Create a New Remote Access VPN Policy
You can add a new remote access VPN Policy only by using the Remote Access VPN Policy wizard. The wizard guides you to quickly and easily set up remote access VPNs with basic capabilities. Further, you can enhance the policy configuration by specifying additional attributes as desired and deploy it to your Firepower Threat Defense secure gateway devices.
Before you begin
- Ensure that you complete all the prerequisites listed in Prerequisites for Configuring Remote Access VPN.
Procedure
Step 1: Choose .
Step 2: Click Add to create a new Remote Access VPN Policy using a wizard that walks you through a basic policy configuration. You must proceed through the entire wizard to create a new policy; the policy is not saved if you cancel before completing the wizard.
Step 3: Select the Target Devices and Protocols. The Firepower Threat Defense devices selected here function as the remote access VPN gateways for your VPN client users. You can select devices from the list or add a new device. You can select Firepower Threat Defense devices when you create the remote access VPN policy or change them later. See Setting Target Devices for a Remote Access VPN Policy. You can select SSL, IPSec-IKEv2, or both VPN protocols; Firepower Threat Defense supports both for establishing secure connections over a public network through VPN tunnels.
For SSL settings, see Configure SSL Settings.
Step 4: Configure the Connection Profile and Group Policy settings. A connection profile specifies a set of parameters that define how remote users connect to the VPN device. The parameters include settings and attributes for authentication, address assignment to VPN clients, and group policies. The Firepower Threat Defense device provides a default connection profile named DefaultWEBVPNGroup when you configure a remote access VPN policy. For more information, see Configure Connection Profile Settings. For information about configuring,
A group policy is a set of attribute and value pairs, stored in a group policy object, that define the remote access VPN experience for VPN users. Using the group policy you configure attributes such as the user authorization profile, IP addresses, AnyConnect settings, VLAN mapping, and user session settings. The RADIUS authorization server assigns the group policy, or it is obtained from the current connection profile. For more information, see Configuring Group Policies.
Step 5: Select the AnyConnect Client Image that VPN users will use to connect to the remote access VPN. The Cisco AnyConnect Secure Mobility client provides secure SSL or IPSec (IKEv2) connections to the Firepower Threat Defense device for remote users with full VPN profiling to corporate resources. After the remote access VPN policy is deployed on the Firepower Threat Defense device, VPN users can enter the IP address of the configured device interface in their browser to download and install the AnyConnect client. For information about configuring the AnyConnect client profile and client modules, see Group Policy AnyConnect Options.
Step 6: Select the Network Interface and Identity Certificate. Interface objects segment your network to help you manage and classify traffic flow. A security zone object simply groups interfaces. These groups may span multiple devices; you can also configure multiple zone interface objects on a single device. There are two types of interface objects:
Step 7: View the Summary of the Remote Access VPN policy configuration. The Summary page displays all the remote access VPN settings you have configured so far and provides links to the additional configuration that must be completed before deploying the remote access VPN policy on the selected devices. Click Back to make changes to the configuration, if required.
Step 8: Click Finish to complete the basic configuration for the remote access VPN policy. When you have completed the remote access VPN policy using the wizard, it returns you to the policy listing page. Set up DNS configuration, configure access control for VPN users, and enable NAT exemption (if necessary) to complete a basic RA VPN Policy configuration. Then, deploy the configuration and establish VPN connections.
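The wizard covers Steps 3 through 6, and Step 8 lists the tasks that still have to be done before deployment. The following pre-deployment review script is an added example written for this page; it is not Cisco code and does not use the Firepower Management Center API. It models the policy as a plain dictionary whose keys (target_devices, protocols, connection_profile, anyconnect_images, interface, identity_certificate, dns_configured, access_control_configured, nat_exemption) are assumed names chosen to mirror the wizard pages, and reports every item from the procedure that is still missing, so an operator reviewing a policy exported from a change ticket can see what is incomplete before pushing it to a gateway.

```python
"""Pre-deployment completeness check for a remote access VPN policy.

Added illustration, not Cisco Firepower Management Center code or its API:
the policy is a plain dict whose keys (assumed names) mirror the wizard
pages above and the follow-up tasks the Finish step names.
"""

SUPPORTED_PROTOCOLS = {"SSL", "IPSec-IKEv2"}
DEFAULT_CONNECTION_PROFILE = "DefaultWEBVPNGroup"


def check_policy(policy: dict) -> list[str]:
    """Return findings that block deployment; an empty list means the policy is complete."""
    findings: list[str] = []

    # Step 3: at least one FTD gateway and at least one supported protocol.
    if not policy.get("target_devices"):
        findings.append("no target Firepower Threat Defense device selected")
    protocols = set(policy.get("protocols", []))
    if not protocols:
        findings.append("no VPN protocol selected (SSL, IPSec-IKEv2, or both)")
    unsupported = sorted(protocols - SUPPORTED_PROTOCOLS)
    if unsupported:
        findings.append(f"unsupported protocol(s): {', '.join(unsupported)}")

    # Step 4: a connection profile (authentication, client address assignment)
    # and the group policy it maps to.
    profile = policy.get("connection_profile") or {}
    name = profile.get("name") or DEFAULT_CONNECTION_PROFILE
    if not profile.get("authentication"):
        findings.append(f"connection profile {name}: no authentication method")
    if not profile.get("address_pool"):
        findings.append(f"connection profile {name}: no client address assignment")
    if not profile.get("group_policy"):
        findings.append(f"connection profile {name}: no group policy")

    # Step 5: at least one AnyConnect client image for users to download.
    if not policy.get("anyconnect_images"):
        findings.append("no AnyConnect client image selected")

    # Step 6: the interface users connect to and the identity certificate it presents.
    if not policy.get("interface"):
        findings.append("no network interface selected")
    if not policy.get("identity_certificate"):
        findings.append("no identity certificate selected")

    # Step 8 follow-ups: DNS and access control are always required. NAT
    # exemption is needed only when VPN traffic would otherwise be translated,
    # so an undecided value (None) is reported rather than silently assumed.
    if not policy.get("dns_configured"):
        findings.append("DNS configuration not completed")
    if not policy.get("access_control_configured"):
        findings.append("access control for VPN users not configured")
    if policy.get("nat_exemption") is None:
        findings.append("NAT exemption not decided (required if VPN traffic would be translated)")

    return findings


def ready_to_deploy(policy: dict) -> bool:
    """True only when no finding remains."""
    return not check_policy(policy)


# Constructed sample (device, pool, certificate and image names are made up):
# a policy as it looks right after Finish, before the follow-up tasks are done.
SAMPLE_AFTER_WIZARD = {
    "target_devices": ["ftd-branch-01"],
    "protocols": ["SSL", "IPSec-IKEv2"],
    "connection_profile": {
        "name": DEFAULT_CONNECTION_PROFILE,
        "authentication": "AAA",
        "address_pool": "vpn-pool-10.10.0.0/24",
        "group_policy": "vpn-users-gp",
    },
    "anyconnect_images": ["anyconnect-sample-webdeploy.pkg"],
    "interface": "outside",
    "identity_certificate": "ra-vpn-cert",
    "dns_configured": False,
    "access_control_configured": False,
    "nat_exemption": None,
}


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_AFTER_WIZARD):
        print("-", finding)
```

Run stand-alone, the script lists the three Step 8 tasks still open for the sample policy; once dns_configured and access_control_configured are set and nat_exemption has been decided either way, ready_to_deploy returns True. The check deliberately treats an unset NAT exemption as a finding: the procedure makes it conditional, and the safer default is to record the decision rather than infer it.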