/1f4e4aa6d2344b159f9127c94d8ae9c2/image.png)
How to connect to FTD?
How to create a null route for remote access?
What certificates are needed for AnyConnect?
What version of VPN is Firepower Threat Defense?
How to get a certificate for FTD appliance?
Can VPN traffic come from pool?
Does FTD need LDAP?
See 4 more
About this website
AnyConnect with FTD and certificate-based authentication
@Chess_N . Your certificate trustpoints do not look correct. Create a trustpoint that includes the identity and CA certificate. Create a certificate enrollment (Objects > PKI > Cert Enrollment), select Enrollment Type as Manual.
Configure Anyconnect Vpn Client On Ftd
3. Select IPv4, right-click on it and select New Scope€as shown in the image. 4. Follow the Wizard€as shown in the image.
How to connect to FTD?
To connect to FTD you need to open a browser, type DNS name or IP address pointing to the outside interface, in this example https://vpn.cisco.com. You will then have to login using credentials stored in RADIUS server and follow instructions on the screen. Once AnyConnect installs, you then need to put the same address in AnyConnect window and click Connect.
How to create a null route for remote access?
create a null route for network used for remote access users, defined in section c. Just go to Devices > Device Management > Edit > Routing > Static Route > Add route:
What certificates are needed for AnyConnect?
Certificates are essential when you configure AnyConnect. Only RSA based certificates are supported in SSL and IPSec. Elliptic Curve Digital Signature Algorithm certificates (ECDSA) are supported in IPSec, but it's not possible to deploy new AnyConnect package or XML profile when ECDSA based certificate is used. It means that you can use it for IPSec, but you will have to predeploy AnyConnect package and XML profile to every user and any change in XML profile will have to be manually reflected on each client (bug: CSCtx42595 ). Additionally the certificate should have Subject Alternative Name extension with DNS name and/or IP address to avoid errors in web browsers.
What version of VPN is Firepower Threat Defense?
This document provides a configuration example for Firepower Threat Defense (FTD) version 6.2.2 and later, that allows remote access VPN to use Transport Layer Security (TLS) and Internet Key Exchange version 2 (IKEv2). As a client, Cisco AnyConnect will be used, which is supported on multiple platforms.
How to get a certificate for FTD appliance?
There are several methods to obtain a certificate on FTD appliance, but the safe and easy one is to create a Certificate Signing Request (CSR), sign it and then import certificate issued for public key, which was in CSR. Here is how to do that:
Can VPN traffic come from pool?
This means, that you need to allow traffic coming from pool of addresses on outside interface via Access Control Policy. Although the pre-filter or access-control rule is added intending to allow VPN traffic only, if clear-text traffic happens to match the rule criteria, it is erroneously permitted.
Does FTD need LDAP?
On FTD platftorm, local user database cannot be used, so you need RADIUS or LDAP server for user authentication. To configure RADIUS:
How to connect to FTD?
To connect to FTD you need to open a browser, type DNS name or IP address pointing to the outside interface, in this example https://vpn.cisco.com. You will then have to login using credentials stored in RADIUS server and follow instructions on the screen. Once AnyConnect installs, you then need to put the same address in AnyConnect window and click Connect.
How to create a null route for remote access?
create a null route for network used for remote access users, defined in section c. Just go to Devices > Device Management > Edit > Routing > Static Route > Add route:
What certificates are needed for AnyConnect?
Certificates are essential when you configure AnyConnect. Only RSA based certificates are supported in SSL and IPSec. Elliptic Curve Digital Signature Algorithm certificates (ECDSA) are supported in IPSec, but it's not possible to deploy new AnyConnect package or XML profile when ECDSA based certificate is used. It means that you can use it for IPSec, but you will have to predeploy AnyConnect package and XML profile to every user and any change in XML profile will have to be manually reflected on each client (bug: CSCtx42595 ). Additionally the certificate should have Subject Alternative Name extension with DNS name and/or IP address to avoid errors in web browsers.
What version of VPN is Firepower Threat Defense?
This document provides a configuration example for Firepower Threat Defense (FTD) version 6.2.2 and later, that allows remote access VPN to use Transport Layer Security (TLS) and Internet Key Exchange version 2 (IKEv2). As a client, Cisco AnyConnect will be used, which is supported on multiple platforms.
How to get a certificate for FTD appliance?
There are several methods to obtain a certificate on FTD appliance, but the safe and easy one is to create a Certificate Signing Request (CSR), sign it and then import certificate issued for public key, which was in CSR. Here is how to do that:
Can VPN traffic come from pool?
This means, that you need to allow traffic coming from pool of addresses on outside interface via Access Control Policy. Although the pre-filter or access-control rule is added intending to allow VPN traffic only, if clear-text traffic happens to match the rule criteria, it is erroneously permitted.
Does FTD need LDAP?
On FTD platftorm, local user database cannot be used, so you need RADIUS or LDAP server for user authentication. To configure RADIUS: