Cisco Secure Firewall Threat Defense supports both SSL and IPsec-IKEv2 VPNs to provide secure remote access. The Cisco Secure Client enables remote users to establish protected SSL or IPsec-IKEv2 connections to the security gateway.
When negotiating an SSL VPN session with Secure Firewall Threat Defense, the client uses either Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) for encrypted communication. DTLS serves as the primary tunnel for SSL VPN connections, while TLS is used as a fallback whenever DTLS (UDP/443) is unavailable or blocked. In addition to SSL-based tunnels, remote users can also establish secure IPsec-IKEv2 VPN connections, providing an alternative transport method when IPsec is preferred or required.
This post describes the basic configuration of an FTD Remote Access VPN.
Software
The information in this post is based on the following software versions:
- Cisco FMC version 7.6.2
- Cisco FTD version 7.6.2
Configuration
Certificates
- Navigate to Objects > PKI > Cert Enrollment
- Click Add Cert Enrollment
- Enter an appropriate name, e.g., RAVPN
- From the Enrollment Type drop-down menu select Manual
- Paste the CA Certificate into the relevant box
NOTE – if the CA certificate is not available yet, ignore this step and create another Cert Enrollment and select CA Only later.

- Click Certificate Parameters
- Enter the relevant certificate parameters

- Click Save
- Navigate to Devices > Certificates
- Click Add Certificates
- From the Device drop-down menu, select the managed device
- From the Cert Enrollment drop-down menu, select the previously created Cert Enrollment.

- Click Add
- Click the ID icon next to Identity certificate import required to generate a Certificate Signing Request (CSR).

- Copy the Certificate Signing Request and have it signed by a Certificate Authority.

- Click Cancel whilst you wait for the signed identity certificate to be processed.
- To import the signed identity certificate, click
- Click Browse Identity Certificate and select the certificate file.

- Click Import
- Check the Status of the CA and ID certificates.

IP Pool
- Navigate to Objects > Object Management > Address Pools
- Click IPv4 Pools
- Click Add IPv4 Pools
- Enter an appropriate Name and define the IPv4 Address Range and Mask

- Click Save
Realm
Authentication methods for the Remote Access VPN can include AAA (RADIUS, LDAP or Active Directory authentication), certificates, SAML, or a combination of these methods.
In this scenario, Active Directory authentication is used; refer to this post to create an AD Realm.
Access Control Policy
Communication over the Remote Access VPN tunnel should be controlled in the Access Control Policy.
- Navigate to Policies > Access Control and edit the relevant policy
- Click Add Rule and add the appropriate rules for communication over the VPN.

Remote Access VPN
- Navigate to Devices > Remote Access
- Click Add a new configuration to start the Remote Access VPN wizard
- Enter an appropriate Name
- Select the VPN Protocols (amend if required)
- Select the Targeted Devices and click Add

- Select the Authentication Method as AAA Only
- From the Authentication Server drop-down menu, select the AD Realm

- Edit the IPv4 Address Pool and select the pre-configured address pool.

- Click Ok
- Click Next
- Upload the Secure Client image for each operating system that will connect to the VPN.

- Click Next
- From the Interface group/Security Zone drop-down menu, select the external network interface for incoming VPN access
- From the Certificate Enrollment drop-down menu, select the pre-configured Cert Enrollment.

- Click Next

- Click Finish
The basic Remote Access VPN connection profile is now set up, and the updated configuration can be deployed to the FTD.

- Click Deploy

Verification
From a workstation open the Cisco Secure Client and connect to the VPN.

From the FMC navigate to Overview > Dashboards > Remote Access VPN to view active sessions

From the CLI of the FTD, the command show vpn-sessiondb summary provides a summary of all VPN connections.
> show vpn-sessiondb summary
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      1 :          1 :           1 :        0
  SSL/TLS/DTLS               :      1 :          1 :           1 :        0
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      1
Device Total VPN Capacity    :    250
Device Load                  :     0%
---------------------------------------------------------------------------
The command show vpn-sessiondb anyconnect reveals information on the individual Remote Access VPN connections.
> show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : user1                  Index        : 1
Assigned IP  : 192.168.21.1           Public IP    : 192.168.20.100
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-128  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA256  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 1254992191             Bytes Rx     : 52577846
Group Policy : DfltGrpPolicy          Tunnel Group : RAVPN
Login Time   : 11:34:05 UTC Sat Dec 6 2025
Duration     : 3h:06m:54s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0101010100001000693414ad
Security Grp : none                   Tunnel Zone  : 0
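The two show commands above are what an operator reads by eye; the DTLS-primary / TLS-fallback behaviour described at the top of the post and the negotiated cipher per tunnel are also the things worth checking on every session once the VPN is in service. The following Python script is an added example (not Cisco's code and not part of the post): it parses the summary and anyconnect output into dictionaries and flags a session that has no DTLS-Tunnel (the client fell back to TLS, which usually means UDP/443 is blocked on the path) or that negotiated a non-GCM cipher or a weak integrity algorithm. SUMMARY_OUTPUT and ANYCONNECT_OUTPUT are the post's own sample output re-typed; FALLBACK_SESSION is a constructed second session that exists only to exercise the checks. The field-name parsing relies on the two-column "Label : value" layout shown above.

```python
"""Audit FTD 'show vpn-sessiondb' output for TLS fallback and weak ciphers.

Added example for this post; not Cisco's code. SUMMARY_OUTPUT and
ANYCONNECT_OUTPUT are the post's sample output; FALLBACK_SESSION is constructed.
"""
import re

SUMMARY_OUTPUT = """\
> show vpn-sessiondb summary
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      1 :          1 :           1 :        0
  SSL/TLS/DTLS               :      1 :          1 :           1 :        0
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      1
Device Total VPN Capacity    :    250
Device Load                  :     0%
---------------------------------------------------------------------------
"""

ANYCONNECT_OUTPUT = """\
> show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : user1                  Index        : 1
Assigned IP  : 192.168.21.1           Public IP    : 192.168.20.100
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-128  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA256  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 1254992191             Bytes Rx     : 52577846
Group Policy : DfltGrpPolicy          Tunnel Group : RAVPN
Login Time   : 11:34:05 UTC Sat Dec 6 2025
Duration     : 3h:06m:54s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0101010100001000693414ad
Security Grp : none                   Tunnel Zone  : 0
"""

# Constructed session (not from the post): TLS only, CBC cipher, SHA1 integrity.
FALLBACK_SESSION = """
Session Type: AnyConnect

Username     : user2                  Index        : 2
Assigned IP  : 192.168.21.2           Public IP    : 192.168.20.101
Protocol     : AnyConnect-Parent SSL-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1
Group Policy : DfltGrpPolicy          Tunnel Group : RAVPN
"""

# One or two "Label : value" pairs per line; a second pair is preceded by 2+ spaces.
_PAIR_RE = re.compile(
    r"(?:^|\s{2,})([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|$)"
)
# "SSL-Tunnel: (1)AES-GCM-128" -> ("SSL-Tunnel", "AES-GCM-128")
_ALGO_RE = re.compile(r"(\S+?):\s*\(\d+\)(\S+)")
_SUMMARY_RE = re.compile(
    r"(Total Active and Inactive|Total Cumulative|Device Total VPN Capacity|Device Load)\s*:\s*(\d+)"
)


def parse_fields(line):
    """Split one output line into its label/value pairs."""
    return {k.strip(): v.strip() for k, v in _PAIR_RE.findall(line)}


def parse_anyconnect(text):
    """Return one dict per session; a session starts at each 'Session Type:' line."""
    sessions = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Session Type:"):
            sessions.append({})
        elif sessions and line.strip():
            sessions[-1].update(parse_fields(line))
    return sessions


def parse_summary(text):
    """Pull the capacity counters out of 'show vpn-sessiondb summary'."""
    return {label: int(value) for label, value in _SUMMARY_RE.findall(text)}


def tunnel_algos(field_value):
    """Map tunnel name -> algorithm for an Encryption or Hashing field."""
    return dict(_ALGO_RE.findall(field_value))


def audit_session(session):
    """Return a list of findings (empty means the session looks healthy)."""
    findings = []
    if "DTLS-Tunnel" not in session.get("Protocol", "").split():
        findings.append("no DTLS-Tunnel: client fell back to TLS (check UDP/443 on the path)")
    enc = tunnel_algos(session.get("Encryption", ""))
    hsh = tunnel_algos(session.get("Hashing", ""))
    for tunnel in ("SSL-Tunnel", "DTLS-Tunnel"):
        if tunnel in enc and "GCM" not in enc[tunnel]:
            findings.append(f"{tunnel} cipher {enc[tunnel]} is not AES-GCM")
        if hsh.get(tunnel, "").upper() in ("SHA1", "MD5", "NONE"):
            findings.append(f"{tunnel} integrity {hsh[tunnel]} is weak")
    return findings


def audit(summary_text, anyconnect_text):
    """Return (capacity counters, {username: findings})."""
    summary = parse_summary(summary_text)
    report = {s["Username"]: audit_session(s) for s in parse_anyconnect(anyconnect_text)}
    return summary, report


if __name__ == "__main__":
    counters, report = audit(SUMMARY_OUTPUT, ANYCONNECT_OUTPUT + FALLBACK_SESSION)
    print(counters)
    for user, findings in report.items():
        print(user, findings or "OK")
```

On a live device the same two commands can be captured over SSH and fed to audit(); the useful signal is a fleet-wide pattern of missing DTLS-Tunnel entries, which points at a path that drops UDP/443 rather than at the client, and any SSL-Tunnel or DTLS-Tunnel entry whose cipher is not one of the AES-GCM suites configured on the FTD.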
