Firepower Threat Defense Remote Access VPN Overview

Firepower Threat Defense provides secure gateway capabilities that support remote access SSL and IPsec-IKEv2 VPNs. The full tunnel client, AnyConnect Secure Mobility Client, provides secure SSL and IPsec-IKEv2 connections to the security gateway for remote users. AnyConnect is the only client supported on endpoint devices for remote VPN connectivity to Firepower Threat Defense devices. The client gives remote users the benefits of an SSL or IPsec-IKEv2 VPN client without the need for network administrators to install and configure clients on remote computers. The AnyConnect mobile client for Windows, Mac, and Linux is deployed from the secure gateway upon connectivity. The AnyConnect apps for Apple iOS and Android devices are installed from the platform app store.

Use the Remote Access VPN Policy wizard in the Cisco Defense Orchestrator to quickly and easily set up SSL and IPsec-IKEv2 remote access VPNs with basic capabilities. Then, enhance the policy configuration if desired and deploy it to your Firepower Threat Defense secure gateway devices.

You can configure the following settings using the remote access VPN policy:

• Two-Factor Authentication

• Secondary Authentication

• Configure LDAP or Active Directory for Authorization

• Manage Password Changes over VPN Sessions

• Send Accounting Records to the RADIUS Server

• Override the Selection of Group Policy or Other Attributes by the Authorization Server

  • Deny VPN Access to a User Group

  • Restrict Connection Profile Selection for a User Group

You can use the following examples to allocate limited bandwidth to VPN users and to use VPN identify for user-id based access control rules:

• How to Limit AnyConnect Bandwidth Per User

• How to Use VPN Identity for User-id Based Access Control Rules