Remote Access

Version:

Location in GUI: Secure Connections » Remote Access VPN

Diagram

Classes

vpns (fmc.domains)

Name	Type	Constraint	Mandatory	Default Value
remote_access	List	`[remote_access]`	No

remote_access (fmc.domains.vpns)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
description	String	max: `255`	No
protocol_ssl	Boolean	`true`, `false`	No	`true`
protocol_ipsec_ikev2	Boolean	`true`, `false`	No	`true`
local_realm	String		No
access_interfaces	List	`[access_interfaces]`	Yes
allow_users_to_select_connection_profile	Boolean	`true`, `false`	No	`true`
web_access_port	Integer	min: `1`, max: `65535`	No	`443`
dtls_port	Integer	min: `1`, max: `65535`	No	`443`
ssl_global_identity_certificate	String		No
ipsec_ikev2_identity_certificate	String		No
service_access	String		No
bypass_access_control_policy_for_decrypted_traffic	Boolean	`true`, `false`	No	`false`
secure_client_images	List	`[secure_client_images]`	No
group_policies	List	String	No
ipsec_ikev2_policies	List	String	No
secure_client_customizations	Class	`[secure_client_customizations]`	No
address_assignment_policy	Class	`[address_assignment_policy]`	No
certificate_map	Class	`[certificate_map]`	No
connection_profiles	List	`[connection_profiles]`	No
ldap_attribute_maps	List	`[ldap_attribute_maps]`	No
load_balancing	Class	`[load_balancing]`	No
ipsec_crypto_maps	List	`[ipsec_crypto_maps]`	No
ipsec_ike_parameters	Class	`[ipsec_ike_parameters]`	No

access_interfaces (fmc.domains.vpns.remote_access)

Name	Type	Constraint	Mandatory
name	String		Yes
protocol_ssl	Boolean	`true`, `false`	No
protocol_ipsec_ikev2	Boolean	`true`, `false`	No
protocol_ssl_dtls	Boolean	`true`, `false`	No
interface_specific_certificate	String		No

secure_client_images (fmc.domains.vpns.remote_access)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
operating_system	Choice	`WINDOWS`, `MAC`, `LINUX`	Yes

secure_client_customizations (fmc.domains.vpns.remote_access)

Name	Type	Constraint	Mandatory
gui_and_text_messages	List	String	No
icons_and_images	List	String	No
scripts	List	String	No
binaries	List	String	No
custom_installer_transforms	List	String	No
localized_installer_transforms	List	String	No

address_assignment_policy (fmc.domains.vpns.remote_access)

Name	Type	Constraint	Mandatory
ipv4_use_authorization_server	Boolean	`true`, `false`	No
ipv4_use_dhcp	Boolean	`true`, `false`	No
ipv4_use_internal_address_pool	Boolean	`true`, `false`	No
ipv4_internal_address_pool_reuse_interval	Integer	min: `0`, max: `480`	No
ipv6_use_authorization_server	Boolean	`true`, `false`	No
ipv6_use_internal_address_pool	Boolean	`true`, `false`	No

certificate_map (fmc.domains.vpns.remote_access)

Name	Type	Constraint	Mandatory	Default Value
use_alias_url	Boolean	`true`, `false`	No
certificate_to_connection_profile_mappings	List	`[certificate_to_connection_profile_mappings]`	No

connection_profiles (fmc.domains.vpns.remote_access)

Name	Type	Constraint	Mandatory
name	String		Yes
group_policy	String		Yes
ipv4_address_pools	List	String	No
ipv6_address_pools	List	String	No
dhcp_servers	List	String	No
authentication_method	Choice	`AAA_ONLY`, `SAML`, `CLIENT_CERTIFICATE_ONLY`, `AAA_AND_CLIENT_CERTIFICATE`, `SAML_AND_CLIENT_CERTIFICATE`	Yes
multiple_certificate_authentication	Boolean	`true`, `false`	No
primary_authentication	Class	`[primary_authentication]`	Yes
secondary_authentication	Class	`[secondary_authentication]`	No
saml_and_certificate_username_must_match	Boolean	`true`, `false`	No
saml_use_external_browser	Boolean	`true`, `false`	No
authorization_server	String		No
allow_connection_only_if_user_exists_in_authorization_database	Boolean	`true`, `false`	No
accounting_server	String		No
strip_realm_from_username	Boolean	`true`, `false`	No
strip_group_from_username	Boolean	`true`, `false`	No
password_management_notify_user_on_password_expiry_day	Boolean	`true`, `false`	No
password_management_advance_password_expiration_notification	Integer	min: `1`, max: `180`	No
alias_names	List	`[alias_names]`	No
alias_urls	List	`[alias_urls]`	No

ldap_attribute_maps (fmc.domains.vpns.remote_access)

