Skip to main content



Cisco Defense Orchestrator

Create an FTD RA VPN Configuration

CDO allows you to add one or more Firepower Threat Defense (FTD) devices to the RA VPN configuration wizard and configure the VPN interfaces, access control, and NAT exemption settings associated with the devices. Therefore, each RA VPN configuration can have connection profiles and group policies shared across multiple FTD devices that are associated with the RA VPN configuration. Further, you can enhance the configuration by creating connection profiles and group policies.

You can either onboard an FTD device that has already been configured with RA VPN settings or a new device without RA VPN settings. When you onboard an FTD device that already has RA VPN settings, CDO automatically creates a "Default RA VPN Configuration" and associates the FTD device with this configuration. Also, this default configuration can contain all the connection profile objects that are defined on the device.


  • You are not allowed to add ASA and FTD in the same Remote Access VPN Configuration.
  • An FTD device can't have more than one RA VPN Configuration. 


Before adding the FTD devices to RA VPN configuration, the following prerequisites must be met:


  1. In the CDO navigation bar at the left, click VPN > Remote Access VPN Configuration
  2. Click the blue plus blue_cross_button.png button to create a new RA VPN configuration.
  1. Enter a name for the Remote Access VPN configuration.
  2. Click the blue plus blue_cross_button.png button to add FTD devices to the configuration.
    You can add the device details and configure network traffic-related permissions that are associated with the device.
    1. Provide the following device details:
      • Device: Select an FTD device that you want to add and click Select.
        Important: You are not allowed to add ASA and FTD in the same Remote Access VPN Configuration. 
      • Certificate of Device Identity: Select the internal certificate used for establishing the identity of the device. This establishes the device identity for AnyConnect clients when they make a connection to the device. Clients must accept this certificate to complete a secure VPN connection.
        If you do not already have a certificate, click Create New Internal Certificate in the drop-down list. See Generating Self-Signed Internal and Internal CA Certificates.
      • Outside Interface: The interface to which users connect when making the remote access VPN connection. Although this is normally the outside (internet-facing) interface, choose whichever interface is between the device and the end-users you are supporting with this connection profile. To create a new subinterface, see Configure Firepower VLAN Subinterfaces and 802.1Q Trunking.
      • Fully Qualified Domain Name or IP for the Outside Interface: The name of the interface, for example, or the IP address must be provided. If you specify a name, the system can create a client profile for you.
        Note: You are responsible for ensuring that the DNS servers used in the VPN and by clients can resolve this name to the outside interface's IP address. Add the FQDN to the relevant DNS servers.
    2. Click Continue to configure the traffic permissions.
      • Bypass Access Control policy for decrypted traffic (sysopt permit-vpn): Decrypted traffic is subjected to Access Control Policy inspection by default.  Enabling this option bypasses the decrypted traffic option bypasses the access control policy inspection, but the VPN Filter ACL and the authorization ACL downloaded from the AAA server are still applied to VPN traffic.
        Note that if you select this option, the system configures the sysopt connection permit-vpn command, which is a global setting. This will also impact the behavior of site-to-site VPN connections. 
        If you do not select this option, it might be possible for external users to spoof IP addresses in your remote access VPN address pool, and thus gain access to your network. This can happen because you will need to create access control rules that allow your address pool to have access to internal resources. If you use access control rules, consider using user specifications to control access, rather than source IP address alone.
        The downside of selecting this option is that the VPN traffic will not be inspected, which means that intrusion and file protection, URL filtering, or other advanced features will not be applied to the traffic. This also means that no connection events will be generated for the traffic, and thus statistical dashboards will not reflect VPN connections.
      • NAT Exempt: Enable NAT Exempt to exempt traffic to and from the remote access VPN endpoints from NAT translation. If you do not exempt VPN traffic from NAT, ensure that the existing NAT rules for the outside and inside interfaces do not apply to the RA VPN pool of addresses. NAT exempt rules are manual static identity NAT rules for a given source/destination interface and network combination, but they are not reflected in the NAT policy, they are hidden. If you enable NAT Exempt, you must also configure the following.
  • Inside Interfaces: Select the interfaces for the internal networks remote users will be accessing. NAT rules are created for these interfaces.
  • Inside Networks: Select the network objects that represent internal networks remote users will be accessing. The networks list must contain the same IP types as the address pools you are supporting.
  1. Click OK.

The AnyConnect Packages Detected shows the AnyConnect packages that are already available on the device.

To upload a package based on your FTD version, choose one of the following methods:

If you want to replace an existing package, see Replace an Existing AnyConnect Package.

  1. ClickUpload_AnyConnect.JPG to upload the package.
  2. Click OK. The device is added to the configuration.


Select a configuration and under Actions, click the appropriate action:

  • Group Policies to add or remove group policies.
  • Remove to delete the selected RA VPN configuration.

Modify RA VPN Configuration

You can modify the name and the device details of an existing RA VPN configuration. 

  1. Select the configuration to be modified and under Actions, click Edit
    • Modify the name if required.
    • Click the blue plus blue_cross_button.png button to add a new device
    • Click verticle_browse.JPG  to perform the following on the FTD device.
      • Click Edit to modify the existing RA VPN configuration.  
      • Click Remove to remove the FTD device from the RA VPN configuration. All connection profiles and RA VPN settings associated with that device except the group policies are deleted. You can remove the group policies explicitly from the objects page.
        Note: You cannot remove the FTD if that is the only device using the configuration. Alternatively, you can remove the RA VPN configuration.

You can also search for remote access VPN configuration by typing the name of the configuration or device.

  • Was this article helpful?