Configure Access Interfaces for Remote Access VPN

The Access Interface table lists the interface groups and security zones that contain the device interfaces. These are configured for remote access SSL or IPsec IKEv2 VPN connections. The table displays the name of each interface group or security-zone, the interface trustpoints used by the interface, and whether Datagram Transport Layer Security (DTLS) is enabled.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Click the Access Interface tab.

Step 4

To add an access interface, click + and specify values for the following in the Add Access Interface dialog box:

  1. Access Interface—Select the interface group or security zone to which the interface belongs.

    The interface group or security zone must be a Routed type. Other interface types are not supported for remote access VPN connectivity.

  2. Associate the Protocol object with the access interface by selecting the following options:

    • Enable IPSet-IKEv2—Select this option to enable IKEv2 settings.

    • Enable SSL—Select this option to enable SSL settings.

      • Select Enable Datagram Transport Layer Security.

        When selected, it enables Datagram Transport Layer Security (DTLS) on the interface and allows the AnyConnect VPN module of Cisco Secure Client to establish an SSL VPN connection using two simultaneous tunnels—an SSL tunnel and a DTLS tunnel.

        Enabling DTLS avoids the latency and bandwidth problems associated with certain SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

        To configure SSL settings, and TLS and DTLS versions, see About SSL Settings.

        To configure SSL settings for the AnyConnect VPN module of Cisco Secure Client, see Group Policy Secure Client Options.

      • Select the Configure Interface Specific Identity Certificate check box and select Interface Identity Certificate from the drop-down list.

        If you do not select the Interface Identity Certificate, the Trustpoint will be used by default.

        If you do not select the Interface Identity Certificate or Trustpoint, the SSL Global Identity Certificate will be used by default.

  3. Click OK to save the changes.

Step 5

Select the following under Access Settings:

  • Allow Users to select connection profile while logging in—If you have multiple connection profiles, check this check box to allow user to select the correct connection profile during login. You must select this option for IPsec-IKEv2 VPNs.

  • Enable HTTP-only VPN Cookies—Check this check box to enable HTTP-only VPN cookies.

Step 6

Use the following options to configure SSL Settings:

  • Web Access Port Number—The port to use for VPN sessions. The default port is 443.

  • DTLS Port Number—The UDP port to use for DTLS connections. The default port is 443.

  • SSL Global Identity Certificate— The selected SSL Global Identity Certificate will be used for all the associated interfaces if the Interface Specific Identity Certificate is not provided.

Step 7

For IPsec-IKEv2 Settings, select the IKEv2 Identity Certificate from the list or add an identity certificate.

Step 8

Configure Service Access Control. Choose a service access object from the Service Access Object drop-down list or click + to create a new object.

You can use a service access object to control remote clients' access to VPN on threat defense devices with Version 7.7 or later. This object provides geolocation-based access control to clients before VPN authentication. By default, there is no access control for RA VPN, and remote clients can connect from any geolocation unless specified by a service access object. For more information, see Manage VPN Access of Remote Users Based on Geolocationand Configure a Service Access Object.

Step 9

Under the Access Control for VPN Traffic section, select the following option if you want to bypass access control policy:

  • Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) — Decrypted traffic is subjected to Access Control Policy inspection by default. Enabling the Bypass Access Control policy for decrypted traffic option bypasses the ACL inspection, but VPN Filter ACL and authorization ACL downloaded from AAA server are still applied to VPN traffic.

    Note

    If you select this option, you need not update the access control policy for remote access VPN as specified in Update the Access Control Policy on the Secure Firewall Threat Defense Device.

Step 10

Click Save to save the access interface changes.