Configure AnyConnect Remote Access VPN on FTD

Available Languages

Download Options

  • PDF     (1.0 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.1 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.1 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:December 5, 2023
Document ID:212424

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes a configuration for AnyConnect Remote Access VPN on FTD.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Basic VPN, TLS and IKEv2 knowledge
    • Basic Authentication, Authorization, and Accounting (AAA) and RADIUS knowledge
    • Experience with Firepower Management Center

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco FTD 7.2.0
    • Cisco FMC 7.2.1
    • AnyConnect 4.10 

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    This document provides a configuration example for Firepower Threat Defense (FTD) version 7.2.0 and later, that allows remote access VPN to use Transport Layer Security (TLS) and Internet Key Exchange version 2 (IKEv2). As a client, Cisco AnyConnect can be used, which is supported on multiple platforms.

    Configuration

    1. Prerequisites

    In order to go through Remote Access wizard in Firepower Management Center:

    • Create a certificate used for server authentication.
    • Configure RADIUS or LDAP server for user authentication.
    • Create pool of addresses for VPN users.
    • Upload AnyConnect images for different platforms.

    a) Import the SSL Certificate


    Certificates are essential when you configure AnyConnect. The certificate must have Subject Alternative Name extension with DNS name and/or IP address to avoid errors in web browsers.

    Note: Only registered Cisco users have access to internal tools and bug information.

    There are limitations for manual certificate enrollment:

    - On FTD you need the CA certificate before you generate the CSR.

    - If the CSR is generated externally, the manual method fails, a different method must be used (PKCS12).

    There are several methods to obtain a certificate on FTD appliance, but the safe and easy one is to create a Certificate Signing Request (CSR), sign it with a Certificate Authority (CA) and then import certificate issued for public key, which was in CSR. Here is how to do that:

    • Go to Objects  > Object Management > PKI > Cert Enrollment , click Add Cert Enrollment.

    Add Cert Enrollment

    • Select Enrollment Type and paste Certificate Authority (CA) certificate (the certificate which is used to sign the CSR).
    • Then go to second tab and select Custom FQDN and fill all necessary fields, for example:

    Configure common name for the certificate

    • On the third tab, select Key Type, choose name and size. For RSA, 2048 bits is minimum.
    • Click save and go to Devices > Certificates > Add > New Certificate.
    • Then select Device, and under Cert Enrollment select the trustpoint which you just created, click Add:

    Select Devices and then Add Certificates

    • Later, next to the trustpoint name, click the Icon icon, then Yes, and after that copy CSR to CA and sign it. Certificate must have attributes the same as normal a HTTPS server. 
    • After you received the certificate from CA in base64 format, select it from the disk and click Import. When this succeeds, you see:

    Successful Import
    b) Configure RADIUS Server

    • Go to Objects > Object Management > RADIUS Server Group > Add RADIUS Server Group.
    • Fill out the name and add IP address along with shared secret, click Save:

    Configure RADIUS

    • After that you see the server on the list:

    RADIUS Server is Named in the List

    c) Create a Pool of Addresses for VPN Users

    • Go to Objects > Object Management > Address Pools > Add IPv4 Pools.
    • Put the name and range, mask is not needed: 

    Configure address pool

    d) Create XML Profile

    • Download the Profile Editor from Cisco site and open it.
    • Go to Server List > Add...
    • Put Display Name and FQDN. You see entries in Server List:

    Open Profile Editor and Select the Server List and then ADD

    • Click OKand File > Save as... 

    e) Upload AnyConnect Images

    • Download pkg images from Cisco site.
    • Go to Objects > Object Management > VPN > AnyConnect File > Add AnyConnect File.
    • Type the name and select PKG file from disk, click Save:

    Edit the AnyConnect File

    • Add more packages based on your own requirements.

    2. Remote Access Wizard

    • Go to Devices > VPN > Remote Access > Add a new configuration.
    • Name the profile and select FTD device:

    Targeted Devices and Protocols

    • In Connection Profile step, type Connection Profile Name, select the Authentication Server and Address Pools that you created earlier:

    Connection Profile Name

    • Click on Edit Group Policy and on the tab AnyConnect, select Client Profile, then click Save:

    Edit Group Policy

    • On the next page, select AnyConnect images and click Next.

    AnyConnect Client Image

    • On the next screen, select Network Interface and Device Certificates:

    Network Interface for Incoming VPN Access

    • When everything is configured correctly, you can click Finish and then Deploy:

    Edit Group Policy and Select Client Profile

    • This copies the whole configuration along with certificates and AnyConnect packages to FTD appliance.

    Connection

    To connect to FTD you need to open a browser, type DNS name or IP address that points to the outside interface. You then log in with credentials stored in RADIUS server and do the instructions on the screen. Once AnyConnect installs, you then need to put the same address in AnyConnect window and click Connect.

    Limitations

    Currently unsupported on FTD, but available on ASA:

    • FTDposture VPN does not support group policy change through dynamic authorization or RADIUS change of authorization (CoA).

    • AnyConnect customization (Enhancement: Cisco bug ID CSCvq87631)
    • AnyConnect scripts (Enhancement: Cisco bug ID CSCvt58044).
    • AnyConnect localization.
    • WSA integration.
    • Simultaneous IKEv2 dynamic crypto map for RA and L2L VPN (Enhancement: Cisco bug ID CSCvr52047).
    • TACACS, Kerberos - KCD Authentication and RSA SDI (Enhancement: Cisco bug ID CSCvx55859).
    • Browser Proxy.

    Security considerations

    By default, the sysopt connection permit-vpnoption is disabled. This means, that you need to allow the traffic that comes from the pool of addresses on outside interface via Access Control Policy. Although the pre-filter or access-control rule is added to allow VPN traffic only, if clear-text traffic happens to match the rule criteria, it is erroneously permitted.

    There are two approaches to this problem. First, TAC recommended option, is to enable Anti-Spoofing (on ASA it was known as Unicast Reverse Path Forwarding - uRPF) for outside interface, and secondly, is to enable sysopt connection permit-vpn to bypass Snort inspection completely. The first option allows a normal inspection of the traffic that goes to and from VPN users.

    a) Enable uRPF

    • Create a null route for the network used for remote access users, defined in section C. Go to Devices > Device Management > Edit > Routing > Static Route and select Add route

    Select AnyConnect Images

    • Next, enable uRPF on the interface where the VPN connections terminate. To find this, navigate to Devices > Device Management > Edit > Interfaces > Edit > Advanced > Security Configuration > Enable Anti Spoofing

    Edit Physical Interface

    When a user is connected, the 32-bit route is installed for that user in the routing table. Clear the text traffic sourced from the other, unused IP addresses from the pool is dropped by uRFP. To see a description of Anti-Spoofingrefer to Set Security Configuration Parameters on Firepower Threat Defense.

    b) Enable sysopt connection permit-vpn Option

    • There is an option to do it with the wizard or under Devices > VPN > Remote Access > VPN Profile > Access Interfaces.

    Access Control for VPN Traffic

    Related Information

    Revision History

    Revision Publish Date Comments
    4.0
    05-Dec-2023
    Recertification
    3.0
    16-Dec-2022
    Rewrite. Update Formatting. Recertification.
    2.0
    08-Nov-2022
    Updated Formatting and Corrected Spelling Recertification
    1.0
    07-Nov-2017
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Radoslaw Olszowy
      Cisco Technical Consulting Engineer
    • Mario Enrique Solorio Zertuche
      Cisco Project Manager

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products