Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2846
Views
5
Helpful
3
Replies

Any Connect VPN

Learnercisco
Level 1
Level 1

‎10-04-2020 01:02 AM - edited ‎10-04-2020 01:02 AM

Hi Tech guys,

 

in my Internet edge deployment, My FTD (21110) is behind the ASR1000 Router(Internet Gateway). I want to allow  any connect vpn clients to establish vpn connection to  FTD  via NAT Configured on ASR1000. From the Firewall perspective, Is there any Special configuration on firepower  e.g related to NAT/PAT to access the Local LAN subnets from Internet?  Any connection VPN configurations will be done FTD. 

 

 

Thanks in advance 

0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎10-04-2020 01:06 AM

Steps :

 

1. You need NAT on ASR 1000 Public to PrivateIP ( allocated on FTD)

2. follow below guide to RAVPN

 

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

 

3. You need to have ACP/ ACL should be in place what resouce required access for the VPN subnet.

 

Hope make sense ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Learnercisco
Level 1
Level 1
In response to balaji.bandi

‎10-04-2020 01:33 AM

thanks balaje for your reply,

 

1. You need NAT on ASR 1000 Public to PrivateIP ( allocated on FTD)

     The NAT ACL on ASR1K will include the FTD Outside IP address which makes sense.

 

2. follow below guide to RAVPN

 

I have FMC ,The concept will be the same.  

 

3. You need to have ACP/ ACL should be in place what resouce required access for the VPN subnet.

  Yes Correct. Access to Service VLAN in DMZ. 

 

SSL Certificate 

we can generate Self signed certificated and map this certificate to our domain (e.g vpn.cisco.com) on the FTD, as its shown in the guide.

 

Thanks in advance. 

 

 

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎10-04-2020 05:40 AM

SSL Certificate 

we can generate Self signed certificated and map this certificate to our domain (e.g vpn.cisco.com) on the FTD, as its shown in the guide.

 

BB - if this is external i would advise CA authority to sign. ( like Godaddy or DigiCert)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card