 6.2.2 is tracking for late August / early September.

With the latest FTD image, are any of the below AnyConnect features supported (I checked the release notes but found nothing...)?

  • All posture variants (Hostscan, Endpoint Posture Assessment, and ISE) and Dynamic Access Policies based on the client posture.

  • Local authentication, VPN users cannot be configured on the Firepower Threat Defense secure gateway.

  • Secondary or Double Authentication

  • VPN Load balancing is not supported.

So you're saying these features are not supported? I wish Cisco would just say what isn't supported. The client requires dual authentication; it sounds like 6.2.2 doesn't support dual authentication. Is this true?

Please, I need a password so I can connect to the VPN.

SIR, PLEASE, I AM KENNETH AZUBUIKE. I WANT TO CONNECT TO THE VPN BUT I DON'T KNOW HOW TO CREATE MY OWN PASSWORD

SO I CAN ACCESS CUSTOMS ASYCUDA++ FOR NIGERIA CUSTOMS MODBRK. PLEASE, I NEED HELP ON HOW TO CREATE MY OWN PASSWORD TO LOG IN.

Can someone let me know if XML uploading is mandatory? If yes, what exactly do I need to fill in the AnyConnect Profile Editor to create the XML file? Can someone give me an example of an XML file?
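For readers wondering what the file asked about above looks like, here is a minimal AnyConnect client profile of the kind the AnyConnect Profile Editor writes. It is an illustration added to this thread, not a file posted by anyone in it or taken from Cisco documentation; the display name and the gateway hostname are placeholders, and the handful of settings shown are the ones most relevant to a secure default (no local LAN access while connected, no automatic connection at start, no client-side scripting).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative AnyConnect client profile (constructed example, not from this thread). -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Do not start the tunnel before the user logs on to the OS. -->
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <!-- Let the client pick a client certificate automatically when one is required. -->
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <!-- Do not auto-connect when the client starts; the user initiates the session. -->
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <!-- Keep the endpoint off its local LAN while the tunnel is up (no local split tunnel). -->
    <LocalLanAccess UserControllable="false">false</LocalLanAccess>
    <!-- Reconnect after a network change, but drop the session on suspend/sleep. -->
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <!-- Allow the headend to push client updates. -->
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <!-- No OnConnect/OnDisconnect scripts run on the endpoint. -->
    <EnableScripting UserControllable="false">false</EnableScripting>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Placeholder display name and gateway address; replace with your own. -->
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The ServerList entry is what gives the client its gateway; everything under ClientInitialization only shapes client behaviour, so a profile that omits it still works. Note that the caveats quoted in the accepted answer still apply: the core VPN client profile is the one AnyConnect file the Firepower Threat Defense gateway deploys, while customization and localization files are not.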

Why would Cisco put a product out without 2-factor?  This is not good.