TTechclick ⚡ XP 0% All lessons
Cisco · Secure Firewall · FTD VPNInteractive · L1 / L2 / L3

VPN on Cisco Secure Firewall (FTD) — Site-to-Site, VTI & Remote Access

Cisco Secure Firewall does VPN in the LINA data plane: site-to-site IKEv2/IPsec — policy-based or route-based over a VTI — and Remote Access with Cisco Secure Client. This lesson maps the topologies, walks the IKE phases, breaks down the crypto and RA VPN building blocks, and shows the NAT-exempt rule that keeps tunnel traffic from being PATed.

📅 2026-06-18 · ⏱ 15 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to VPN on Cisco Secure Firewall Threat Defense (2026): site-to-site IKEv2/IPsec — policy-based (crypto-map/ACL) vs route-based with a VTI — FMC topologies (point-to-point, hub-and-spoke, full mesh), the IKE SA (phase 1) and IPsec SA (phase 2) phases, crypto building blocks, and Remote Access VPN with Cisco Secure Client (formerly AnyConnect) over SSL/TLS or IKEv2 with connection profiles, group policies, address pools, AAA, SAML and the NAT-exempt rule VPN traffic needs.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

S2S basics

IKEv2 IPsec — policy-based vs route-based VTI.

 2

Topologies & phases

P2P, hub-spoke, mesh & IKE phase 1/2.

 3

Remote Access

Cisco Secure Client, profiles, protocols.

 4

AAA & NAT-exempt

Certs, SAML & keeping VPN out of PAT.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What selects the interesting traffic in a route-based VPN?

Answered in S2S basics.

2. What does IKE phase 1 (the IKE SA) actually do?

Answered in Topologies & phases.

3. What is the new name for the AnyConnect remote-access client?

Answered in Remote Access.

Most engineers think…

Most people think 'a VPN is a VPN' and configure every tunnel as a crypto-map with an ACL. That works for a couple of peers, then collapses the moment you need dynamic routing, many subnets or a clean remote-access setup.

On Cisco Secure Firewall, VPN runs in the LINA data plane and comes in distinct shapes. Site-to-site is either policy-based (an ACL picks the interesting traffic) or route-based using a VTI where you simply route into the tunnel. Tunnels build in two phases — the IKE SA authenticates peers, the IPsec SA protects data. Remote Access uses Cisco Secure Client (the rebranded AnyConnect) with connection profiles, group policies, address pools and AAA. And every one of them needs a NAT-exempt rule so the traffic is not PATed out of the tunnel. Knowing those shapes is the difference between 'the tunnel is up' and 'the tunnel actually carries traffic'.

① Site-to-site: IKEv2/IPsec — policy-based vs route-based (VTI)

Site-to-site VPN joins two networks with an encrypted IKEv2/IPsec tunnel, and on FTD it comes in two flavours.

Policy-based (the classic crypto-map style) selects what to encrypt with a crypto ACL — the 'interesting traffic'. Anything matching the ACL goes in the tunnel; anything else does not. It is precise but rigid, and it does not play nicely with dynamic routing.

Route-based with a VTI

Route-based VPN uses a VTI (Virtual Tunnel Interface). Instead of an ACL, you just route traffic into the tunnel interface — whatever you send to the VTI is encrypted. This is far cleaner for many subnets, supports dynamic routing protocols (BGP/OSPF) over the tunnel, and is the modern default for new designs.

Figure 1 — Policy-based vs route-based (VTI) S2S VPN
Policy-based picks traffic with an ACL; route-based routes traffic into a VTI and supports dynamic routing.Policy-based vs route-based (VTI) S2S VPNPolicy-based (crypto ACL)Crypto ACL selects interestingRigid — list every subnet pairNo dynamic routing over tunnelClassic crypto-map styleRoute-based (VTI)Route traffic into the tunnelClean for many subnetsSupports BGP / OSPF over tunnelModern default for new designs
Policy-based picks traffic with an ACL; route-based routes traffic into a VTI and supports dynamic routing.
Quick check · Q1 of 10 · Understand

In a route-based (VTI) site-to-site VPN, what decides which traffic is encrypted?

Correct: b. Route-based VPN uses a VTI: you route traffic into the tunnel interface and whatever is routed there is encrypted. The crypto-ACL approach is policy-based VPN, the other style.
👉 So far: Site-to-site VPN on FTD is IKEv2/IPsec, either policy-based (a crypto ACL selects interesting traffic) or route-based using a VTI (route traffic in; it supports dynamic routing).

