How to Configure CISCO AnyConnect on FTD using FMC

Captions
Hello friends, welcome back to my channel. I'm back with another learning video. If you are here for the first time, welcome; please don't forget to subscribe to my channel so that you will get new updates and new learning videos as soon as I post them. Okay, so in today's session we are going to learn how to configure AnyConnect VPN on the FTD platform using Cisco FMC. In the remote access VPN configuration I'm going to use SAML for authentication. I know that other than SAML, the Cisco FTD along with the FMC supports other authentication, I mean AAA authentication, as well, but I'm going to use SAML for the sake of today's learning video. Okay, let's get into this session.

Now I'm here on the FMC console. Before you start the remote access VPN configuration wizard you need to consider a few things as preliminary actions and dependent areas that will enable you to complete the remote access VPN wizard. First, you need to have the AnyConnect image already uploaded into the FMC. Second, the interfaces need to be configured already on the FTD firewall, meaning if we have inside and outside only, you just need to configure those for the remote access VPN configuration wizard to complete. And then the authentication server: like I mentioned before, I'm going to use SAML authentication for AnyConnect, so please make sure that the SAML authentication server is also configured already. I already made another video on how to configure SAML authentication for FTD AnyConnect authentication; I will put that link in the description so you'll be able to find that separate video covering the SAML configuration in a detailed manner. But just for understanding purposes I'm going to showcase the sample configuration over here, so that you will be able to correlate the configuration while we configure the remote access VPN wizard.

Okay, let's get started. On the FMC console click on Objects, Object Management, and once you're there click on AAA Server on the left side. When you click on Single Sign-on Server you'll be able to create the single sign-on server, I mean the SAML server. Like I mentioned before, I have a separate video made for configuring this stuff alone in a very detailed manner, so I'm going to use this SAML configuration for the remote access VPN wizard. In this, the required parameters are already configured. If you follow the other video you'll be able to complete this step without a single hesitation. Okay, so considering that this is completed already: secondly, before we even start the remote access VPN configuration, you need to make sure that you are adding the service provider certificate and IdP provider certificate into the device where you are going to configure the remote access VPN wizard. Again, I already explained what the service provider certificate and IdP provider certificate are in the other video; you'll be able to understand that in more detail in that video. So before we configure the remote access VPN wizard you need to assign these certificates manually by following this section here: select the certificate and click Add. By doing so they will be assigned or installed; these are called trust points. The service provider trust point and identity provider trust point will get installed, and then you need to deploy the configuration and then come back to the console.

Now let us also complete a couple of other portions. See here: as soon as you come back to FMC, click on Remote Access and then click on Add. By doing so you will be starting the remote access VPN wizard. I'm just configuring this with some vague name, test VPN. Under VPN protocols, if you are going to use only SSL, please select that; if you are going to use IPsec also, you can select appropriately. Then the device you want to add, I mean the firewall. Then here it talks about the things that I mentioned before: you need to have the authentication server ready, a client package of any kind already uploaded, and the device interface. So ensure that you complete these details before you start this VPN wizard, and click Next.

I have completed this setup already, so I'm going to explain this in the wizard itself, which I have completed already. If you go back here, I have created the connection profile. If I click there, the connection profile you can name whatever you want; then the group policy. Before we jump over to the group policy we'll see the connection profile. The connection profile is nothing but the tunnel group. The tunnel group is where you will mention the VPN pool information: as soon as we get connected to the VPN we will get the IP address assigned from that specific tunnel group, so we have to mention the range that is going to be assigned for this particular tunnel group. Then click on AAA. Like I mentioned, I have selected SAML for authentication; it also supports AAA, client certificate, and client certificate with AAA. I'm going to use SAML for my authentication here, and we have already created this SAML server as I showed you in the step before, so just select that in the drop-down list. The main thing we need to consider here: version 6.7 of FTD will only support authentication; it will not support authorization or accounting. Cisco mentioned that they will be releasing the authorization and accounting portion in a later version that is coming up in the spring or later in spring 2021. By then I think we can start using these authorization and accounting fields, but for now only authentication is supported. You can also double-check this in the release notes of version 6.7 of the FTD OS.

And in the Aliases section, what we will be creating is an alias. An alias is just a naming convention that you are using for that connection profile. So here just click on the add button and name it whatever you want, click the Enabled box, and then submit it. And then your alias URL is a very, very important URL that you need to configure here; this is what the people will use to connect to the VPN firewall. So you have to click the plus button and click Add, name it whatever you want, and then the DNS name of the firewall on which you are going to configure the VPN configuration, and then save it and apply it.

Okay, the group policy. The group policy is where you will configure certain other information pertinent to that tunnel group. So we have selected SSL, and the IP pool will also be automatically assigned by the tunnel group, and then the banner: based on the banner type you want for your company, you can assign it. And then here comes another main part: you will be able to assign the primary DNS server, secondary DNS server, primary WINS server and secondary WINS server. These are purely based on your network requirement: if you think that your VPN users should use your corporate DNS server, then you can go ahead and configure it; if not, we have the option to select the default DNS as the home network DNS. But here I'm configuring this VPN as split tunnel include. Include means I want to send only certain domains into the tunnel; the rest of the internet traffic should flow through my local internet, which means it's a split tunnel VPN. Within the split tunnel option we have two types, tunnel include and tunnel exclude. Tunnel include means whatever domains you want to allow through the tunnel you'll be selecting, and whatever domains you don't want to send to the corporate VPN, I mean over the full tunnel, you can specify that. So my corporate requirement is to specify the domains that I want to send to corporate, so I'm selecting that, and the list of subnets that are part of my corporate network I have created already as a standard access list, and I'm just selecting that list from the drop-down list here.

Okay, and then under AnyConnect client profile: the client profile is where you will upload the XML file that will have the domain information, the DNS information of the VPN box that you will connect to. You can also create it here, or since I have that already I have selected it here. All you just need to do here is name it whatever you want and browse to that XML file and upload it here, that's it. And then the management profile: most likely this may not be used, because the management VPN tunnel ensures connectivity to the corporate network whenever the endpoint is powered up, even if the end user does not connect over VPN. So this is only for the administrative people; I don't think we need it here, so I'm going to skip this for now. And this particular one: if you use DART or Cisco NAC, ISE posture, Network Visibility, Umbrella, Web Security, in those situations if you have those you can enable it; if not you can just skip it. I don't have those for my infrastructure, so I'm just skipping that. And SSL settings: you can select whatever is applicable for your infrastructure, so I have selected DTLS compression in LZS format. And under connection settings, based on my corporate requirement I have selected, I mean configured, these parameters: keepalive messages, 3, every 300 seconds, and dead peer detection every 300 seconds, and the same for the client side as well. Under advanced session settings we are allowing two sessions per user ID, then 1200 minutes for the maximum connection time, meaning it will last up to 20 hours. It will also idle timeout if the user did not send any traffic to the VPN tunnel after 60 minutes. So this is the group policy information.

I think as soon as you complete this connection profile and the group policy information you are all set; your VPN wizard is completed. You have the VPN profile, I mean the tunnel group name, SAML for AAA, meaning this is a SAML authentication server, and then the group policy, and you will be assigning that whole set of configuration to a specific device. That's it, and then click Deploy and it will get pushed. That's it. Thank you so much. If you have any questions please don't forget to mention them in the comment section so that I'll be able to clarify your questions.
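As an added illustration that is not part of the video, this is approximately the ASA-style running configuration that FMC renders on the FTD for the connection profile and group policy walked through above (SAML authentication on the tunnel group, a split-tunnel include list from a standard ACL, DTLS LZS compression, 300-second keepalive and DPD, two sessions per user, 1200-minute session and 60-minute idle timeouts). All pool addresses, ACL entries, trust point names, IdP URLs and file names are constructed placeholders, and the exact lines rendered vary by FTD version.

```text
! Added illustration: approximate ASA-style CLI that FMC renders on the FTD
! for the settings walked through above. Names, addresses and URLs are
! constructed placeholders.
ip local pool TEST_VPN_POOL 10.100.0.10-10.100.0.250 mask 255.255.255.0
access-list CORP_SPLIT_INCLUDE standard permit 10.0.0.0 255.0.0.0
access-list CORP_SPLIT_INCLUDE standard permit 192.168.50.0 255.255.255.0
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER-webdeploy-k9.pkg 1
 anyconnect profiles TEST_VPN_PROFILE disk0:/test_vpn_profile.xml
 anyconnect enable
 saml idp https://idp.example.com/saml/metadata
  url sign-in https://idp.example.com/saml/sso
  url sign-out https://idp.example.com/saml/slo
  base-url https://vpn.example.com
  trustpoint idp IDP_TRUSTPOINT
  trustpoint sp SP_TRUSTPOINT
!
group-policy TEST_VPN_GP internal
group-policy TEST_VPN_GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.53 10.0.0.54
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CORP_SPLIT_INCLUDE
 vpn-simultaneous-logins 2
 vpn-idle-timeout 60
 vpn-session-timeout 1200
 webvpn
  anyconnect profiles value TEST_VPN_PROFILE type user
  anyconnect ssl keepalive 300
  anyconnect dpd-interval client 300
  anyconnect dpd-interval gateway 300
  anyconnect dtls compression lzs
!
tunnel-group TEST_VPN type remote-access
tunnel-group TEST_VPN general-attributes
 address-pool TEST_VPN_POOL
 default-group-policy TEST_VPN_GP
tunnel-group TEST_VPN webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/saml/metadata
 group-alias TEST_VPN enable
 group-url https://vpn.example.com/TEST_VPN enable
```

Only the subnets the standard ACL permits are sent into the tunnel; everything else stays on the user's local internet. After deployment, `show running-config group-policy TEST_VPN_GP` and `show vpn-sessiondb anyconnect` on the FTD confirm what was actually pushed and who is connected.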
Info
Channel: SecGuru
Views: 1,283
Id: XZOGaCAgjwE
Length: 13min 19sec (799 seconds)
Published: Sat Mar 20 2021