Name	Type	Constraint	Mandatory	Default Value
ad_ldap_realm	String		Yes
attribute_maps	List	`[attribute_maps]`	Yes

load_balancing (fmc.domains.vpns.remote_access)

Name	Type	Constraint	Mandatory	Default Value
ipv4_group_address	IP		Yes
ipv6_group_address	IP		No
interface	String		Yes
port	Integer	min: `1`, max: `65535`	No	`9023`
ipsec_encryption_key	String	min: `4`, max: `16`	No
send_fqdn_to_peer_devices_instead_of_ip	Boolean	`true`, `false`	No	`false`
ikev2_redirect_phase	Choice	`DURING_SA_AUTHENTICATION`, `DURING_SA_INITIALIZATION`	No	`DURING_SA_AUTHENTICATION`

ipsec_crypto_maps (fmc.domains.vpns.remote_access)

Name	Type	Constraint	Mandatory	Default Value
interface	String		Yes
ikev2_ipsec_proposals	List	String	Yes
reverse_route_injection	Boolean	`true`, `false`	No	`true`
client_services_port	Integer	min: `1`, max: `65535`	No	`443`
perfect_forward_secrecy_modulus_group	Choice	`1`, `2`, `5`, `14`, `15`, `16`, `19`, `20`, `21`, `24`, `31`	No
lifetime_duration	Integer	min: `120`, max: `2147483647`	No
lifetime_size	Integer	min: `10`, max: `2147483647`	No	`4608000`
validate_incoming_icmp_error_messages	Boolean	`true`, `false`	No	`false`
do_not_fragment_policy	Choice	`SET`, `COPY`, `CLEAR`, `NONE`	No	`NONE`
tfc_burst_bytes	Integer	min: `0`, max: `16`	No
tfc_payload_bytes	Integer	min: `0`, max: `1024`	No
tfc_timeout	Integer	min: `0`, max: `60`	No

ipsec_ike_parameters (fmc.domains.vpns.remote_access)

Name	Type	Constraint	Mandatory	Default Value
ikev2_identity_sent_to_peer	Choice	`IP_ADDRESS`, `HOST_NAME`, `AUTO_OR_DN`	No	`AUTO_OR_DN`
ikev2_notification_on_tunnel_disconnect	Boolean	`true`, `false`	No	`false`
ikev2_do_not_reboot_until_all_sessions_are_terminated	Boolean	`true`, `false`	No	`false`
ikev2_cookie_challenge	Choice	`CUSTOM`, `ALWAYS`, `NEVER`	No	`CUSTOM`
ikev2_threshold_to_challenge_incoming_cookies	Integer	min: `1`, max: `100`	No	`50`
ikev2_number_of_sas_allowed_in_negotiation	Integer	min: `1`, max: `100`	No	`100`
ikev2_maximum_number_of_sas_allowed	Integer		No	`-1`
ipsec_path_maximum_transmission_unit_aging_reset_interval	Integer	min: `10`, max: `30`	No
nat_keepalive_message_traversal_interval	Integer	min: `10`, max: `3600`	No	`20`

certificate_to_connection_profile_mappings (fmc.domains.vpns.remote_access.certificate_map)

Name	Type	Constraint	Mandatory	Default Value
certificate_map	String		Yes
connection_profile	String		Yes

primary_authentication (fmc.domains.vpns.remote_access.connection_profiles)

Name	Type	Constraint	Mandatory
server	Any	Choice[`LOCAL`] or String	Yes
fallback_to_local	Boolean	`true`, `false`	No
prefill_username_from_certificate_map_primary_field	Choice	`CN_COMMMON_NAME`, `C_COUNTRY`, `DNQ_DN_QUALIFIER`, `EA_EMAIL_ADDRESS`, `GENQ_GENERATIONAL_QUALIFIER`, `GN_GIVEN_NAME`, `I_INITIAL`, `L_LOCALITY`, `N_NAME`, `O_ORGANISATION`, `OU_ORGANISATIONAL_UNIT`, `SER_SERIAL_NUMBER`, `SN_SURNAME`, `SP_STATE_PROVINCE`, `T_TITLE`, `UID_USER_ID`, `UPN_USER_PRINCIPAL_NAME`, `NONE`	No
prefill_username_from_certificate_map_secondary_field	Choice	`CN_COMMMON_NAME`, `C_COUNTRY`, `DNQ_DN_QUALIFIER`, `EA_EMAIL_ADDRESS`, `GENQ_GENERATIONAL_QUALIFIER`, `GN_GIVEN_NAME`, `I_INITIAL`, `L_LOCALITY`, `N_NAME`, `O_ORGANISATION`, `OU_ORGANISATIONAL_UNIT`, `SER_SERIAL_NUMBER`, `SN_SURNAME`, `SP_STATE_PROVINCE`, `T_TITLE`, `UID_USER_ID`, `UPN_USER_PRINCIPAL_NAME`, `NONE`	No
prefill_username_from_certificate_map_entire_dn	Boolean	`true`, `false`	No
hide_username_in_login_window	Boolean	`true`, `false`	No

secondary_authentication (fmc.domains.vpns.remote_access.connection_profiles)

