This document describes how to configure and deploy Remote Access Virtual Private Network (RA VPN) on Firepower Threat Defense (FTD) managed by the on-box manager Firepower Device Manager (FDM) running version 6.5.0 and above.
Note: FTD cannot be configured via FDM to accept AnyConnect connections on the external interface while management access is also enabled on that same interface. This is a known limitation of FDM. Enhancement request CSCvm76499 has been filed for this issue.
Cisco recommends that you have knowledge of RA VPN configuration on FDM.
FTD registered with the Smart Licensing portal with Export-Controlled Features enabled (required for the RA VPN configuration tab to be available)
Any of the AnyConnect licenses enabled (APEX, Plus, or VPN-Only)
The information in this document is based on these software and hardware versions:
Cisco FTD running version 6.5.0-115
Cisco AnyConnect Secure Mobility Client version 4.7.01076
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
AnyConnect client authentication with the use of local authentication.
Verify Licensing on the FTD
Step 1. Verify Device is registered to Smart Licensing as shown in the image.
Step 2. Verify that AnyConnect licenses are enabled on the device as shown in the image.
Step 3. Verify that Export-controlled Features is enabled in the token as shown in the image.
Define Protected Networks
Navigate to Objects > Networks > Add new Network. Configure VPN Pool and LAN Networks from FDM GUI. Create a VPN Pool in order to be used for Local Address Assignment to AnyConnect Users as shown in the image.
Create an object for the local network behind the FDM device as shown in the image.
Create Local Users
Navigate to Objects > Users > Add User. Add VPN Local users that will connect to FTD via Anyconnect. Create local Users as shown in the image.
Navigate to Objects > Certificates > Add Internal Certificate. Configure a certificate as shown in the image.
Upload both the certificate and the private key as shown in the image.
The certificate and key can be uploaded by copy and paste or the upload button for each file as shown in the image.
Configure Remote Access VPN
Navigate to Remote Access VPN > Create Connection Profile. Go through the Remote Access VPN Wizard on FDM as shown in the image.
Create a connection profile and start the configuration as shown in the image.
Select the authentication methods as shown in the image. This guide will use Local Authentication.
Select the Anyconnect_Pool object as shown in the image.
On the next page, a summary of the default Group Policy will be displayed. A new group-policy can be created by hitting the drop-down and selecting the option for Create a new Group Policy. For this guide, the default Group Policy will be used. Select the edit option at the top of the policy as shown in the image.
In the group policy, add split tunneling so that users connected with AnyConnect send only traffic destined for the internal FTD network over the AnyConnect tunnel, while all other traffic goes out the user's ISP connection, as shown in the image.
On the next page, select the Anyconnect_Certificate added in the certificate section. Then, select the interface on which the FTD will listen for AnyConnect connections. Select the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn). This option is optional: if sysopt permit-vpn is not selected, an access control policy must be created that allows traffic from the AnyConnect clients to reach the internal network, as shown in the image.
NAT exemption can be configured manually under Policies > NAT or it can be configured automatically by the wizard. Select the inside interface and the networks that Anyconnect clients will need to access as shown in the image.
Select the Anyconnect Package for each operating system (Windows/Mac/Linux) that users will be connecting with as shown in the image.
The last page gives a summary of the entire configuration. Confirm that the correct parameters have been set, click the Finish button, and deploy the new configuration.
Use this section to confirm that your configuration works properly.
Once the configuration is deployed attempt to connect. If you have an FQDN that resolves to the outside IP of the FTD enter it in the Anyconnect connection box. In the example below, the FTD's outside IP address is used. Use the username/password created in the objects section of FDM as shown in the image.
As of FDM 6.5.0, there is no way to monitor the AnyConnect users through the FDM GUI. The only option is to monitor the AnyConnect users via the CLI. The CLI console of the FDM GUI can also be used to verify that users are connected.
show vpn-sessiondb anyconnect
The same command can be run directly from the CLI.
> show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : Anyconnect_User        Index        : 15
Assigned IP  : 192.168.19.1           Public IP    : 172.16.100.15
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384
Bytes Tx     : 38830                  Bytes Rx     : 172
Group Policy : DfltGrpPolicy          Tunnel Group : Anyconnect
Login Time   : 01:08:10 UTC Thu Apr 9 2020
Duration     : 0h:00m:53s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 000000000000f0005e8e757a
Security Grp : none                   Tunnel Zone  : 0
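Because FDM 6.5.0 offers no GUI view of connected users, the CLI output above is the only monitoring source. The following added example (not part of this document or of Cisco's tooling) parses the two-column "show vpn-sessiondb anyconnect" format into one record per session and flags sessions whose SSL tunnel negotiated something other than AES-GCM with a SHA-2 hash; the second session in the sample is constructed only to exercise that check.

```python
import re
# Constructed sample based on the "show vpn-sessiondb anyconnect" output shown
# in this document; the second (made-up) session exists only so that the
# cipher check below has something to flag.
SAMPLE_OUTPUT = """\
Username     : Anyconnect_User        Index        : 15
Assigned IP  : 192.168.19.1           Public IP    : 172.16.100.15
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384
Bytes Tx     : 38830                  Bytes Rx     : 172
Group Policy : DfltGrpPolicy          Tunnel Group : Anyconnect
Login Time   : 01:08:10 UTC Thu Apr 9 2020
Security Grp : none                   Tunnel Zone  : 0

Username     : lab_user2              Index        : 16
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1
"""

# Field labels as the FTD prints them, longest first so that "VLAN Mapping"
# is matched before "VLAN". Values themselves may contain colons.
FIELDS = sorted([
    "Username", "Index", "Assigned IP", "Public IP", "Protocol", "License",
    "Encryption", "Hashing", "Bytes Tx", "Bytes Rx", "Group Policy",
    "Tunnel Group", "Login Time", "Duration", "Inactivity", "VLAN Mapping",
    "VLAN", "Audt Sess ID", "Security Grp", "Tunnel Zone"], key=len, reverse=True)
LABEL_RE = re.compile(r"(?<![\w-])(" + "|".join(map(re.escape, FIELDS)) + r")\s*:\s*")
TUNNEL_RE = re.compile(r"SSL-Tunnel:\s*\(\d+\)(\S+)")  # the "(n)CIPHER" token of the SSL leg

def parse_vpn_sessiondb(text):
    """One dict per session; a new session starts at each "Username" label."""
    sessions, current = [], None
    for line in text.splitlines():
        labels = list(LABEL_RE.finditer(line))
        for i, m in enumerate(labels):
            end = labels[i + 1].start() if i + 1 < len(labels) else len(line)
            if m.group(1) == "Username":
                current = {}
                sessions.append(current)
            if current is not None:  # value runs up to the next label on the line
                current[m.group(1)] = " ".join(line[m.end():end].split())
    return sessions

def tunnel_cipher(session, field="Encryption"):
    """Cipher (field="Encryption") or hash (field="Hashing") of the SSL-Tunnel leg."""
    m = TUNNEL_RE.search(session.get(field, ""))
    return m.group(1) if m else None

def flag_weak_sessions(sessions):
    """Usernames whose SSL tunnel is not AES-GCM with a SHA-2 hash."""
    return [s["Username"] for s in sessions
            if not (tunnel_cipher(s) or "").startswith("AES-GCM")
            or tunnel_cipher(s, "Hashing") not in {"SHA256", "SHA384", "SHA512"}]
```

Feed it the captured output of the command (from the FDM CLI console or an SSH session) to get a per-user record that can be logged or compared against an expected user list.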
This section provides information you can use to troubleshoot your configuration.
If a user is not able to connect to the FTD using SSL, follow these steps to isolate the SSL negotiation issues:
Verify that the user’s computer can ping the FTD’s outside IP address.
Use an external sniffer to verify whether the TCP three-way handshake is successful.
AnyConnect Client Issues
This section provides guidelines on the two most common AnyConnect VPN client issues and how to troubleshoot them. A guide for troubleshooting the AnyConnect client can be found here: AnyConnect VPN Client Troubleshooting Guide
Initial Connectivity Issues
If a user is having initial connectivity issues, enable debug webvpn anyconnect on the FTD and analyze the debug messages. Debugs must be run on the CLI of the FTD. Use the command debug webvpn anyconnect 255.
Collect a DART bundle from the client machine to get the logs from AnyConnect. Instructions on how to collect a DART bundle can be found here: Collecting DART bundles
If a connection is successful but traffic is failing over the SSL VPN tunnel, look at the traffic statistics on the client to verify that traffic is being received and transmitted by the client. Detailed client statistics are available in all versions of AnyConnect. If the client shows that traffic is being sent and received, check the FTD for received and transmitted traffic. If the FTD applies a filter, the filter name is shown and you can look at the ACL entries to check whether your traffic is being dropped. Common traffic issues that users experience are:
Routing issues behind the FTD -- internal network unable to route packets back to the assigned IP addresses and VPN clients
Access control lists blocking traffic
Network Address Translation not being bypassed for VPN traffic