I have an FTD 6.3 on Firepower 4110. It is configured in routed mode with "the usual" configuration: outside, inside, DMZ, and serverfarm interfaces/zones with traffic allowed out but not in. I also have AnyConnect services for remote access VPN services.
The main difference is that on the outside interface I have a 10.x.x.1 private IP address. The Firepower is directly connected to a Cisco 6509 via a point-to-point connection. The provider reserved 82.y.y.0/29 public IP addresses and via static routing sends them to 10.x.x.1.
I configured static, dynamic, etc. NATs for our needs. They work well.
My main difficulty is with AnyConnect VPN. From the provider network I can connect to the 10.x.x.1 private IP via AnyConnect; there is no problem with this. But from the Internet I can't connect to the VPN, because there is no public IP address on the outside interface.
Could you help me to correctly configure the AnyConnect VPN NAT rule and access policy in this situation?
You would need to configure port forwarding on the 6509. The easiest would be to have a dedicated public IP for AnyConnect, but if you cannot do that, then forward ports tcp/443 and udp/443 to 10.x.x.1.
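As an added illustration (not from this thread), the port-forwarding approach above in IOS syntax for the 6509: it assumes the 6509 faces the ISP on Vlan100, faces the FTD on TenGigabitEthernet1/1, and that 82.y.y.6 is a spare address from the routed /29 set aside for the VPN, with x and y standing in for the real octets.

```cisco
! Added example, not from the thread. Assumed names and values:
! Vlan100 = link to ISP, Te1/1 = point-to-point link to the FTD,
! 82.y.y.6 = spare public address from the provider's /29,
! 10.x.x.1 = FTD outside interface.
!
! Outside: link toward the ISP / next hop
interface Vlan100
 description To ISP
 ip nat outside
!
! Inside: point-to-point link to the FTD outside interface
interface TenGigabitEthernet1/1
 description To FTD outside
 ip nat inside
!
! Existing static route (unchanged): the /29 still goes to the FTD,
! so the FTD's own static/dynamic NAT keeps working for the other addresses.
ip route 82.y.y.0 255.255.255.248 10.x.x.1
!
! Static PAT: only the two AnyConnect ports (TLS tcp/443 and DTLS udp/443)
! on the spare public address are forwarded to the FTD; nothing else is
! exposed. Inbound packets to 82.y.y.6:443 are translated to 10.x.x.1:443
! before routing, so they land on the directly connected FTD link.
! "extendable" lets the two entries share one global address.
ip nat inside source static tcp 10.x.x.1 443 82.y.y.6 443 extendable
ip nat inside source static udp 10.x.x.1 443 82.y.y.6 443 extendable
!
! Check: both entries should appear as 82.y.y.6:443 <-> 10.x.x.1:443
! show ip nat translations
```

On the FTD side nothing changes for the VPN itself: the tunnel still terminates on 10.x.x.1, the same address that already works from the provider network.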
Is it feasible for you to change your design and assign the public subnet directly to the FTD's outside interface?
In this way you should be able to use remote access VPN without any kind of problem.
You would not necessarily need the public IP on the 6509; you could just trunk a VLAN straight through to the ISP / next hop router. Another option would be to assign a private IP to the ASA, and then route that to a VRF on the 6509 that is just for Internet, and place the public IP and the newly created private IP in that VRF. Then route all traffic to the ASA and have a default route pointing out the newly created interface IP.