② S2S topologies in FMC & the IKE phases

In FMC you build site-to-site VPN as a topology, and there are three shapes. Point-to-point connects two peers directly. Hub-and-spoke has every branch (spoke) tunnel back to a central hub, which is how most enterprises run it. Full mesh connects every site to every other site — most resilient, most tunnels to manage.

How a tunnel comes up — two phases

Every IPsec tunnel builds in two phases. IKE SA (phase 1) authenticates the peers (pre-shared key or certificate) and builds a secure, encrypted management channel between them. IPsec SA (phase 2) then negotiates, over that protected channel, the keys and parameters that actually protect the data. Phase 1 builds the secure room; phase 2 carries the cargo. If phase 1 fails it is usually auth or IKE policy mismatch; if phase 2 fails it is usually a transform/proposal or interesting-traffic mismatch.

Figure 2 — FMC site-to-site topologies
FMC builds S2S as a topology — point-to-point, hub-and-spoke or full mesh.FMC site-to-site topologiesS2S topologybuilt in FMCPoint-to-pointHub-and-spokeFull meshIKEv2 / IPsecPSK or cert auth
FMC builds S2S as a topology — point-to-point, hub-and-spoke or full mesh.
Figure 3 — How an IPsec tunnel comes up
Phase 1 authenticates the peers and builds the secure channel; phase 2 negotiates the keys that protect the data.How an IPsec tunnel comes upIKE SAphase 1 — authenticateSecure channelencrypted mgmt pathIPsec SAphase 2 — protect dataTunnel uptraffic encrypted(ESP)
Phase 1 authenticates the peers and builds the secure channel; phase 2 negotiates the keys that protect the data.
🧷
Policy-based VPN
tap to flip

A crypto ACL selects the interesting traffic. Precise but rigid, no dynamic routing — the classic crypto-map style.

🛣️
Route-based VTI
tap to flip

A Virtual Tunnel Interface you route traffic into. Whatever you route to it is encrypted, and it supports BGP/OSPF over the tunnel.

🤝
IKE phases
tap to flip

Phase 1 (IKE SA) authenticates the peers and builds the secure channel; phase 2 (IPsec SA) negotiates the keys that protect the data.

💻
Cisco Secure Client
tap to flip

The rebranded AnyConnect. The RA VPN client connects over SSL/TLS or IKEv2 to a connection profile and gets a group policy and an address pool IP.

Name the two phases cleanly

In an interview, say it crisply: phase 1 (the IKE SA) authenticates the peers and builds the secure channel; phase 2 (the IPsec SA) negotiates the keys that protect the data. Phase-1 failures are usually auth or IKE policy mismatches; phase-2 failures are usually transform/proposal or interesting-traffic mismatches. Knowing which phase fails tells you where to look.

Quick check · Q2 of 10 · Remember

What does IKE phase 1 (the IKE SA) accomplish?

Correct: c. Phase 1 / the IKE SA authenticates the peers (PSK or certificate) and builds the secure, encrypted channel. Phase 2 / the IPsec SA then negotiates the keys that protect the actual data.
👉 So far: FMC topologies: point-to-point, hub-and-spoke, full mesh. Tunnels build in two phases: IKE SA (phase 1) authenticates and builds the channel, IPsec SA (phase 2) protects the data.

③ Remote Access VPN with Cisco Secure Client

Remote Access VPN (RA VPN) brings individual users in. The client is Cisco Secure Client — the rebranded AnyConnect — and it connects over SSL/TLS or IKEv2.

On the FTD side you assemble RA VPN from a few layers. A connection profile (tunnel-group) is what a user actually connects to — it ties together the authentication method and the policies. A group policy defines what the connected session gets — split tunnelling, DNS, timeouts, allowed protocols. An address pool hands the remote user an inside IP for the duration of the session. The client downloads its config, authenticates, gets an address and is on the network.

The interview line: connection profile = what you connect to, group policy = what you get, address pool = the IP you are given.

