Cisco Defense Orchestrator

End-to-End FTD Remote Access VPN Configuration Process for an FTD

This section provides the end-to-end procedure for configuring Remote Access Virtual Private Network (RA VPN) on an FTD device onboarded to CDO.


To enable remote access VPN for your clients, you need to configure several separate items. The following procedure provides the end-to-end process.

  1. Enable two licenses. 
    • The Base license. When you register the device, you must do so with a Smart Software Manager account that is enabled for export-controlled features; the Base license must meet export control requirements before you can configure remote access VPN, because the strong encryption that RA VPN uses is export controlled. You also cannot configure the feature using the evaluation license. Your purchase of a Firepower Threat Defense device automatically includes a Base license, which covers all features not covered by the optional licenses and is a perpetual license.

      The device must be registered from FDM. See the Registering the Device section in the Licensing the System chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.
    • A remote access VPN license. For details, see Licensing Requirements for Remote Access VPN.
  2. Configure Certificates.

Certificates are required to authenticate the SSL/TLS connections between the AnyConnect clients and the device; the device presents its identity certificate to each connecting client. You can use the pre-defined DefaultInternalCertificate for the VPN or create your own. Because DefaultInternalCertificate is self-signed, clients will warn about an untrusted server unless you upload an identity certificate issued by a CA that your clients already trust.

If you use an encrypted connection (LDAPS or STARTTLS) for the directory realm used for authentication, you must upload the trusted CA certificate that issued the directory server's certificate; otherwise the device cannot validate the connection to the directory server.
For more information on certificates and how to upload them, see Configuring Certificates.

  3. Configure the identity source used for authenticating remote users. 

You can use the following sources to authenticate users attempting to connect to your network using RA VPN. Additionally, you can use client certificates for authentication, either alone or in conjunction with an identity source.

  • Active Directory identity realm: As a primary authentication source. The user accounts are defined in your Active Directory (AD) server. See Configuring AD Identity Realms and Create and Edit a Firepower Threat Defense Active Directory Realm Object.

  • RADIUS server group: As a primary or secondary authentication source, and for authorization and accounting. See Create or Edit a Firepower Threat Defense RADIUS Server Object or Group.

  • Local Identity Source (the local user database): As a primary or fallback source. You can define users directly on the device and not use an external server. If you use the local database as a fallback source, ensure that you define the same usernames and passwords as those defined on the external server, and keep the two in sync, because the local copy is a second credential store that must be maintained alongside the external one.
    Note: You can create user accounts directly on the FTD device only from Firepower Device Manager (FDM). See Configure Local Users.

  • Duo LDAP server: As a primary or secondary authentication source. Although you can use a Duo LDAP server as the primary source, this is not the normal configuration. You would normally use it as the secondary source to provide two-factor authentication in conjunction with a primary Active Directory or RADIUS server. For details, see How to Configure Two-Factor Authentication using Duo LDAP.

  4. (Optional.) Create New FTD RA VPN Group Policies.
    The group policy defines user-related attributes. You can configure group policies to provide differential access to resources based on group membership. Alternatively, use the default policy for all connections.
  5. Create an FTD RA VPN Configuration.
  6. Configure an RA VPN Connection Profile.
  7. Review and deploy configuration changes to the devices.
  8. Allow Traffic Through the Remote Access VPN.
  9. (Optional.) Enable the identity policy and configure a rule for passive authentication. 
    If you enable passive user authentication, users who log in through the remote access VPN are shown in the dashboards and are available as traffic-matching criteria in policies. If you do not enable passive authentication, RA VPN users are available only if they match an active authentication policy. You must enable the identity policy to get any username information in the dashboards or for traffic matching.
    See Configure Identity Policies.
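The certificate step and the identity-source step above both depend on one check that is easy to get wrong before you touch the FTD: the certificate your directory server presents over LDAPS or STARTTLS must chain to the CA certificate you upload for the realm, and the host name the realm connects to must appear in that certificate. The script below is an added example, not Cisco or CDO code; it assumes only that the openssl command-line tool is installed. All certificates (a private CA, a second unrelated CA, and a domain controller certificate) are constructed on the fly so the script runs offline, and the names "Corp Root CA", "Other Root CA" and "dc1.corp.example" are hypothetical. In practice you would replace the constructed server certificate with the one your domain controller actually presents (for example, captured with openssl s_client) and the constructed CA with the CA you intend to upload.

```shell
#!/bin/sh
# Added example (not Cisco code): verify that a directory server certificate
# chains to the CA you plan to upload to the FTD for an encrypted AD realm.
# Everything here is constructed with openssl so the script runs offline.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Hypothetical domain controller name used by the example.
DC_HOST="dc1.corp.example"

# Create a self-signed private CA (constructed; stands in for your enterprise CA).
make_ca() {
  name="$1"; out="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$out.key" -out "$out.crt" -subj "/CN=$name" >/dev/null 2>&1
}

# Issue a server certificate for a host, signed by the given CA, carrying the
# host name in the SAN (domain controllers need this for LDAPS to validate).
make_server_cert() {
  host="$1"; ca="$2"; out="$3"
  openssl req -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$out.ext"
  openssl x509 -req -in "$out.csr" -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial \
    -days 1 -extfile "$out.ext" -out "$out.crt" >/dev/null 2>&1
}

# The check the FTD effectively performs when the realm uses LDAPS/STARTTLS:
# does the server certificate chain to the uploaded CA, and does the host name
# the realm connects to match the certificate? Returns 0 on success, 1 otherwise.
chain_ok() {
  ca_file="$1"; server_cert="$2"; host="$3"
  openssl verify -CAfile "$ca_file" -verify_hostname "$host" "$server_cert" >/dev/null 2>&1
}

make_ca "Corp Root CA (constructed)" "$WORK/corp-ca"
make_ca "Other Root CA (constructed)" "$WORK/other-ca"
make_server_cert "$DC_HOST" "$WORK/corp-ca" "$WORK/dc1"

if chain_ok "$WORK/corp-ca.crt" "$WORK/dc1.crt" "$DC_HOST"; then
  echo "corp-ca.crt is the CA to upload for the realm: chain and host name verify"
fi
if ! chain_ok "$WORK/other-ca.crt" "$WORK/dc1.crt" "$DC_HOST"; then
  echo "other-ca.crt does not issue the server certificate: the realm's encrypted connection would fail validation"
fi
if ! chain_ok "$WORK/corp-ca.crt" "$WORK/dc1.crt" "ldap.wrong.example"; then
  echo "host name mismatch: the realm must connect to the name present in the certificate's SAN"
fi
```

The third check is the one that most often bites in practice: the realm is configured with an IP address or an alias that is not in the domain controller's certificate, so the chain is fine but validation still fails. Point the realm at the exact name in the certificate's SAN, or reissue the certificate with that name.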

Important: If you change the Remote Access VPN configuration by using a local manager such as Firepower Device Manager (FDM), the Configuration Status of that device in CDO shows "Conflict Detected". See Out-of-Band Changes on an FTD Device. You can Resolve Configuration Conflicts on this FTD. 

Next Steps

Once the RA VPN configuration is deployed to the FTD devices, users can connect to your network from a remote location using a computer or a supported iOS or Android device connected to the Internet. You can monitor live AnyConnect Remote Access Virtual Private Network (RA VPN) sessions from all onboarded FTD RA VPN head-ends in your tenant. See Monitoring Remote Access Virtual Private Network.
