Skip to main content



Cisco Defense Orchestrator

Create an RA VPN Configuration

The RA VPN Configuration wizard allows you to add one or more Firepower Threat Defense (FTD) devices and configure the VPN interfaces, access control, and NAT exemption settings associated with the devices. Therefore, each RA VPN configuration can have shared connection profiles and group policies shared across multiple FTD devices that are associated with the RA VPN configuration. Further, you can enhance the configuration by creating connection profiles and group policies.

You can either onboard an FTD device that has already been configured with RA VPN settings or a new device without configuration. When you onboard an FTD device that already has RA VPN settings, CDO automatically creates a "Default RA VPN Configuration" and associates the FTD device to this configuration. Also, this default configuration can contain all the connection profile objects that are defined on the device.


Before adding the FTD devices to RA VPN configuration, the following prerequisites must be met:

  • Make sure that the FTD devices have the following:
  • FTD changes are synchronized to CDO.
    1. In the CDO navigation bar at the left, click Devices & Services and search for one or more FTD devices to be synchronized. 
    2. Select the device (s) and then click Read Policy. CDO communicates with one or more FTD devices to synchronize the changes.
  • RA VPN configuration group policy objects are consistent. 
  • RA VPN group policies of the FTD device match RA VPN configuration group policies. 


  1. In the CDO navigation bar at the left, click VPN > Remote Access VPN
    You can click on a VPN configuration object if already present or choose to create a new configuration.

    The group shows summary information on how many connection profiles and group policies are currently configured.
    • Expand the RA VPN configuration to view all connection profiles associated with them. 
      • Click the add + button to add new connection profile. 
      • Click the view button ( View_icon.JPG ) to open a summary of the connection profile and connection instructions.
        Under Actions, you can click Edit to modify the changes. 
    • You can click one of the following options under Actions to perform additional tasks:
  • Click Group Policies to assign/add group policies. 

  • Click a configuration object or connection profile that you no longer need and click Remove to delete.

  1. Click the blue plus blue_cross_button.png button to create a new RA VPN configuration.
  2. Enter a name for the Remote Access VPN configuration.
  3. Click the blue plus blue_cross_button.png button to add FTD devices to the configuration.
    You can add the device details and configure network traffic-related permissions that are associated with the device.
    1. Provide the following device details:
      • Device: Select a device that you want to add and click Select.
      • Certificate of Device Identity: Select the internal certificate used for establishing the identity of the device. Clients must accept this certificate to complete a secure VPN connection.
        If you do not already have a certificate, click Create New Internal Certificate in the drop-down list. See Generating Self-Signed Internal and Internal CA Certificates.
      • Outside Interface: The interface to which users connect when creating the remote access VPN connection. Although this is normally the outside (internet-facing) interface, choose whichever interface is between the device and the end-users you are supporting with this connection profile. To create a new subinterface, see Configure Firepower VLAN Subinterfaces and 802.1Q Trunking.
      • Fully Qualified Domain Name or IP for the Outside Interface: The name of the interface, for example, or the IP address must be provided. If you specify a name, the system can create a client profile for you.
        Note: You are responsible for ensuring that the DNS servers used in the VPN and by clients can resolve this name to the outside interface's IP address. Add the FQDN to the relevant DNS servers.
    2. Click Continue to configure the traffic permissions.
      1. Bypass Access Control policy for decrypted traffic (sysopt permit-vpn): Decrypted traffic is subjected to Access Control Policy inspection by default.  Enabling this option bypasses the decrypted traffic option bypasses the access control policy inspection, but the VPN Filter ACL and the authorization ACL downloaded from the AAA server are still applied to VPN traffic.
        Note that if you select this option, the system configures the sysopt connection permit-vpn command, which is a global setting. This will also impact the behavior of site-to-site VPN connections. 
        If you do not select this option, it might be possible for external users to spoof IP addresses in your remote access VPN address pool, and thus gain access to your network. This can happen because you will need to create access control rules that allow your address pool to have access to internal resources. If you use access control rules, consider using user specifications to control access, rather than source IP address alone.
        The downside of selecting this option is that the VPN traffic will not be inspected, which means that intrusion and file protection, URL filtering, or other advanced features will not be applied to the traffic. This also means that no connection events will be generated for the traffic, and thus statistical dashboards will not reflect VPN connections.
      2. NAT Exempt: Enable NAT Exempt to exempt traffic to and from the remote access VPN endpoints from NAT translation. If you do not exempt VPN traffic from NAT, ensure that the existing NAT rules for the outside and inside interfaces do not apply to the RA VPN pool of addresses. NAT exempt rules are manual static identity NAT rules for a given source/destination interface and network combination, but they are not reflected in the NAT policy, they are hidden. If you enable NAT Exempt, you must also configure the following.
  • Inside Interfaces: Select the interfaces for the internal networks remote users will be accessing. NAT rules are created for these interfaces.
  • Inside Networks: Select the network objects that represent internal networks remote users will be accessing. The networks list must contain the same IP types as the address pools you are supporting.
    1. Click OK.
      The FTD device is added to the RA VPN configuration. You can add multiple FTD devices to the RA VPN configuration.
  1. Click OK.
    The device is added to the configuration. The AnyConnect Packages Detected shows the AnyConnect packages available in the device.
  2. Create connection profiles. See Configure an RA VPN Connection Profile.


Select a configuration and under Actions, click the appropriate action:

  • Group Policies to add or remove group policies.
  • Remove to delete the selected RA VPN configuration.

Modify RA VPN Configuration

You can modify the name and the device details of an existing RA VPN configuration. 

  1. Select the configuration to be modified and under Actions, click Edit
    • Modify the name if required.
    • Click the blue plus blue_cross_button.png button to add a new device
    • Click verticle_browse.JPG  to perform the following on the FTD device.
      • Click Edit to modify the existing RA VPN configuration.  
      • Click Remove to remove the FTD device from the RA VPN configuration. All connection profiles and RA VPN settings associated with that device except the group policies are deleted. You can remove the group policies them explicitly from the objects page.
        Note: You cannot remove the FTD if that is the only device using the configuration. Alternatively, you can remove the RA VPN configuration.

You can also search for remote access VPN configuration by typing the name of the configuration or device.

  • Was this article helpful?