Configuring Remote Access VPN for an FTD
Cisco Defense Orchestrator (CDO) provides an intuitive user interface for configuring a new Remote Access Virtual Private Network (RA VPN). It also allows you to quickly and easily configure an RA VPN connection for multiple Firepower Threat Defense (FTD) devices that are onboarded to CDO. AnyConnect is the only client supported on endpoint devices for RA VPN connectivity to FTD devices.
When the AnyConnect client negotiates an SSL VPN connection with the FTD device, it connects using Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS). DTLS avoids the latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. The client and the FTD device negotiate which TLS/DTLS version to use; DTLS is used if the client supports it.
Cisco Defense Orchestrator (CDO) supports the following aspects of RA VPN functionality on Firepower Threat Defense devices:
- SSL client-based remote access
- IPv4 and IPv6 addressing
- Shared RA VPN configuration across multiple FTD devices
Important
If an onboarded FTD device (running software version 6.7 or later) contains a Remote Access VPN configuration that uses a SAML server as the authentication source, CDO does not populate the AAA details in the connection profile, because it does not manage SAML server objects in the current release. Thus, you cannot manage such an RA VPN configuration from CDO. However, the trusted CA certificate and SAML server objects are read into CDO.
Related Topics
- (optional) Split Tunneling for RA VPN Users (Hair Pinning)
- Control User Permissions and Attributes Using RADIUS and Group Policies
- End-to-End FTD Remote Access VPN Configuration Process for FTD
- Download AnyConnect Client Software Packages
- Upload AnyConnect Software Packages to an FTD Version 6.4.0
- Upload AnyConnect Software Packages to an FTD Device Running FTD Version 6.5 or Later
- Configure and Upload VPN AnyConnect Client Profiles
- Configure Identity Sources for FTD
- Create New FTD RA VPN Group Policies
- Create an FTD RA VPN Configuration
- Configure an FTD RA VPN Connection Profile
- Allow Traffic Through the Remote Access VPN
- Upgrade AnyConnect Package on an FTD Version 6.4.0
- Guidelines and Limitations of Remote Access VPN for FTD
- How Users Can Install the AnyConnect Client Software on FTD
- Licensing Requirements for Remote Access VPN
- Maximum Concurrent VPN Sessions By Device Model
- RADIUS Change of Authorization
- RSA Security Two-Factor Authentication
- Verify Remote Access VPN Configuration of FTD
- View Remote Access VPN Configuration Details of FTD