Users today are increasingly working remotely, and they need the ability to access local network resources at HQ or a branch office. In the late 1990s, the IETF formed the IP Security Working Group, which was charged with defining the IPsec framework. After IPsec was ratified by the working group, an HQ and many branch offices could be connected using secure tunnels built on the IPsec framework.
But if you wanted to connect remote users who traveled from state to state or country to country, it was very difficult because you would need to lug around a router in a suitcase. So, a software solution was created to run a remote access VPN client program that would allow a computer running a popular operating system to create an IPsec VPN tunnel. As time went on, SSL/TLS was supported as a tunnel method to secure data from a remote access VPN client. Remote access VPN opened up many possibilities of remote work around the world.
The Cisco Adaptive Security Appliance (ASA) has been used for years to deliver a reliable VPN concentration device that allows users to access HQ or branch office resources no matter where the user is located. However, Cisco Secure Firewall, using Firewall Threat Defense, will soon replace ASA. Consequently, it will become important to understand how to configure, troubleshoot, and deploy a remote access VPN on this device.
The remote access VPN client formerly was called Cisco AnyConnect Secure Mobility Client, but starting with version 5.x, it was renamed Cisco Secure Client.
Cisco Secure Client supports VPN but has grown to also support other technologies that can be added as modules.
Current modules:
The client look and feel did not change much. All the user needs to do is type in the fully qualified domain name (FQDN) of the Secure Firewall Threat Defense outside interface, or its public IP, where the remote access VPN is configured, and the remote access VPN client asks for a username and password. This username can be configured locally on Secure Firewall Management Center and applied to the Threat Defense device, or another supported database, such as a RADIUS server, can be used. Based on the remote access VPN policy, the user gets limited or unlimited access to the remote network.
When configuring a remote access VPN on Secure Firewall Management Center, the administrator needs to prepare by configuring the following:
Note: Using a self-signed certificate in a production remote access deployment is not recommended.
On Secure Firewall Management Center, navigate to Objects > AAA Server > RADIUS Server Group. Click the Add RADIUS Server Group button.
Give the RADIUS server group a name, and enable dynamic authorization.
Note: Dynamic authorization does not need to be enabled, but enabling it allows the ISE server to enforce stricter policies later.
Scroll to the bottom of Add RADIUS Server Group, and click the + button to add the ISE connection information.
Add the IP or FQDN of the ISE server, add the key, and then select the Firewall Threat Defense interface from which the RADIUS request is sent; this interface needs to be on the path toward the ISE server. Click Save.
On Secure Firewall Management Center, navigate to VPN > Secure Client File. Click the Add Secure Client File button.
Give the secure client file a name, select a Cisco Secure Client PKG file, choose Secure Client Image as the File Type, and click Save.
On Secure Firewall Management Center, navigate to Address Pools > IPv4 Pools. Click the Add IPv4 Pools button.
Give the IPv4 pool a name, add an IPv4 address range and subnet mask, and then click Save.
On Secure Firewall Management Center, navigate to Devices > Certificates.
From Add New Certificate, select the Firewall Threat Defense device to add the certificate, and click the + button to enroll a new certificate.
From Add Cert Enrollment, add a name, and then select the CA Information tab. In the Enrollment Type field, choose the Self Signed Certificate option. For Validation Usage, select IPsec and SSL Client.
Select the Certificate Parameters tab, and choose Custom FQDN in the Include FQDN field. In the Custom FQDN field, enter the FQDN of the interface where the remote access termination will be done; in this case, we will be using the outside interface. Fill out the rest of the information on the form.
Note: The names in the Custom FQDN and Common Name (CN) fields need to be the same and must resolve to the IP of the outside interface.
Apply the certificate that was created to Firewall Threat Defense, and then click Add.
On Secure Firewall Management Center, navigate to Devices > Remote Access.
On the right-hand side, click the Add button, which will open the Remote Access VPN Configuration Wizard.
For the remote access policy, select the VPN protocols that are going to be used for termination and the Firewall Threat Defense device to which the policy will be applied, and then click Next.
In the Authentication Method field, select AAA Only, and in the Authentication, Authorization, and Accounting fields, select the ISE server. In the IPv4 Address Pools field, select the remote access VPN pool.
Below the address pool selection, there is a group policy selection menu; the default should be selected already. If you want to create a custom policy, click the Edit Group Policy link. Then click Next.
From the Secure Client Image menu, select the image or images that need to be deployed, and click Next.
In the Interface group/Security Zone field, select the outside interface, and in the Certificate Enrollment field, select the self-signed certificate.
On the bottom, under Access Control for VPN Traffic, it is recommended to use the sysopt-permit-vpn option. This option allows decrypted VPN traffic to pass without requiring an access control policy (ACP) to be created; because that traffic then bypasses the ACP entirely, any restriction on what VPN users may reach has to come from the group policy (for example, a VPN filter) rather than from ACP rules. Click Next.
In this final step, you can verify all the settings that you selected for your policy. When you are done, click Finish.
After you have completed the configuration, click the Deploy button to deploy the policy to the Secure Firewall Threat Defense device.
Once connected, the administrator can use the show vpn-sessiondb anyconnect command to verify the connection:
ciscoasa# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : vpnuser Index : 526062
Assigned IP : 10.10.10.10 Public IP : 72.15.34.26
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
Bytes Tx : 168926 Bytes Rx : 41720
Group Policy : DfltGrpPolicy Tunnel Group : Remote_Access_Policy
Login Time : 10:14:09 UTC Wed Oct 4 2023
Duration : 0h:02m:10s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a8c808dd6ee000651db6ed
Security Grp : none
As you can see, the group policy and tunnel group were applied to the VPN tunnel connection.
The show conn | inc 10.10.10.10 command shows the active connections that the address assigned from your VPN client pool currently has:
ciscoasa# show conn | inc 10.10.10.10
TCP outside 76.25.19.21(10.10.10.10):63733 outside 44.230.79.122:443, idle 0:00:08, bytes 10962, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63765 outside 104.254.148.252:443, idle 0:00:00, bytes 4620, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63771 outside 18.155.184.56:443, idle 0:00:00, bytes 17805, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63755 outside 104.122.28.169:443, idle 0:00:00, bytes 52961, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63741 outside 151.101.3.5:443, idle 0:00:00, bytes 381642, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63729 outside 17.248.192.2:443, idle 0:00:10, bytes 14606, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63769 outside 151.101.1.67:443, idle 0:00:01, bytes 50100, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63743 outside 104.26.7.139:443, idle 0:00:06, bytes 12245, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63750 outside 151.101.131.5:443, idle 0:00:00, bytes 125346, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63767 outside 108.138.246.118:443, idle 0:00:01, bytes 6794, flags UfFRxIOB
TCP outside 76.25.19.21(10.10.10.10):63766 outside 18.244.214.80:443, idle 0:00:00, bytes 7048, flags UxIOB
Note: 76.25.19.21 is the IP on the outside interface that the pool is using.
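The two verification steps above are easy to script when many sessions need checking. The following is an added example (not code from the tutorial or from Cisco): it parses constructed samples modelled on the show vpn-sessiondb anyconnect and show conn output shown above, confirms the assigned IP comes from the pool, the expected tunnel group was applied, and both data tunnels use a strong cipher, and then lists the active connections of that pool address. The pool CIDR, the expected tunnel group name and the accepted cipher set are assumptions for this example.

```python
import re
import ipaddress

# Constructed sample, modelled on the "show vpn-sessiondb anyconnect" listing on this page
SESSION_OUTPUT = """\
Session Type: AnyConnect
Username : vpnuser Index : 526062
Assigned IP : 10.10.10.10 Public IP : 72.15.34.26
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
Group Policy : DfltGrpPolicy Tunnel Group : Remote_Access_Policy
"""

# Constructed sample, modelled on the "show conn | inc 10.10.10.10" listing on this page
CONN_OUTPUT = """\
TCP outside 76.25.19.21(10.10.10.10):63733 outside 44.230.79.122:443, idle 0:00:08, bytes 10962, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63741 outside 151.101.3.5:443, idle 0:00:00, bytes 381642, flags UxIOB
TCP outside 76.25.19.21(10.10.10.10):63767 outside 108.138.246.118:443, idle 0:00:01, bytes 6794, flags UfFRxIOB
"""

STRONG_CIPHERS = {"AES-GCM-256", "AES-GCM-128"}  # assumption: ciphers this deployment accepts
# One "show conn" line: proto, zone, NAT'd address(real pool address):port, zone, dst:port, ...
CONN_RE = re.compile(r"^(?P<proto>\w+) (?P<src_if>\S+) (?P<src>[\d.]+)(?:\((?P<real>[\d.]+)\))?:(?P<sport>\d+) "
                     r"(?P<dst_if>\S+) (?P<dst>[\d.]+):(?P<dport>\d+), idle \S+, bytes (?P<bytes>\d+), flags (?P<flags>\S+)")

def audit_session(output, expected_tunnel_group, pool_cidr):
    """Check one session block: pool membership, expected tunnel group, strong data-path ciphers."""
    field = lambda name: re.search(rf"{name}\s*:\s*(\S+)", output).group(1)
    assigned_ip = ipaddress.ip_address(field("Assigned IP"))
    # AnyConnect-Parent is the control session and carries no data, so "none" there is normal;
    # only the SSL and DTLS data tunnels are held to the cipher requirement.
    enc_line = re.search(r"Encryption\s*:(.*)", output).group(1)
    ciphers = dict(re.findall(r"(SSL-Tunnel|DTLS-Tunnel): \(\d+\)(\S+)", enc_line))
    weak = sorted(t for t, c in ciphers.items() if c not in STRONG_CIPHERS)
    return {
        "assigned_ip": str(assigned_ip),
        "in_pool": assigned_ip in ipaddress.ip_network(pool_cidr),
        "tunnel_group_ok": field("Tunnel Group") == expected_tunnel_group,
        "group_policy": field("Group Policy"),
        "weak_tunnels": weak,
    }

def pool_connections(output, assigned_ip):
    """Return (dst, dport, bytes, flags) for each connection whose pre-NAT pool address is assigned_ip."""
    conns = []
    for line in output.splitlines():
        m = CONN_RE.match(line)
        if m and m.group("real") == assigned_ip:
            conns.append((m.group("dst"), int(m.group("dport")), int(m.group("bytes")), m.group("flags")))
    return conns
```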