If you have an FQDN that resolves to the outside IP of the FTD enter it in the Anyconnect connection box. Once the configuration is deployed attempt to connect. Use this section to confirm that your configuration works properly. Confirm that the correct parameters have been set and hit the Finish Button and Deploy the new configuration. The Last page gives a summary of the entire configuration. Select the Anyconnect Package for each operating system (Windows/Mac/Linux) that users will be connecting with as shown in the image. Select the inside interface and the networks that Anyconnect clients will need to access as shown in the image. NAT exemption can be configured manually under Policies > NAT or it can be configured automatically by the wizard. This is an optional command if sysopt permit-vpn is not selected an access control policy must be created that allows traffic from the Anyconnect clients to access the internal network as shown in the image. Select the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn). Then, select the interface the FTD will listen for Anyconnect connections. On the next page, select the Anyconnect_Certificate added in the certificate section. In the group policy, add Split tunnelling so users connected to Anyconnect will only send traffic that is destined to the internal FTD network over the Anyconnect client while all other traffic will go out the user's ISP connection as shown in the image. Select the edit option at the top of the policy as shown in the image. For this guide, the default Group Policy will be used.
A new group-policy can be created by hitting the drop-down and selecting the option for Create a new Group Policy. On the next page, a summary of the default Group Policy will be displayed. Select the Anyconnect_Pool object as shown in the image. This guide will use Local Authentication. Select the authentication methods as shown in the image. Navigate to Remote Access VPN > Create Connection Profile. Go through the Remote Access VPN Wizard on FDM as shown in the image.Ĭreate a connection profile and start the configuration as shown in the image. The certificate and key can be uploaded by copy and paste or the upload button for each file as shown in the image. Upload both the certificate and the private key as shown in the image. Navigate to Objects > Certificates > Add Internal Certificate. Configure a certificate as shown in the image. Create local Users as shown in the image.
Navigate to Objects > Users > Add User. Add VPN Local users that will connect to FTD via Anyconnect. Configure VPN Pool and LAN Networks from FDM GUI. Create a VPN Pool in order to be used for Local Address Assignment to An圜onnect Users as shown in the image.Ĭreate an object for the local network behind the FDM device as shown in the image.
Navigate to Objects > Networks > Add new Network. Step 3. Verify that Export-controlled Features is enabled in the token as shown in the image. Step 2. Verify that An圜onnect licenses are enabled on the device as shown in the image. Verify Device is registered to Smart Licensing as shown in the image. If your network is live, ensure that you understand the potential impact of any command.Īn圜onnect Client Authentication with the use of Local. All of the devices used in this document started with a cleared (default) configuration. The information in this document was created from the devices in a specific lab environment.
The information in this document is based on these software and hardware versions:
Any of the An圜onnect Licenses enabled (APEX, Plus or VPN-Only).FTD registered with the smart licensing portal with Export Controlled Features enabled (in order to allow RA VPN configuration tab to be enabled).Prerequisites RequirementsĬisco recommends that you have knowledge of RA VPN configuration on FDM. Enhancement request CSCvm76499 has been filed for this issue. Unable to configure FTD via FDM for Anyconnect clients to connect to the external interface while management is opened via the same interface.
This document describes how to configure the deploying of Remote Access Virtual Private Network (RA VPN) on Firepower Threat Defense (FTD) managed by the on-box manager Firepower Device Manager (FDM) running version 6.5.0 and above.