Configuring Remote Access VPN for an FTD
Cisco Defense Orchestrator (CDO) provides an intuitive user interface for configuring a new Remote Access Virtual Private Network (RA VPN). It also allows you to quickly and easily configure RA VPN connection for multiple Firepower Threat Defense (FTD) devices that are on board in CDO. AnyConnect is the only client that is supported on endpoint devices for an RA VPN connectivity to FTD devices.
When the AnyConnect client negotiates an SSL VPN connection with the FTD device, it connects using Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS). DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. The client and the FTD device negotiate the TLS/DTLS version to use. DTLS is used if the client supports it.
Cisco Defense Orchestrator (CDO) supports the following aspects of RA VPN functionality on Firepower Threat Defense devices:
- SSL client-based remote access
- IPv4 and IPv6 addressing
- Shared RA VPN configuration across multiple FTD devices
Important
If an onboarded FTD device (running on software version 6.7 or later) contains RA VPN configuration with SAML server as the authentication source, CDO doesn't populate the AAA details in the connection profile as it doesn't manage SAML server objects in the current release. Thus you can't manage such RA VPN configuration from CDO. However, CDO reads the RA VPN connection profile and associated trusted CA certificate and SAML server objects.
Related Topics
- Guidelines and Limitations of Remote Access VPN for FTD
- Control User Permissions and Attributes Using RADIUS and Group Policies
- Two-Factor Authentication
- End-to-End FTD Remote Access VPN Configuration Process for an FTD
- Allow Traffic Through the Remote Access VPN
- Configure an FTD RA VPN Connection Profile
- Configure Identity Sources for FTD
- Create an FTD RA VPN Configuration
- Create New FTD RA VPN Group Policies
- Download AnyConnect Client Software Packages
- Upgrade AnyConnect Package on an FTD Version 6.4.0
- Upload AnyConnect Software Packages to an FTD Device Running Software Version 6.5 or Later
- Upload AnyConnect Software Packages to an FTD Version 6.4.0 Using FDM API Explorer
- Upload RA VPN AnyConnect Client Profile
- How to Configure Two-Factor Authentication using Duo LDAP
- How to Configure Two-Factor Authentication using Duo RADIUS
- How Users Can Install the AnyConnect Client Software on FTD
- Licensing Requirements for Remote Access VPN
- Maximum Concurrent VPN Sessions By Device Model
- RADIUS Change of Authorization
- Split Tunneling for RA VPN Users (Hair Pinning)
- Verify Remote Access VPN Configuration of FTD
- View Remote Access VPN Configuration Details of FTD