Skip to main content



Cisco Defense Orchestrator

End-to-End Remote Access VPN Configuration Process for an ASA

This section provides the end-to-end procedure for configuring Remote Access Virtual Private Network (RA VPN) on an ASA device onboarded to CDO.


To enable remote access VPN for your clients, you need to configure several separate items. The following procedure provides the end-to-end process.

  1. Configure the identity source used for authenticating remote users. See Configure Identity Sources for ASA for more information.

You can use the following sources to authenticate users attempting to connect to your network using RA VPN. Additionally, you can use client certificates for authentication, either alone or in conjunction with an identity source.

  • Active Directory identity realm: As a primary authentication source. The user accounts are defined in your Active Directory (AD) server. See Configuring AD Identity Realms. See Create and Edit an ASA Active Directory Realm Object.

  • RADIUS server group: As a primary or secondary authentication source, and for authorization and accounting. See Create or Edit an ASA RADIUS Server Object or Group.

  • Local Identity Source (the local user database): As a primary or fallback source. You can define users directly on the device and not use an external server. If you use the local database as a fallback source, ensure that you define the same usernames/passwords as the ones described in the external server. 

    To add user accounts using ASA CLI, go to ASA CLI and execute username [username] password [password] privilege [priv_level] command.
    To determine whether the user account was added correctly, execute show running-config user command.

  1. (optional) Create New ASA RA VPN Group Policies.
    The group policy defines user-related attributes. You can configure group policies to provide differential access to resources based on group membership. Alternatively, use the default policy for all connections.
  2. Create an ASA RA VPN Configuration.
  3. Configure an ASA RA VPN Connection Profile.
  4. (optional) Exempt ASA Remote Access Traffic from NAT.
  5. Review and deploy configuration changes to the devices.

Important: If you change the Remote Access VPN configuration by using a local manager like Adaptive Security Device Manager (ASDM), the Configuration Status of that device in CDO shows "Conflict Detected". See Out-of-Band Changes on an ASA Device. You can Resolve Configuration Conflicts on this ASA. 

Next Steps

Once the RA VPN configuration is downloaded to the ASA devices, the users can connect to your network from a remote location using a computer or other supported iOS or Android device connected to the Internet. You can monitor live AnyConnect Remote Access Virtual Private Network (RA VPN) sessions from all onboarded ASA RA VPN head-ends in your tenant. See Monitoring Remote Access Virtual Private Network

  • Was this article helpful?