01-28-2025 02:36 AM
Hello, I want to configure AnyConnect 5.1 on a Firepower 1010 NGFW router (not ASA) and I have a few questions before I start configuring:
1. Does the router have to be directly connected to the internet and have a public IP, or can I configure it behind another router that gives me a private IP 192.168.x.x?
2. Can I configure AnyConnect 5.1 without a RADIUS or LDAP server? I don't have one and I want the users to be local on the router. (internal authentication).
3. If I use AAA authentication, will it ask each client for a USER and PASSWORD when authenticating? What if I use AAA plus Certificate?
4. If I use certificate-only authentication, do I have to create a certificate for each user? Does it work with Self Signed Certificate?
5. Which of these two software packages is loaded on the router and which is installed on the client stations:
- Cisco Secure Client Pre-Deployment Package (Windows) - includes individual MSI files
- Cisco Secure Client Headend Deployment Package (Windows)
6. Do I need other software or applications from the cisco.com website to be able to configure AnyConnect 5.1?
7. What is the fastest but also the most secure authentication method, considering that I want to access a SQL server with 30-40 databases (company accounting), each 500MB - 1GB in size?
I am an economist-accountant, not an IT expert, and I do not know many technical details. In the past I configured an IPSec IKEv1 PSK VPN on an RV160W router that I still use today, but I wanted to switch to something more secure, the Firepower 1010 NGFW.
Thank you
01-28-2025 02:47 AM
1. No, it doesn't need to be directly connected; you obviously have to have NAT configured on the routers in front of the FTD.
2. Yes you can use the local user database.
3. It will ask for username/password if using "AAA" (RADIUS or local database). If you just use a certificate then it will not prompt for authentication (assuming the certificate is valid).
4. Yes you would need to have either a unique user certificate or computer certificate. Use Windows GPO to distribute certificates to the users or computers (assuming you have an AD domain). Else you could create a CA on Linux to distribute user certificates.
5. The pre-deployment package can be used to install the client on the Windows computers. You need to upload the Windows headend package to the FTD. If you are using other OSes, e.g. macOS or Linux, then you must upload those headend packages to the FTD in order to connect.
6. You may wish to download the Secure Client Profile Editor to create an XML profile to pre-configure the settings for the VPN.
7. Using AAA + certificates is secure; else use MFA such as Cisco Duo, which would be the most secure but costs more money. https://duo.com/
01-28-2025 02:58 AM
At point 4 I have a question:
I don't have an AD domain.
I saw that I can create self-signed certificates directly from the router signed by the router's Internal CA, are those not good for VPN?
01-28-2025 03:50 AM
@doralex2003 you could use a certificate issued by the router's Internal CA; you'd have to create the certificate on the router and export it, then import it to the relevant computer. It's not a straightforward process though, tbh.
This Linux example might be more straightforward - https://integratingit.wordpress.com/2019/01/14/openssl-ca-for-vpn-authentication/
01-28-2025 04:49 AM
As I mentioned, I'm an economist, not an IT guy; simple solutions that don't involve CLI are suitable for me.