Prerequisites for Configuring Remote Access VPN

  • Deploy Firepower Threat Defense devices and configure Cisco Defense Orchestrator to manage them, with the required licenses and export-controlled features enabled. For more information, see VPN Licensing.

  • Configure the certificate enrollment object that is used to obtain the identity certificate for each Firepower Threat Defense device that acts as a remote access VPN gateway.

  • Configure the RADIUS server group object and any AD or LDAP realms being used by remote access VPN policies.

  • Ensure that the AAA Server is reachable from the Firepower Threat Defense device for the remote access VPN configuration to work. Configure routing (at Devices > Device Management > Edit Device > Routing) to ensure connectivity to the AAA servers.

    For remote access VPN double authentication, ensure that both the primary and secondary authentication servers are reachable from the Firepower Threat Defense device for the double authentication configuration to work.

  • Purchase and enable one of the following Cisco AnyConnect licenses to enable FTD remote access VPN: AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only.

  • Download the latest AnyConnect image files from Cisco Software Download Center.

    On your Cisco Defense Orchestrator web interface, go to Objects > Object Management > VPN > AnyConnect File and add the new AnyConnect client image files.

  • Create a security zone or interface group that contains the network interfaces that users will access for VPN connections. See Interface.

  • Download the AnyConnect Profile Editor from Cisco Software Download Center to create an AnyConnect client profile. You can use the standalone profile editor to create a new AnyConnect profile or modify an existing one.
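The AAA reachability prerequisite above is the one that most often fails silently at first login, so a pre-check of the RADIUS and LDAP servers is worth running before deploying the policy. The script below is an added example, not Cisco or CDO code: it sends a RADIUS Status-Server probe (RFC 5997, with the mandatory Message-Authenticator attribute) and validates the Response Authenticator, which also confirms the shared secret, then does a plain TCP connect test for LDAP (389) and LDAPS (636). The host name `aaa.example.internal` and the shared secret are placeholders. Run it from a host that shares the FTD's route to the AAA servers; it complements, but does not replace, checking the FTD's own routing at Devices > Device Management > Edit Device > Routing.

```python
"""Pre-check that the AAA servers a remote access VPN policy relies on are up.

Added example (not Cisco code): RADIUS Status-Server probe plus LDAP/LDAPS
TCP reachability. Host and secret below are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12           # RADIUS packet code for Status-Server
ACCESS_ACCEPT = 2            # expected reply on the authentication port (1812)
MESSAGE_AUTHENTICATOR = 80   # attribute type; mandatory in Status-Server
MA_ATTR_LEN = 18             # 2-byte attribute header + 16-byte HMAC-MD5


def build_status_server(secret: bytes, identifier: int, request_auth: bytes) -> bytes:
    """Return a Status-Server packet carrying a valid Message-Authenticator.

    request_auth is the 16-byte Request Authenticator (random in real use)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    length = 20 + MA_ATTR_LEN
    header = struct.pack("!BBH", STATUS_SERVER, identifier & 0xFF, length) + request_auth
    attr_header = bytes([MESSAGE_AUTHENTICATOR, MA_ATTR_LEN])
    # HMAC-MD5 keyed with the shared secret over the whole packet, with the
    # Message-Authenticator value set to 16 zero bytes (RFC 3579 section 3.2).
    zeroed = header + attr_header + bytes(16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attr_header + mac


def build_reply(code: int, identifier: int, request_auth: bytes,
                attributes: bytes, secret: bytes) -> bytes:
    """Server-side Response Authenticator (RFC 2865 section 3); used for self-tests."""
    length = 20 + len(attributes)
    head = struct.pack("!BBH", code, identifier & 0xFF, length)
    resp_auth = hashlib.md5(head + request_auth + attributes + secret).digest()
    return head + resp_auth + attributes


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True if the Response Authenticator matches, i.e. the server knows the secret."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return False
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def probe_radius(host: str, secret: bytes, port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Status-Server probe over UDP and classify the outcome."""
    identifier = os.urandom(1)[0]
    request_auth = os.urandom(16)
    packet = build_status_server(secret, identifier, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError as exc:  # includes timeouts
            return f"no reply ({exc}): check routing/ACLs or Status-Server support"
    if len(reply) < 20 or reply[1] != identifier:
        return "malformed reply or mismatched identifier"
    if not verify_reply(reply, request_auth, secret):
        return "reply failed Response Authenticator check: shared secret mismatch?"
    if reply[0] == ACCESS_ACCEPT:
        return "ok: authentication port is up and shared secret is correct"
    return f"unexpected RADIUS code {reply[0]}"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect test, used for LDAP (389) and LDAPS (636)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Placeholder values: replace with your AAA server address and RADIUS shared secret.
    AAA_HOST = "aaa.example.internal"
    print("RADIUS:", probe_radius(AAA_HOST, b"replace-with-shared-secret"))
    for p in (389, 636):
        print(f"LDAP tcp/{p}:", "reachable" if probe_tcp(AAA_HOST, p) else "unreachable")
```

A "no reply" result does not distinguish a routing or ACL problem from a server that ignores Status-Server, so confirm the server supports it before reading a timeout as a connectivity failure; a Response Authenticator failure, on the other hand, almost always means the shared secret configured in the RADIUS server group object does not match the server's. For double authentication, run the probe against both the primary and the secondary server.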