Configuring AnyConnect Remote Access VPN on Cisco FTD
Cisco ASAs have been a part of Cisco’s security product lineup since 2005, replacing the older PIX firewalls. In recent years, Cisco has focused a great deal on security, adding more and more solutions for different portions of the network. One of the newer security solutions came with the acquisition of Sourcefire back in 2013. At the time of the acquisition, Sourcefire was one of the leading intrusion prevention solutions on the market. Shortly after that acquisition, what was previously known as Sourcefire was renamed Cisco FirePOWER, then FirePower, and more recently, Firepower. Yes, the name changed quite a bit over the past few years.
Firepower added the Next-Generation Firewall (NGFW) solutions that are now pretty much required in networks of all sizes. The NGFW feature sets add visibility into application networking, user traffic, content filtering, vulnerability monitoring, and much more, providing the security that’s needed.
Cisco first added their NGFW solution to the Cisco ASA5500X products by adding a Firepower module (SFR) into the firewall appliance. This SFR module is essentially a hard drive that runs as a Firepower sensor. Policies are pushed to this module which directs traffic to be bounced from the ASA over to this sensor for inspection, then traffic is sent back to the ASA for processing.
In addition to offering the Cisco ASA as a firewall security solution, Cisco added a newer Firepower Threat Defense (FTD) appliance. The Cisco FTD appliance consolidates some of the ASA functionality and the NGFW features into a single appliance. This makes the security solution easier to manage, because there is one management interface instead of an ASA configuration that is managed separately from the NGFW features, which are typically managed from Firepower Management Center (FMC).
The Cisco FTD appliance carries most (not all) of the features that an ASA would support. One particular feature that was brought over from the ASA is remote access VPN connectivity. Some of the ASA's remote access features did not make it over to FTD. The most notable features that are missing from the Remote Access VPN solution on FTD as of v6.2 are:
- local user authentication
- 2-factor authentication
- ISE Posturing
- LDAP attribute mapping
- AnyConnect modules
*reference the link below for a full list of limitations
In this article, I will be providing a sample of how to configure a remote access VPN solution on Cisco FTD.
This article is going to assume that the FTD appliance is already registered, licensing is acquired, and that the appliance is being managed by FMC.
To start the remote access VPN configuration, we first need to apply the AnyConnect licensing to the FTD appliance. Navigate to System > Licenses > Smart Licenses.
Select the “Edit Licenses” button on the upper right.
Select the licensing that was purchased and move your FTD appliance into the right window to assign the license to the appliance. In this case, “AnyConnect Apex” licensing was selected, and the appliance named “FTD” was moved to the right. When complete, select “Apply” at the bottom right.
Now that the licensing has been assigned, we can continue with the building blocks required for the RA VPN connectivity. The next step would be to create all of the various objects (software package, profile, IP Pool, etc). These objects will all tie together during the RA VPN config wizard.
The first object we will create is the software package object. Navigate to Objects > Object Management > VPN > AnyConnect File
Here, we will add the VPN client software packages for the different required Operating Systems that will be used in the environment.
Select “Add AnyConnect File” at the top-right.
Enter a name, browse to the AnyConnect client package file which can be downloaded using the link below (valid Cisco contract required) and select “AnyConnect Client Image” as the file type. When complete, select the “Save” button. Repeat this process for each client type that will be connecting (Windows, Mac, Linux).
Within this same location, we will add the AnyConnect profile.
Select “Add AnyConnect File” at the top-right once again.
Enter a name, browse to the profile, select “AnyConnect Client Profile” as the File Type and select “Save” when complete.
- This XML profile can be created using the Cisco VPN Profile Editor tool on a Windows machine. The Profile Editor tool can be downloaded using the same link that was provided above.
We will now move on to creating the IP Pool object. This IP pool will be used as the DHCP pool for remote access clients as the client connects to the FTD appliance using AnyConnect.
In FMC, open Objects > Object Management > Address Pools > IPv4 Pools
Select “Add IPv4 Pools” at the top-right
Provide a name, enter the pool range, and subnet mask then select “Save”
We will now configure an object-group that references this VPN IP Pool
Open Objects > Object Management > Network
Select “Add Network > Add Group” at the top-right
Provide an object name then manually enter the IP subnet for the VPN Pool that was previously created. Select “Save” when complete.
An optional configuration that can be added is a split-tunnel list. Split tunneling allows VPN connectivity to a remote network across a secure tunnel while still allowing local LAN access. There are a few security concerns with allowing split tunneling, but it is an option. To configure a split-tunnel list, we will create an Extended Access Control List.
Navigate to Objects > Object Management > Access List > Extended
Select “Add Extended Access List” at the top-right
Provide a name for this new Access-List.
Select “Add” at the top-right.
Enter the inside IP space object as the source address. Leaving all other options as their default, select “Add”, then “Save”.
The next object that is needed is a certificate that will be referenced later.
To create a self-signed certificate, select Objects > Object Management > PKI > Cert Enrollment
Select “Add Cert Enrollment” at the top-right
Provide a name for this new certificate and a type of PKCS12, then save.
The next object to create would be for authentication.
Cisco ASAs offer an option to authenticate remote access VPNs directly against the ASA, using local authentication with users created on the ASA itself. With v6.2, FTD only supports external authentication, using either RADIUS or LDAP authentication servers. In this lab, authentication will go against a single RADIUS server running Cisco ISE (Identity Services Engine). Of course, in a production environment, having redundant servers would be the recommended approach. In that instance, this step would be performed twice in order to configure both authentication servers.
To create the authentication server, open Objects > Object Management > RADIUS Server Group
Select “Add RADIUS Server Group” at the top-right
Provide a name (typically enter the server name here).
Select the “plus” sign to add a server
Enter the IP address of the RADIUS authentication server, along with the key and then save.
If adding a second RADIUS server, repeat the process to add the redundant server.
Once all RADIUS servers have been added, save changes for the group.
The final object that will be created will be the VPN Group Policy. This Group Policy will provide various connectivity attributes for the VPN client.
Open Objects > Object Management > VPN > Group Policy
Select “Add Group Policy” at the top-right
Provide a name for this Group Policy
Next, a DNS server is defined. General > DNS/WINS > Primary DNS Server > Add
Enter a name and the network address of the DNS server.
Also, on the General tab under Split Tunneling, select “Tunnel networks specified below” for IPv4, select the radio button next to “Extended Access List”, then in the drop-down, select the split tunnel list which was an object previously created named “SPLIT_TUNNEL”
Finally, on the Group Policy, select the AnyConnect tab, select the AnyConnect Profile object previously created, then save.
At this point, all objects are created and are now ready to run the VPN wizard.
Navigate to Devices > VPN > Remote Access > Add
Provide a name, then move the FTD appliance from the available devices into the selected device column. Then click Next.
Select AAA Only for the Authentication Method
Select the ISE object previously created as the Authentication Server
Select the VPN_POOL IP Pool
Select the ANYCONNECT object for the Group Policy
Then click Next
Check the boxes next to each client image and verify the OS selected. Then click Next.
Select the outside interface as the Interface group/Security Zone
Select the ANYCONNECT_CERT object for the Certificate Enrollment
Review the summary of the changes being made and click Finish
The next step is to add a publicly signed certificate that will be associated with the outside interface.
Open Devices > Certificates
At the top-right, select Add > PKCS12 File
Select the FTD device
For the Cert Enrollment, select the ANYCONNECT_CERT object
For the PKCS12 File, select the pfx certificate and enter the passphrase.
The final steps would now be to create a security policy rule as well as a NAT rule.
Select Policies > Access Control > select the Access Control Policy that is deployed to the FTD appliance.
Add a new rule
Name the new policy
Insert this policy “into Default”
On the Zones tab, add the “outside” zone as the source and “inside” as the destination zones
On the “Networks” tab, add the VPN object as the source network and rfc1918 as the destination network
Click “Add” when complete. Then Save at the top right.
For the NAT exemption rule, open Devices > NAT
Modify the existing NAT policy that’s applied to the FTD appliance and add a new rule
In the Interface Objects tab, add the inside zone as the source and the outside zone as the destination.
On the Translation tab add:
- Original Source = Address / internal networks (RFC1918)
- Original Destination = Address / VPN_POOL
- Translated Source = Address / internal networks (RFC1918)
- Translated Destination = VPN_POOL
Select the Advanced tab and choose the “Do not proxy ARP on Destination Interface” checkbox. Then click “OK” then “Save” at the top right.
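The objects built so far (VPN pool, VPN network object, split-tunnel list) have to agree with each other and with the RFC1918 objects used in the access rule and NAT exemption, and several of them are typed in by hand. The check below is an added example, not part of the original walkthrough or of FMC; the function name and every sample address are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 space: the access-rule destination and NAT-exemption source in this walkthrough.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(pool_range, pool_mask, vpn_object, split_tunnel, inside_nets):
    """Return a list of problems; an empty list means the objects agree."""
    problems = []
    # FMC takes the pool as "first-last" plus a subnet mask.
    first, last = (ipaddress.ip_address(p.strip()) for p in pool_range.split("-"))
    pool_net = ipaddress.ip_network(f"{first}/{pool_mask}", strict=False)
    vpn_net = ipaddress.ip_network(vpn_object)

    if first > last or last not in pool_net:
        problems.append("pool range does not fit its subnet mask")
    # The network object is entered manually, so a typo here silently
    # breaks the access rule that uses it as the source network.
    if first not in vpn_net or last not in vpn_net:
        problems.append("VPN network object does not cover the whole pool")
    # Clients should get addresses from a subnet that exists nowhere inside.
    for net in map(ipaddress.ip_network, inside_nets):
        if net.overlaps(pool_net):
            problems.append(f"pool overlaps inside network {net}")
    # Anything tunnelled but outside RFC1918 is matched by neither the
    # access rule destination nor the NAT exemption source.
    for net in map(ipaddress.ip_network, split_tunnel):
        if not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"split-tunnel entry {net} is outside RFC1918")
    return problems

# Constructed sample values, not taken from the article.
GOOD = dict(pool_range="10.10.50.1-10.10.50.100", pool_mask="255.255.255.0",
            vpn_object="10.10.50.0/24", split_tunnel=["192.168.10.0/24"],
            inside_nets=["192.168.10.0/24"])
BAD = dict(GOOD, vpn_object="10.10.5.0/24", split_tunnel=["0.0.0.0/0"],
           inside_nets=["10.10.48.0/22"])

if __name__ == "__main__":
    print(check_plan(**GOOD))
    for problem in check_plan(**BAD):
        print("-", problem)
```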
At this point, the Remote Access VPN solution has been configured and is ready to be deployed to the FTD appliance. At the top right of FMC, select “Deploy”. Choose the FTD appliance that you are enabling remote access VPN on and Deploy the policy. Deploying this policy takes time but can be monitored from the “Tasks” section next to the Deploy button in the menu bar.
When the policy has been deployed successfully, remote access VPN can be tested.
From a machine on the outside network, from the web browser, navigate to the outside IP or URL of the FTD appliance. You should be prompted to enter user credentials. Enter the username and password and select “Logon”
Once successfully logged in, you may be prompted to install the AnyConnect client. If the client is already installed, the VPN will automatically connect. When connected, the AnyConnect client icon on the PC’s task bar will appear similar to what is shown below.
To verify connectivity from within FTD, similar to an ASA, you can check status using the “show vpn-sessiondb detail anyconnect” command.
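To confirm that connected clients actually landed in the pool and group policy configured above, the command output can be checked mechanically. The script below is an added example, not from the original article; the sample text is constructed and trimmed to a few fields in the layout of the command's output, and the pool subnet, usernames and tunnel group name are assumptions.

```python
import ipaddress
import re

# Constructed, trimmed sample in the layout of "show vpn-sessiondb detail anyconnect".
SAMPLE = """\
Session Type: AnyConnect Detailed

Username     : jdoe                   Index        : 14
Assigned IP  : 10.10.50.1             Public IP    : 203.0.113.25
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : ANYCONNECT             Tunnel Group : RA_VPN

Username     : asmith                 Index        : 15
Assigned IP  : 10.10.60.7             Public IP    : 198.51.100.8
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : DfltGrpPolicy          Tunnel Group : RA_VPN
"""

# One or two "Key : value" pairs per line; a second pair starts after 2+ spaces.
PAIR = re.compile(r"(\w[\w ]*?)\s*: (.*?)(?=\s{2,}\w[\w ]*?\s*: |$)")

def parse_sessions(text):
    """Split the output into one dict per session, keyed by field name."""
    sessions = []
    for line in text.splitlines():
        for key, value in PAIR.findall(line):
            if key == "Username":          # each session block starts here
                sessions.append({})
            if sessions:
                sessions[-1][key] = value.strip()
    return sessions

def audit(text, pool, group_policy):
    """Flag sessions whose address or group policy is not the configured one."""
    pool_net = ipaddress.ip_network(pool)
    findings = []
    for s in parse_sessions(text):
        if ipaddress.ip_address(s["Assigned IP"]) not in pool_net:
            findings.append((s["Username"], "assigned IP outside pool"))
        if s["Group Policy"] != group_policy:
            findings.append((s["Username"], "unexpected group policy"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(SAMPLE, "10.10.50.0/24", "ANYCONNECT"):
        print(f"{user}: {issue}")
```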
To disconnect from the VPN, right-click on the AnyConnect client and select “Disconnect”
As you can see, configuring a remote access VPN on FTD does have its limitations and does take a bit of configuration to get working, but it is a rock-solid solution.
Important caution: Any commands shown in the following post are for demonstration purposes only and should always be modified accordingly and used carefully. Do not run any of the procedures below without thorough testing and if you do not fully understand the consequences. Please contact a representative at H.A. Inc. if you need assistance with components of your infrastructure as it relates to this posting.