CDO allows you to add one or more Firepower Threat Defense (FTD) devices to the RA VPN configuration wizard and configure the VPN interfaces, access control, and NAT exemption settings associated with the devices. Therefore, each RA VPN configuration can have connection profiles and group policies shared across multiple FTD devices that are associated with the RA VPN configuration. Further, you can enhance the configuration by creating connection profiles and group policies.
You can either onboard an FTD device that has already been configured with RA VPN settings or a new device without RA VPN settings. When you onboard an FTD device that already has RA VPN settings, CDO automatically creates a 'Default RA VPN Configuration' and associates the FTD device with this configuration. Also, this default configuration can contain all the connection profile objects that are defined on the device.
Important:
- You are not allowed to add ASA and FTD in the same Remote Access VPN Configuration.
- An FTD device can't have more than one RA VPN Configuration.
Prerequisites
Before adding the FTD devices to RA VPN configuration, the following prerequisites must be met:
- Make sure that the FTD devices have the following:
- A valid RA VPN license. For more information, see Licensing Requirements for Remote Access VPN.
- For an FTD version 6.4.0, ensure that a minimum of one AnyConnect software package is pre-uploaded to the device. For more information, see Upload AnyConnect Software Packages to Firepower Threat Defense Devices version 6.4.0.
- For an FTD version 6.5.0 and later, you can upload an AnyConnect package using CDO. For more information, see Upload AnyConnect Software Packages to Firepower Threat Defense Devices version 6.5.0.
- There are no configuration deployments pending.
- FTD changes are synchronized to CDO.
- In the CDO navigation bar at the left, click Devices & Services and search for one or more FTD devices to be synchronized.
- Select one or more devices and then click Check for changes. CDO communicates with one or more FTD devices to synchronize the changes.
- RA VPN configuration group policy objects are consistent.
- Ensure that all inconsistent group policy objects are resolved, because they cannot be added to the RA VPN configuration. Either address the issue or remove the inconsistent group policy objects from the Objects page. For more information, see Resolve Duplicate Object Issues and Resolve Inconsistent Object Issues.
- RA VPN group policies of the FTD device match RA VPN configuration group policies.
Procedure
- In the CDO navigation bar at the left, click VPN > Remote Access VPN Configuration.
- Click the blue plus button to create a new RA VPN configuration.
- Enter a name for the Remote Access VPN configuration.
- Click the blue plus button to add FTD devices to the configuration.
You can add the device details and configure network traffic-related permissions that are associated with the device.
- Provide the following device details:
- Device: Select an FTD device that you want to add and click Select.
Important: You are not allowed to add ASA and FTD in the same Remote Access VPN Configuration.
- Certificate of Device Identity: Select the internal certificate used for establishing the identity of the device. Clients must accept this certificate to complete a secure VPN connection.
If you do not already have a certificate, click Create New Internal Certificate in the drop-down list. See Generating Self-Signed Internal and Internal CA Certificates.
- Outside Interface: The interface to which users connect when creating the remote access VPN connection. Although this is normally the outside (internet-facing) interface, choose whichever interface is between the device and the end-users you are supporting with this connection profile. To create a new subinterface, see Configure Firepower VLAN Subinterfaces and 802.1Q Trunking.
- Fully Qualified Domain Name or IP for the Outside Interface: Enter the fully qualified domain name of the interface, for example, ravpn.example.com, or its IP address. If you specify a name, the system can create a client profile for you.
Note: You are responsible for ensuring that the DNS servers used in the VPN and by clients can resolve this name to the outside interface's IP address. Add the FQDN to the relevant DNS servers.
- Click Continue to configure the traffic permissions.
- Bypass Access Control policy for decrypted traffic (sysopt permit-vpn): Decrypted traffic is subjected to Access Control Policy inspection by default. Enabling this option bypasses access control policy inspection for the decrypted traffic, but the VPN Filter ACL and the authorization ACL downloaded from the AAA server are still applied to VPN traffic.
Note that if you select this option, the system configures the sysopt connection permit-vpn command, which is a global setting. This will also impact the behavior of site-to-site VPN connections.
If you do not select this option, it might be possible for external users to spoof IP addresses in your remote access VPN address pool, and thus gain access to your network. This can happen because you will need to create access control rules that allow your address pool to have access to internal resources. If you use access control rules, consider using user specifications to control access, rather than source IP address alone.
The downside of selecting this option is that the VPN traffic will not be inspected, which means that intrusion and file protection, URL filtering, or other advanced features will not be applied to the traffic. This also means that no connection events will be generated for the traffic, and thus statistical dashboards will not reflect VPN connections.
- NAT Exempt: Enable NAT Exempt to exempt traffic to and from the remote access VPN endpoints from NAT translation. If you do not exempt VPN traffic from NAT, ensure that the existing NAT rules for the outside and inside interfaces do not apply to the RA VPN pool of addresses. NAT exempt rules are manual static identity NAT rules for a given source/destination interface and network combination, but they are not reflected in the NAT policy; they are hidden. If you enable NAT Exempt, you must also configure the following.
- Inside Interfaces: Select the interfaces for the internal networks remote users will be accessing. NAT rules are created for these interfaces.
- Inside Networks: Select the network objects that represent internal networks remote users will be accessing. The networks list must contain the same IP types as the address pools you are supporting.
- Click OK.
- If you have onboarded an FTD version 6.4.0 device, the AnyConnect Packages Detected shows the AnyConnect packages available in the device.
- If you have onboarded an FTD version 6.5.0 or later device, you must add the AnyConnect packages from the server where the AnyConnect packages are pre-uploaded. See Upload AnyConnect Software Packages to an FTD Version 6.5.0 for instructions.
- Click OK. The device is added to the configuration.
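As an added example (not Cisco's or CDO's own code), the script below audits a running-config excerpt for the two traffic permissions chosen in this procedure: it flags the global ACP bypass (and whether a vpn-filter still applies) and checks that an identity NAT (NAT exempt) rule exists for the pool. The sample config and every object, pool and group-policy name in it are constructed for illustration.

```python
"""Audit an FTD/ASA running-config excerpt for the RA VPN traffic permissions:
the global 'sysopt connection permit-vpn' ACP bypass and the hidden identity-NAT
(NAT exempt) rules. Added example, not Cisco's or CDO's code."""
import re

# Constructed sample of what 'show running-config' could contain after the
# wizard runs with both options enabled (all names are hypothetical).
SAMPLE_CONFIG = """\
object network RAVPN_POOL_NET
 subnet 10.99.0.0 255.255.255.0
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
sysopt connection permit-vpn
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static RAVPN_POOL_NET RAVPN_POOL_NET no-proxy-arp route-lookup
group-policy RAVPN_GP internal
group-policy RAVPN_GP attributes
 vpn-filter value RAVPN_FILTER
"""

# Manual NAT line; it is identity NAT when real == mapped for source and destination.
NAT_RE = re.compile(
    r"^nat \((?P<inif>[\w.-]+),(?P<outif>[\w.-]+)\) source static "
    r"(?P<s1>\S+) (?P<s2>\S+) destination static (?P<d1>\S+) (?P<d2>\S+)", re.M)

def acp_bypass_enabled(config: str) -> bool:
    """True if decrypted VPN traffic skips the Access Control Policy (global setting)."""
    return re.search(r"^sysopt connection permit-vpn\s*$", config, re.M) is not None

def nat_exempt_rules(config: str) -> list:
    """Return (in_if, out_if, inside_net, pool) for each identity NAT rule found."""
    return [(m["inif"], m["outif"], m["s1"], m["d1"])
            for m in NAT_RE.finditer(config)
            if m["s1"] == m["s2"] and m["d1"] == m["d2"]]

def vpn_filter_set(config: str) -> bool:
    """True if at least one group policy applies a vpn-filter ACL."""
    return re.search(r"^ vpn-filter value \S+", config, re.M) is not None

def audit(config: str) -> list:
    """Findings a reviewer would raise about the RA VPN traffic permissions."""
    findings = []
    if acp_bypass_enabled(config):
        findings.append("sysopt permit-vpn is global: VPN traffic is not inspected by the ACP and site-to-site VPNs are affected too")
        if not vpn_filter_set(config):
            findings.append("no vpn-filter on any group policy: bypassed VPN traffic is subject to no ACL at all")
    if not nat_exempt_rules(config):
        findings.append("no identity NAT rule found: verify existing NAT rules do not translate the RA VPN pool")
    return findings
```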
Select a configuration and under Actions, click the appropriate action:
- Group Policies to add or remove group policies.
- Click + to select the required group policies.
To create a new RA VPN group policy, see Create New RA VPN Group Policies.
- Remove to delete the selected RA VPN configuration.
Modify RA VPN Configuration
You can modify the name and the device details of an existing RA VPN configuration.
- Select the configuration to be modified and under Actions, click Edit.
- Modify the name if required.
- Click the blue plus button to add a new device.
- Click to perform the following on the FTD device.
- Click Edit to modify the existing RA VPN configuration.
- Click Remove to remove the FTD device from the RA VPN configuration. All connection profiles and RA VPN settings associated with that device except the group policies are deleted. You can remove the group policies explicitly from the objects page.
Note: You cannot remove the FTD if that is the only device using the configuration. Alternatively, you can remove the RA VPN configuration.
You can also search for remote access VPN configuration by typing the name of the configuration or device.
Related Topics
- Configure an RA VPN Connection Profile.
- Review and deploy configuration changes to the devices.
- Allow Traffic Through the Remote Access VPN.