Name	Type	Constraint	Mandatory
server	Any	Choice[`LOCAL`] or String	Yes
fallback_to_local	Boolean	`true`, `false`	No
prompt_for_username	Boolean	`true`, `false`	No
use_primary_authentication_username	Boolean	`true`, `false`	No
use_secondary_authentication_username_for_reporting	Boolean	`true`, `false`	No

alias_names (fmc.domains.vpns.remote_access.connection_profiles)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
enabled	Boolean	`true`, `false`	No

alias_urls (fmc.domains.vpns.remote_access.connection_profiles)

Name	Type	Constraint	Mandatory	Default Value
url_object	String		Yes
enabled	Boolean	`true`, `false`	No

attribute_maps (fmc.domains.vpns.remote_access.ldap_attribute_maps)

Name	Type	Constraint	Mandatory
ldap_attribute_name	String		Yes
cisco_attribute_name	String		Yes
value_maps	List	`[value_maps]`	No

value_maps (fmc.domains.vpns.remote_access.ldap_attribute_maps.attribute_maps)

Name	Type	Constraint	Mandatory	Default Value
ldap_attribute_value	String		Yes
cisco_attribute_value	String		Yes

Examples

Pre-requisites:

existing:
  fmc:
    domains:
      - name: Global
        objects:
          group_policies:
            - name: DfltGrpPolicy
fmc:
  domains:
    - name: Global
      objects:

        hosts:
          - name: MyHostName1
            ip: 10.10.10.1

        security_zones:
          - name: MySecurityZoneName1

        interface_groups:
          - name: MyInterfaceGroupName1

        certificate_enrollments:
          - name: MyCertificateEnrollmentName1
            description: PKCS12 certificate enrollment example
            enrollment_type: PKCS12
            pkcs12:
              certificate_file: files/cert.p12
              passphrase: cisco123

        secure_client_images:
          - name: MySecureClientImageName1
            description: My Secure Client Image Description 1
            path: files/cisco-secure-client-win-arm64-5.1.9.113-webdeploy-k9.pkg

        ikev2_policies:
          - name: MyIKEv2Policy1
            dh_groups:
              - 14
              - 24
            encryption_algorithms:
              - AES-256
              - AES-GCM-256
            integrity_algorithms:
              - SHA-256
              - SHA-384
            lifetime: 28800
            priority: 1
            prf_algorithms:
              - SHA-256

        radius_server_groups:
          - name: MyRadiusServerGroupName1
            description: "Radius Server Group Description 1"
            dynamic_authorization_port: 1700
            radius_servers:
              - hostname: "radius1.example.com"
                key: SecretKey1
              - hostname: "radius2.example.com"
                key: SecretKey2
                interface: MySecurityZoneName1
              - hostname: "radius3.example.com"
                key: SecretKey3
                interface: MyInterfaceGroupName1

Site-to-site VPN:

fmc:
  domains:
    - name: Global
      vpns:
        remote_access:
          - name: MyRemoteAccessVPNName1
            description: My remote access VPN description
            protocol_ssl: true
            protocol_ipsec_ikev2: true
            access_interfaces:
              - name: MySecurityZoneName1
                protocol_ssl: true
                protocol_ipsec_ikev2: true
                protocol_ssl_dtls: true
            ssl_global_identity_certificate: MyCertificateEnrollmentName1
            ipsec_ikev2_identity_certificate: MyCertificateEnrollmentName1
            secure_client_images:
              - name: MySecureClientImageName1
                operating_system: WINDOWS
            group_policies:
              - DfltGrpPolicy
            ipsec_ikev2_policies:
              - MyIKEv2Policy1
            address_assignment_policy:
              ipv4_use_dhcp: true
            connection_profiles:
              - name: MyConnectionProfileName2
                group_policy: MyGroupPolicyName1
                dhcp_servers:
                  - MyHostName1
                authentication_method: AAA_ONLY
                primary_authentication:
                  server: MyRadiusServerGroupName1
            load_balancing:
              ipv4_group_address: 10.20.1.1
              interface: MyInterfaceGroupName1
              port: 4445
            ipsec_crypto_maps:
              - interface: MySecurityZoneName1
                ikev2_ipsec_proposals:
                  - MyIKEv2IPSecProposal1
                lifetime_duration: 25500
            ipsec_ike_parameters:
              nat_keepalive_message_traversal_interval: 30