Update the Access Control Policy on the Firepower Threat Defense Device

Before deploying the remote access VPN policy, you must update the access control policy on the targeted Firepower Threat Defense device with a rule that allows VPN traffic. The rule must allow traffic arriving on the outside interface whose source is the configured VPN address pool network(s) and whose destination is the corporate network.

Note

If you have selected the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) option on the Access Interface tab, you need not update the access control policy for remote access VPN.

Enable or disable the option for all your VPN connections. If you disable this option, make sure that the traffic is allowed by the access control policy or pre-filter policy.

For more information, see Configure Access Interfaces for Remote Access VPN.

Before you begin

Complete the remote access VPN policy configuration using the Remote Access VPN Policy wizard.

Procedure

Step 1

On your Cisco Defense Orchestrator web interface, choose Policies > Access Control.

Step 2

Select the access control policy assigned to the target devices where the remote access VPN policy will be deployed and click Edit.

Step 3

Click Add Rule to add a new rule.

Step 4

Specify the Name for the rule and select Enabled.

Step 5

Select the Action, Allow or Trust.

Step 6

Select the following on the Zones tab:

  1. Select the outside zone from Available Zones and click Add to Source.

  2. Select the inside zone from Available Zones and click Add to Destination.

Step 7

Select the following on the Networks tab:

  1. Select the inside network (inside interface and/or a corporate network) from Available Networks and click Add to Destination.

  2. Select the VPN address pool network from Available Networks and click Add to Source Networks.

Step 8

Configure other required access control rule settings and click Add.

Step 9

Save the rule and access control policy.
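As an added example (not Cisco's code and not any FTD export or API format), the following Python models the rule built in Steps 4 through 7 as data and evaluates sample flows against it with first-match semantics. It lets you check that traffic from the VPN pool in the outside zone reaches the corporate network while other outside sources still fall through to the default block, and that the rule's source is pinned to the pool rather than "any". The pool and corporate prefixes, the zone names and the default action are constructed assumptions.

```python
import ipaddress

# Constructed placeholders; substitute your own VPN pool and corporate network.
VPN_POOL = "10.10.10.0/24"
CORP_NET = "192.168.1.0/24"

# Rule list in policy order, modelled after Steps 4-7 (assumed data model, not Cisco's).
RULES = [
    {"name": "RA-VPN-to-Corp", "enabled": True, "action": "Allow",
     "src_zones": {"outside"}, "dst_zones": {"inside"},
     "src_nets": [VPN_POOL], "dst_nets": [CORP_NET]},
]


def _net_match(nets, ip):
    """An empty list or 'any' matches every address; otherwise match a listed prefix."""
    if not nets or "any" in nets:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip,
             sysopt_permit_vpn=False, decrypted_vpn=False):
    """Return the action applied to a flow: first enabled matching rule wins.

    sysopt_permit_vpn models the 'Bypass Access Control policy for decrypted
    traffic' option: decrypted VPN traffic is then allowed without consulting rules.
    Unmatched flows get the policy default action, assumed here to be Block.
    """
    if sysopt_permit_vpn and decrypted_vpn:
        return "Allow"
    for r in rules:
        if not r["enabled"]:
            continue
        if src_zone not in r["src_zones"] or dst_zone not in r["dst_zones"]:
            continue
        if _net_match(r["src_nets"], src_ip) and _net_match(r["dst_nets"], dst_ip):
            return r["action"]
    return "Block"


def overly_broad(rule):
    """True when a VPN rule's source is not restricted to the pool (empty or 'any')."""
    return not rule["src_nets"] or "any" in rule["src_nets"]
```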