Users today increasingly work remotely, and they need access to resources on the local network at the HQ or a branch office. In the 1990s the IETF's IP Security Working Group standardized the IPsec framework (the core RFCs were published in 1995 and revised in 1998). Once IPsec was standardized, an HQ and many branch offices could be connected with secure site-to-site tunnels built on it.

Connecting remote users who traveled from state to state or country to country was another matter: a site-to-site tunnel needs a router at each end, and nobody wants to lug one around in a suitcase. The answer was software: a remote access VPN client that lets a computer running a mainstream operating system build an IPsec tunnel to the head end itself. Later, SSL/TLS was added as a second tunnel transport for remote access clients, which also helps on networks that block IPsec (UDP 500/4500 or ESP) but allow TCP 443. Remote access VPN opened up remote work around the world.

The Cisco Adaptive Security Appliance (ASA) has for years been a reliable VPN concentrator that lets users reach HQ or branch office resources from wherever they are. Cisco Secure Firewall running Firewall Threat Defense (FTD) is its successor, so it is becoming important to understand how to configure, deploy, and troubleshoot a remote access VPN on that platform.


The remote access VPN client was formerly called Cisco AnyConnect Secure Mobility Client; starting with version 5.x it was renamed Cisco Secure Client.

Cisco Secure Client still provides the VPN function, but it has grown into a framework that can also carry other Cisco technologies as optional modules.

Current modules:

[Screenshot: list of the current Secure Client modules]

The look and feel of the client did not change much with the rename. The user types the fully qualified domain name (FQDN), or the public IP address, of the Threat Defense outside interface on which the remote access VPN is configured, and the client prompts for a username and password. Prefer the FQDN: the client compares the name it connected to with the name in the head end's certificate, so connecting by IP address to a certificate issued for a name produces a warning. The username can be defined in a local user database on Secure Firewall Management Center and pushed to the Threat Defense device, or it can live in an external database such as a RADIUS server. Based on the remote access VPN policy, the user then gets limited or unlimited access to the remote network.

When configuring a remote access VPN on Secure Firewall Management Center, the administrator needs to prepare the following four objects, each covered in its own section below:

- a AAA server group (here, an ISE RADIUS server) or the local user database
- a Secure Client package file to push to users
- an IPv4 address pool for the VPN clients
- an identity certificate for the interface that terminates the VPN (this tutorial uses a self-signed certificate)

Note: Using a self-signed certificate in a production remote access deployment is not recommended. Clients cannot validate it against a trusted CA, so users are trained to click through certificate warnings, which is exactly the habit an attacker impersonating the head end relies on. Use a certificate from a public CA, or from an enterprise CA that every client machine trusts.

AAA Server or Local Database

On Secure Firewall Management Center, navigate to Objects > AAA Server > RADIUS Server Group. Click the Add RADIUS Server Group button.


Give the RADIUS server group a name, and enable dynamic authorization (RADIUS Change of Authorization).


Note: Dynamic authorization (RADIUS Change of Authorization, RFC 5176) is not required, but enabling it lets ISE change or terminate an established session later, for example to apply a stricter policy after posture assessment. For it to work, ISE must be able to reach the Threat Defense interface on the CoA port (1700 by default on both FMC and ISE).

Scroll to the bottom of Add RADIUS Server Group, and click the + button to add the ISE connection information.


Add the IP address or FQDN of the ISE server and the shared key, and then select the Threat Defense interface from which the RADIUS requests will be sent. Click Save. This interface must have a route to the ISE server, and its address is what ISE sees as the network device (NAD) address, so it must match the network device entry configured on ISE with the same shared secret.


Upload a Secure Client File

On Secure Firewall Management Center, navigate to Objects > VPN > Secure Client File. Click the Add Secure Client File button.


Give the Secure Client file a name, select the Cisco Secure Client PKG file (the platform-specific package downloaded from Cisco), choose Secure Client Image as the File Type, and click Save. Repeat for each client operating system you intend to support.


IP Pool for the VPN Clients

On Secure Firewall Management Center, navigate to Objects > Address Pools > IPv4 Pools. Click the Add IPv4 Pools button.


Give the IPv4 pool a name, add an IPv4 address range and subnet mask, and then click Save. Choose a range that does not overlap any network behind the firewall, or a range that clients are likely to have on their local LAN; overlapping addresses end up with conflicting routes on the firewall, the client, or both, and those hosts become unreachable through the tunnel.
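As an added pre-flight check (example code written for this page, not part of the tutorial or of any Cisco tool), the script below uses the Python standard library to validate a planned pool before it is created in Management Center: that the range fits inside the subnet implied by its mask, how many client addresses it provides, and whether it overlaps the networks behind the firewall or the LAN ranges home routers commonly hand out. The pool values, internal networks, and client LAN list are constructed assumptions; substitute your own.

```python
import ipaddress

# Constructed planning inputs for this example (hypothetical, not from the page):
# the range and mask to be entered in the IPv4 Pools object, the networks behind
# the firewall that clients must reach, and LAN ranges commonly used by home
# routers on the client side.
VPN_POOL_START = "10.10.10.10"
VPN_POOL_END = "10.10.10.250"
VPN_POOL_MASK = "255.255.255.0"
INTERNAL_NETWORKS = ["10.10.0.0/16", "172.16.0.0/12", "192.168.100.0/24"]
COMMON_CLIENT_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def pool_network(start, end, mask):
    """Return the subnet implied by the pool mask, checking that the range fits inside it."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError("pool end precedes pool start")
    net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    if last not in net:
        raise ValueError(f"pool end {end} is outside {net}; the mask is too small")
    return net


def pool_size(start, end):
    """Number of assignable client addresses in the range (inclusive)."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def overlapping(start, end, mask, candidates):
    """Networks from `candidates` that overlap the pool's subnet.

    Any overlap means the firewall, the client, or both hold conflicting routes
    for the same addresses, so those hosts are unreachable through the tunnel.
    """
    net = pool_network(start, end, mask)
    return [c for c in candidates if net.overlaps(ipaddress.ip_network(c))]


def preflight(start=VPN_POOL_START, end=VPN_POOL_END, mask=VPN_POOL_MASK,
              internal=INTERNAL_NETWORKS, client_lans=COMMON_CLIENT_LANS):
    """Run every check and return the results as a report dictionary."""
    return {
        "subnet": str(pool_network(start, end, mask)),
        "addresses": pool_size(start, end),
        "internal_conflicts": overlapping(start, end, mask, internal),
        "client_lan_conflicts": overlapping(start, end, mask, client_lans),
    }


if __name__ == "__main__":
    report = preflight()
    for key, value in report.items():
        print(f"{key:>22}: {value}")
    if report["internal_conflicts"] or report["client_lan_conflicts"]:
        print("FIX: choose a pool range that overlaps none of the networks above.")
```

With the constructed inputs the report flags the 10.10.0.0/16 internal network, which contains the whole pool: a client assigned 10.10.10.10 could never reach hosts in that /16 through the tunnel. Fixing that means either moving the pool or carving the internal network so they no longer overlap.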


Self-Signed Certificate

On Secure Firewall Management Center, navigate to Devices > Certificates.


From Add New Certificate, select the Firewall Threat Defense device to which the certificate will be added, and click the + button to enroll a new certificate.


From Add Cert Enrollment, enter a name and then select the CA Information tab. In the Enrollment Type field, choose Self Signed Certificate. For Validation Usage, select IPsec and SSL Client.


Select the Certificate Parameters tab, and choose Custom FQDN in the Include FQDN field. In the Custom FQDN field, enter the FQDN of the interface on which the remote access VPN terminates; in this case that is the outside interface. Fill out the rest of the form, including the Common Name (CN) and the remaining subject fields.


Note: The Custom FQDN and the Common Name (CN) must be the same name, and that name must resolve in the DNS the clients use to the IP address of the outside interface; otherwise the client reports a mismatch between the name it connected to and the certificate.

Select the certificate enrollment you just created for the Firewall Threat Defense device, and then click Add.


Remote Access VPN Policy

On Secure Firewall Management Center, navigate to Devices > VPN > Remote Access.


On the right-hand side, click the Add button to open the Remote Access VPN Configuration Wizard.


For the remote access policy, give it a name, select the VPN protocols to be terminated (SSL, IPsec-IKEv2, or both), select the Firewall Threat Defense device the policy applies to, and then click Next.


In the Authentication Method field, select AAA Only, and in the Authentication Server, Authorization Server, and Accounting Server fields, select the ISE RADIUS server group. In the IPv4 Address Pools field, select the remote access VPN pool.


At the bottom of the page is the Group Policy selection; the default group policy (DfltGrpPolicy) is already selected. The group policy carries the per-session settings such as split tunneling, DNS servers, and the VPN filter ACL, and the default policy sends all client traffic through the tunnel. If you want a custom policy, click the Edit Group Policy link. Then click Next.


From the Secure Client Image list, select the image or images to deploy (one per client operating system you support), and click Next.


In the Interface group/Security Zone field, select the security zone or interface group that contains the outside interface, and in the Certificate Enrollment field, select the self-signed certificate enrollment created earlier.

At the bottom, under Access Control for VPN Traffic, this tutorial enables the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) option. With it enabled, decrypted VPN traffic is allowed through without a matching access control policy (ACP) rule, which is the quickest way to get a working tunnel. The caveat is that the ACP, and the inspection attached to it, no longer sees that traffic, so any restriction on what VPN users can reach has to come from the VPN filter ACL in the group policy. For a least-privilege deployment, leave the option disabled and write explicit ACP rules for the VPN pool instead. Click Next.


In this final step, you can verify all the settings that you selected for your policy. When you are done, click Finish.


Deployment of Remote Access VPN Policy

After you have completed the configuration, click the Deploy button and push the policy to the Secure Firewall Threat Defense device. Nothing takes effect on the device until the deployment completes.


Once a client has connected, the administrator can verify the session from the device CLI with the show vpn-sessiondb anyconnect command (the command is the same on ASA and on Threat Defense):

ciscoasa# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : vpnuser                  Index        : 526062
Assigned IP  : 10.10.10.10           Public IP    : 72.15.34.26
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 168926                 Bytes Rx     : 41720
Group Policy : DfltGrpPolicy         Tunnel Group : Remote_Access_Policy
Login Time   : 10:14:09 UTC Wed Oct 4 2023
Duration     : 0h:02m:10s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a8c808dd6ee000651db6ed
Security Grp : none

The session landed in the connection profile (tunnel group) Remote_Access_Policy created by the wizard, with the default group policy DfltGrpPolicy applied, and both the SSL and DTLS data tunnels negotiated AES-GCM-256 with SHA384. If the tunnel group shown were DefaultWEBVPNGroup instead, the client would have matched the default connection profile rather than yours, and the AAA and pool settings above would not have been applied.
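Checking one session by eye is fine; checking a whole concentrator is not. The script below is an added example (not from the page or from Cisco) that parses the two-column show vpn-sessiondb anyconnect output into records and audits each session against an assumed baseline: the expected tunnel group, a DTLS tunnel present, and only the ciphers and hashes you allow. The sample input embeds the session captured above plus a second, constructed session that fails those checks; the baseline in POLICY is an assumption to adjust to your own standard.

```python
import re

# Sample output: the first session is the one captured in this tutorial; the
# second is constructed, with weaker settings and the wrong tunnel group, so
# that the audit has something to report.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : vpnuser                  Index        : 526062
Assigned IP  : 10.10.10.10           Public IP    : 72.15.34.26
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 168926                 Bytes Rx     : 41720
Group Policy : DfltGrpPolicy         Tunnel Group : Remote_Access_Policy
Login Time   : 10:14:09 UTC Wed Oct 4 2023
Duration     : 0h:02m:10s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a8c808dd6ee000651db6ed
Security Grp : none

Username     : contractor1              Index        : 526063
Assigned IP  : 10.10.10.11           Public IP    : 198.51.100.77
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1
Bytes Tx     : 1024                   Bytes Rx     : 512
Group Policy : DfltGrpPolicy         Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:20:00 UTC Wed Oct 4 2023
Duration     : 0h:00m:05s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a8c808dd6ee000651db6f1
Security Grp : none
"""

# Field labels as printed; longest first so "VLAN Mapping" is tried before "VLAN".
FIELDS = sorted([
    "Username", "Index", "Assigned IP", "Public IP", "Protocol", "License",
    "Encryption", "Hashing", "Bytes Tx", "Bytes Rx", "Group Policy", "Tunnel Group",
    "Login Time", "Duration", "Inactivity", "VLAN Mapping", "VLAN", "Audt Sess ID",
    "Security Grp"], key=len, reverse=True)
FIELD_ALT = "|".join(re.escape(f) for f in FIELDS)
# One field per line, or two fields separated by a run of at least two spaces.
LINE_RE = re.compile(rf"^({FIELD_ALT})\s*: (.*?)(?:\s{{2,}}({FIELD_ALT})\s*: (.*))?$")
# "SSL-Tunnel: (1)AES-GCM-256" -> ("SSL-Tunnel", "AES-GCM-256")
PER_TUNNEL_RE = re.compile(r"(\S+): \(\d+\)(\S+)")

POLICY = {  # assumed baseline for a compliant session; adjust to your standard
    "tunnel_group": "Remote_Access_Policy",
    "encryption": {"AES-GCM-256", "AES-GCM-128", "AES256"},
    "hashing": {"SHA384", "SHA256"},
    "require_dtls": True,
}


def parse_sessions(text):
    """Split the command output into one dict of field -> value per session."""
    sessions, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # header lines such as "Session Type: AnyConnect"
        if m.group(1) == "Username":  # every session record starts with Username
            current = {}
            sessions.append(current)
        if current is None:
            continue
        current[m.group(1)] = m.group(2).strip()
        if m.group(3):
            current[m.group(3)] = m.group(4).strip()
    return sessions


def audit_session(session, policy=POLICY):
    """Return a list of findings; an empty list means the session is compliant."""
    findings = []
    if session.get("Tunnel Group") != policy["tunnel_group"]:
        findings.append(f"tunnel group {session.get('Tunnel Group')} != {policy['tunnel_group']}")
    if policy["require_dtls"] and "DTLS-Tunnel" not in session.get("Protocol", "").split():
        findings.append("no DTLS tunnel negotiated (data rides the TCP tunnel only)")
    for label, allowed in (("Encryption", policy["encryption"]), ("Hashing", policy["hashing"])):
        for tunnel, value in PER_TUNNEL_RE.findall(session.get(label, "")):
            if tunnel == "AnyConnect-Parent":
                continue  # the parent (control) session reports "none" here
            if value not in allowed:
                findings.append(f"{tunnel} {label.lower()} {value} not in allowed set")
    return findings


def audit_output(text, policy=POLICY):
    """Map username -> findings for every session in the command output."""
    return {s["Username"]: audit_session(s, policy) for s in parse_sessions(text)}


if __name__ == "__main__":
    for user, findings in audit_output(SAMPLE_OUTPUT).items():
        print(f"{user}: {'OK' if not findings else '; '.join(findings)}")
```

Run against a real capture, the script reports nothing for vpnuser and four findings for the constructed contractor1 session: the wrong tunnel group, no DTLS, AES128, and SHA1. The tunnel-group check is the one worth running first after a deployment, since a client that lands in DefaultWEBVPNGroup never touched the AAA and pool configuration built in this tutorial.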

The show conn | inc 10.10.10.10 command shows the active connections for an address from the VPN client pool:

ciscoasa# show conn | inc 10.10.10.10
TCP outside  76.25.19.21(10.10.10.10):63733 outside  44.230.79.122:443, idle 0:00:08, bytes 10962, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63765 outside  104.254.148.252:443, idle 0:00:00, bytes 4620, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63771 outside  18.155.184.56:443, idle 0:00:00, bytes 17805, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63755 outside  104.122.28.169:443, idle 0:00:00, bytes 52961, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63741 outside  151.101.3.5:443, idle 0:00:00, bytes 381642, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63729 outside  17.248.192.2:443, idle 0:00:10, bytes 14606, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63769 outside  151.101.1.67:443, idle 0:00:01, bytes 50100, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63743 outside  104.26.7.139:443, idle 0:00:06, bytes 12245, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63750 outside  151.101.131.5:443, idle 0:00:00, bytes 125346, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63767 outside  108.138.246.118:443, idle 0:00:01, bytes 6794, flags UfFRxIOB
TCP outside  76.25.19.21(10.10.10.10):63766 outside  18.244.214.80:443, idle 0:00:00, bytes 7048, flags UxIOB

Note: 76.25.19.21 is the outside interface IP address to which the pool address is translated. Every connection above enters and leaves on the outside interface, which is what full-tunnel Internet traffic from a VPN client looks like: it is hairpinned back out the outside interface and NATed to that interface's address.
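To make sense of a longer show conn listing, the added example below (written for this page, not Cisco's code) parses each IPv4 conn line into its fields, groups connections by VPN pool address, totals bytes per client and per destination, and flags connections that are hairpinned (enter and leave on the same interface) or already closing. The sample input is the listing above; the parenthesized address is interpreted as the note above describes, and the FIN-related flag letters (F, f, R, r) are the only flags it interprets.

```python
import re
from collections import defaultdict

# The `show conn | inc 10.10.10.10` listing captured in this tutorial, embedded
# here as the sample input (the page's addresses, not live data).
SAMPLE_CONN = """\
TCP outside  76.25.19.21(10.10.10.10):63733 outside  44.230.79.122:443, idle 0:00:08, bytes 10962, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63765 outside  104.254.148.252:443, idle 0:00:00, bytes 4620, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63771 outside  18.155.184.56:443, idle 0:00:00, bytes 17805, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63755 outside  104.122.28.169:443, idle 0:00:00, bytes 52961, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63741 outside  151.101.3.5:443, idle 0:00:00, bytes 381642, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63729 outside  17.248.192.2:443, idle 0:00:10, bytes 14606, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63769 outside  151.101.1.67:443, idle 0:00:01, bytes 50100, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63743 outside  104.26.7.139:443, idle 0:00:06, bytes 12245, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63750 outside  151.101.131.5:443, idle 0:00:00, bytes 125346, flags UxIOB
TCP outside  76.25.19.21(10.10.10.10):63767 outside  108.138.246.118:443, idle 0:00:01, bytes 6794, flags UfFRxIOB
TCP outside  76.25.19.21(10.10.10.10):63766 outside  18.244.214.80:443, idle 0:00:00, bytes 7048, flags UxIOB
"""

# proto ifA addrA[(innerA)]:portA ifB addrB[(innerB)]:portB, idle h:mm:ss, bytes N, flags XYZ
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+"
    r"(?P<if_a>\S+)\s+(?P<addr_a>[^\s(:]+)(?:\((?P<inner_a>[^)]+)\))?:(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<addr_b>[^\s(:]+)(?:\((?P<inner_b>[^)]+)\))?:(?P<port_b>\d+),"
    r"\s+idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)
# A FIN, or the acknowledgement of one, has been seen: the connection is winding down.
FIN_FLAGS = set("FfRr")


def idle_seconds(text):
    """'0:00:08' -> 8"""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn_line(line):
    """Parse one show conn line into a dict, or return None if it is not a conn line."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "ingress_if": d["if_a"],
        "egress_if": d["if_b"],
        # In this listing the pool address appears in parentheses after the
        # outside-interface address it is translated to, so the parenthesized
        # value, when present, is the client's pool address.
        "client": d["inner_a"] or d["addr_a"],
        "client_nat": d["addr_a"] if d["inner_a"] else None,
        "client_port": int(d["port_a"]),
        "server": d["addr_b"],
        "server_port": int(d["port_b"]),
        "idle": idle_seconds(d["idle"]),
        "bytes": int(d["bytes"]),
        "flags": d["flags"],
        "closing": bool(FIN_FLAGS & set(d["flags"])),
        "hairpin": d["if_a"] == d["if_b"],
    }


def parse_conns(text):
    """All parsable conn lines in the listing."""
    return [c for c in (parse_conn_line(l) for l in text.splitlines()) if c]


def summarize(text):
    """Per-client totals: connections, bytes, destinations, NAT address, hairpin and closing counts."""
    clients = defaultdict(lambda: {"conns": 0, "bytes": 0, "dests": set(),
                                   "nat": set(), "hairpin": 0, "closing": 0})
    for c in parse_conns(text):
        s = clients[c["client"]]
        s["conns"] += 1
        s["bytes"] += c["bytes"]
        s["dests"].add(f'{c["server"]}:{c["server_port"]}')
        if c["client_nat"]:
            s["nat"].add(c["client_nat"])
        s["hairpin"] += c["hairpin"]
        s["closing"] += c["closing"]
    return dict(clients)


def top_destinations(text, n=3):
    """Destinations ordered by bytes: the first place to look when a client's usage seems odd."""
    totals = defaultdict(int)
    for c in parse_conns(text):
        totals[c["server"]] += c["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for client, s in summarize(SAMPLE_CONN).items():
        print(f"{client}: {s['conns']} conns, {s['bytes']} bytes, {len(s['dests'])} destinations, "
              f"NAT to {sorted(s['nat'])}, hairpinned {s['hairpin']}, closing {s['closing']}")
    print("top destinations:", top_destinations(SAMPLE_CONN))
```

On the listing above this reports one client, 10.10.10.10, with 11 connections totalling 684129 bytes to 11 distinct HTTPS destinations, all translated to 76.25.19.21, all hairpinned, and one (flags UfFRxIOB) already closing. Feed it the full show conn output instead of a single grep and the per-client summary becomes a quick way to spot a VPN user whose traffic pattern does not match the rest.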
