https://community.cisco.com/t5/network-security/any-connect-vpn/m-p/4161192#M1074398 <P>Hi Tech guys,</P><P>&nbsp;</P><P>in my Internet edge deployment, My FTD (21110) is behind the ASR1000 Router(Internet Gateway). I want to allow&nbsp; any connect vpn clients to establish vpn connection to&nbsp; FTD&nbsp; via NAT Configured on ASR1000. From the Firewall perspective, Is there any Special configuration on firepower&nbsp; e.g related to NAT/PAT to access the Local LAN subnets from Internet?&nbsp; Any connection VPN configurations will be done FTD.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks in advance&nbsp;</P> Sun, 04 Oct 2020 08:02:55 GMT Learnercisco 2020-10-04T08:02:55Z https://community.cisco.com/t5/network-security/any-connect-vpn/m-p/4161192#M1074398 <P>Hi Tech guys,</P><P>&nbsp;</P><P>in my Internet edge deployment, My FTD (21110) is behind the ASR1000 Router(Internet Gateway). I want to allow&nbsp; any connect vpn clients to establish vpn connection to&nbsp; FTD&nbsp; via NAT Configured on ASR1000. From the Firewall perspective, Is there any Special configuration on firepower&nbsp; e.g related to NAT/PAT to access the Local LAN subnets from Internet?&nbsp; Any connection VPN configurations will be done FTD.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks in advance&nbsp;</P> Sun, 04 Oct 2020 08:02:55 GMT https://community.cisco.com/t5/network-security/any-connect-vpn/m-p/4161192#M1074398 Learnercisco 2020-10-04T08:02:55Z https://community.cisco.com/t5/network-security/any-connect-vpn/m-p/4161193#M1074399 <P>Steps :</P> <P>&nbsp;</P> <P>1. You need NAT on ASR 1000 Public to PrivateIP ( allocated on FTD)</P> <P>2. follow below guide to RAVPN</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html</A></P> <P>&nbsp;</P> <P>3. You need to have ACP/ ACL should be in place what resouce required access for the VPN subnet.</P> <P>&nbsp;</P> <P>Hope make sense ?</P> <P>&nbsp;</P> Sun, 04 Oct 2020 08:06:47 GMT https://community.cisco.com/t5/network-security/any-connect-vpn/m-p/4161193#M1074399 balaji.bandi 2020-10-04T08:06:47Z https://community.cisco.com/t5/network-security/any-connect-vpn/m-p/4161198#M1074400 <P>thanks balaje for your reply,</P><P>&nbsp;</P><P><SPAN>1.<STRONG> You need NAT on ASR 1000 Public to PrivateIP ( allocated on FTD)</STRONG></SPAN></P><P><SPAN>&nbsp; &nbsp; &nbsp;The NAT ACL on ASR1K will include the FTD Outside IP address which makes sense.</SPAN></P><P>&nbsp;</P><P><STRONG>2. follow below guide to RAVPN</STRONG></P><P>&nbsp;</P><P><SPAN>I have FMC ,The concept will be the same.&nbsp;&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>3. <STRONG>You need to have ACP/ ACL should be in place what resouce required access for the VPN subnet.</STRONG></SPAN></P><P>&nbsp; Yes Correct. Access to Service VLAN in DMZ.&nbsp;</P><P>&nbsp;</P><P><STRONG>SSL Certificate&nbsp;</STRONG></P><P><SPAN>we can generate Self signed certificated and map this certificate to our domain (e.g vpn.cisco.com) on the FTD, as its shown in the guide.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks in advance.&nbsp;</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P> Sun, 04 Oct 2020 08:33:06 GMT https://community.cisco.com/t5/network-security/any-connect-vpn/m-p/4161198#M1074400 Learnercisco 2020-10-04T08:33:06Z https://community.cisco.com/t5/network-security/any-connect-vpn/m-p/4161233#M1074409 <P><STRONG>SSL Certificate&nbsp;</STRONG></P> <P><SPAN>we can generate Self signed certificated and map this certificate to our domain (e.g vpn.cisco.com) on the FTD, as its shown in the guide.</SPAN></P> <P>&nbsp;</P> <P><SPAN>BB - if this is external i would advise CA authority to sign. ( like Godaddy or DigiCert)</SPAN></P> Sun, 04 Oct 2020 12:40:08 GMT https://community.cisco.com/t5/network-security/any-connect-vpn/m-p/4161233#M1074409 balaji.bandi 2020-10-04T12:40:08Z