Configure Access Interfaces for Remote Access VPN

The Access Interface table lists the interface groups and security zones that contain the device interfaces configured for remote access SSL or IPsec IKEv2 VPN connections. The table displays the name of each interface group or security zone, the interface trustpoints used by the interface, and whether Datagram Transport Layer Security (DTLS) is enabled.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Click Access Interface.

Step 4

To add an access interface, select Add and specify values for the following in the Add Access Interface window:

  1. Access Interface—Select the interface group or security zone to which the interface belongs.

    The interface group or security zone must be a Routed type. Other interface types are not supported for Remote Access VPN connectivity.
  2. Associate the Protocol object with the access interface by selecting the following options:

    • Enable IPsec-IKEv2—Select this option to enable IKEv2 settings.

    • Enable SSL—Select this option to enable SSL settings.

      • Select Enable Datagram Transport Layer Security.

        When selected, it enables Datagram Transport Layer Security (DTLS) on the interface and allows an AnyConnect VPN client to establish an SSL VPN connection using two simultaneous tunnels—an SSL tunnel and a DTLS tunnel.

        Enabling DTLS avoids the latency and bandwidth problems associated with certain SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

        To configure SSL settings, and TLS and DTLS versions, see About SSL Settings.

        To configure SSL settings for the AnyConnect VPN client, see Group Policy AnyConnect Options.

      • Select the Configure Interface Specific Identity Certificate check box and select Interface Identity Certificate from the drop-down list.

        If you do not select the Interface Identity Certificate, the Trustpoint will be used by default.

        If you do not select the Interface Identity Certificate or Trustpoint, the SSL Global Identity Certificate will be used by default.

  3. Click OK to save the changes.

Step 5

Select the following under Access Settings:

  • Allow Users to select connection profile while logging in—If you have multiple connection profiles, selecting this option allows the user to select the correct connection profile during login. You must select this option for IPsec-IKEv2 VPNs.

Step 6

Use the following options to configure SSL Settings:

  • Web Access Port Number—The port to use for VPN sessions. The default port is 443.

  • DTLS Port Number—The UDP port to use for DTLS connections. The default port is 443.

  • SSL Global Identity Certificate—The selected SSL Global Identity Certificate will be used for all the associated interfaces if the Interface Specific Identity Certificate is not provided.

Step 7

For IPsec-IKEv2 Settings, select the IKEv2 Identity Certificate from the list or add an identity certificate.

Step 8

Under the Access Control for VPN Traffic section, select the following option if you want to bypass access control policy:

  • Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)—Decrypted traffic is subject to Access Control Policy inspection by default. Enabling the Bypass Access Control policy for decrypted traffic option bypasses the ACL inspection, but the VPN filter ACL and any authorization ACL downloaded from the AAA server are still applied to VPN traffic.

    Note

    If you select this option, you need not update the access control policy for remote access VPN as specified in Update the Access Control Policy on the Firepower Threat Defense Device.

Step 9

Click Save to save the access interface changes.
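After deployment, the settings chosen above (DTLS per interface, the web and DTLS ports, the interface-specific versus global identity certificate fallback, and the sysopt permit-vpn bypass) can be audited from the device configuration. The script below is an added example, not part of this documentation or the product; the configuration it parses is a constructed sample written in assumed ASA/FTD-style CLI syntax.

```python
"""Audit remote access VPN access-interface settings from an ASA/FTD-style
running configuration. Added example; SAMPLE_CONFIG is a constructed sample in
assumed CLI syntax, not output captured from a real device."""
import re

SAMPLE_CONFIG = """\
ssl trust-point GLOBAL_SSL_CERT
ssl trust-point OUTSIDE_CERT outside
webvpn
 enable outside
 enable dmz tls-only
 port 443
 dtls port 443
 anyconnect enable
sysopt connection permit-vpn
"""

def parse_ra_vpn_config(config):
    """Return ports, certificates, per-interface DTLS state and the ACP bypass flag."""
    result = {"global_cert": None, "interfaces": {}, "port": 443,
              "dtls_port": 443, "bypass_acp": False}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ssl trust-point (\S+)(?: (\S+))?$", line)
        if m:                                   # interface-specific or global certificate
            tp, intf = m.groups()
            if intf:
                result["interfaces"].setdefault(intf, {})["cert"] = tp
            else:
                result["global_cert"] = tp
            continue
        m = re.match(r"enable (\S+)( tls-only)?$", line)
        if m:                                   # SSL VPN enabled; tls-only means DTLS off
            intf, tls_only = m.groups()
            result["interfaces"].setdefault(intf, {})["dtls"] = tls_only is None
            continue
        m = re.match(r"(dtls )?port (\d+)$", line)
        if m:                                   # Web Access Port / DTLS Port Number
            result["dtls_port" if m.group(1) else "port"] = int(m.group(2))
            continue
        if line == "sysopt connection permit-vpn":
            result["bypass_acp"] = True
    return result

def effective_cert(parsed, intf):
    """Interface-specific certificate wins; otherwise the SSL Global Identity Certificate."""
    return parsed["interfaces"].get(intf, {}).get("cert") or parsed["global_cert"]

def findings(parsed):
    """One line per SSL VPN interface, plus a flag when decrypted traffic skips the ACP."""
    out = [f"{i}: DTLS {'on' if a['dtls'] else 'off'}, cert {effective_cert(parsed, i)}"
           for i, a in parsed["interfaces"].items() if "dtls" in a]
    if parsed["bypass_acp"]:
        out.append("sysopt permit-vpn set: decrypted traffic bypasses the access control "
                   "policy; only the VPN filter ACL and AAA-downloaded ACLs still apply")
    return out
```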