Figure 4 — RA VPN config layers
Remote Access is assembled in layers — what you connect to, what you get, the IP you are given, and how you authenticate.RA VPN config layersConnection profilewhat the user connects toGroup policysplit tunnel, DNS, timeoutsAddress poolinside IP for the sessionAAARADIUS/ISE, LDAP, SAML
Remote Access is assembled in layers — what you connect to, what you get, the IP you are given, and how you authenticate.
Confusing connection profile with group policy

The connection profile (tunnel-group) is WHAT the user connects to and how they authenticate; the group policy is WHAT the session gets — split tunnel, DNS, timeouts. Mixing them up is the classic RA VPN slip. Profile = the door; group policy = the room you walk into; address pool = the IP badge you are handed.

▶ Watch a remote worker connect by RA VPN — then break it

How a Cisco Secure Client session is built end-to-end, and the classic failure when the NAT-exempt rule is missing. Press Play for the healthy path, then Break it.

① ConnectA remote worker launches Cisco Secure Client and connects to the FTD's RA VPN connection profile over TLS.
② Authenticate (AAA)FTD forwards credentials to AAA — RADIUS to Cisco ISE — which authenticates the user (and can enforce MFA).
③ Assign IP + tunnel upThe group policy applies and an IP is assigned from the address pool; the IPsec/TLS tunnel is fully established.
④ Reach internal appThe user's traffic to the internal subnet is NAT-exempt, stays in the tunnel and reaches the internal application. Done.
Press Play to step through the healthy RA VPN connection. Then press Break it.
Quick check · Q3 of 10 · Remember

What is the current name of the AnyConnect remote-access client?

Correct: a. Cisco rebranded AnyConnect to Cisco Secure Client. It is the RA VPN client and connects over SSL/TLS or IKEv2.
👉 So far: RA VPN uses Cisco Secure Client (formerly AnyConnect) over SSL/TLS or IKEv2. Connection profile = what you connect to, group policy = what you get, address pool = the IP you are given.

④ AAA, certificates, SAML & NAT-exempt for VPN

Authentication for RA VPN runs through AAA. Common back-ends: RADIUS (often to Cisco ISE) for authentication, MFA and authorization; LDAP/Active Directory for directory auth; and SAML for SSO to a cloud identity provider. You can also use certificate authentication, and combine factors. Beyond auth, posture / DAP (Dynamic Access Policy) can check the device's health and adjust what the session is allowed to do.

The rule everyone forgets

VPN-interesting traffic must reach the tunnel with its real source IP. If a broad dynamic PAT rule catches it first, it is translated and never enters the tunnel. The fix — shared with the NAT lesson — is a NAT-exempt rule for the pool ↔ internal subnets, placed in NAT Section 1, above the PAT rule.

Figure 5 — A remote worker connects via Secure Client
Client connects, AAA authenticates, an IP is assigned, the tunnel comes up and the user reaches the internal app.A remote worker connects via Secure ClientSecure Clientconnect over TLS/IKEv2AAARADIUS / ISE authAssign IPfrom address poolTunnel upsession establishedReach appneeds NAT-exempt
Client connects, AAA authenticates, an IP is assigned, the tunnel comes up and the user reaches the internal app.

Sneha at a Chennai SaaS firm faces this

Remote staff connect with Cisco Secure Client, get an IP from the pool and the tunnel shows 'connected', but they cannot open the internal HR app.

Likely cause

There is a broad dynamic PAT rule for inside traffic, and no NAT-exempt rule for the RA pool, so the pool↔internal traffic is PATed instead of staying inside the tunnel.

Diagnosis

Run packet-tracer from a pool address to the HR app: it shows the packet being PATed to the outside interface IP rather than being NAT-exempt and routed to the internal subnet.

FMC ▸ Devices ▸ NAT ▸ (policy) ▸ Add Manual NAT (identity), Section 1
Fix

Add a Manual (twice) identity-NAT rule — source = RA pool, destination = internal subnets, translate each to itself — placed in NAT Section 1, above the dynamic PAT rule.

Verify

Re-run packet-tracer: the flow is now NAT-exempt and routed internally; remote users reach the HR app and the session counters increase.

Always add NAT-exempt for VPN, then prove it

Whether it is site-to-site or remote access, VPN-interesting traffic needs a NAT exemption so it is not PATed out of the tunnel. Do not assume it works — run packet-tracer from a tunnel source to the destination and confirm the flow is marked NAT-exempt and routed into the tunnel, not translated to the outside IP.

Quick check · Q4 of 10 · Apply

RA VPN users get an IP from the pool and the tunnel is up, but they cannot reach the internal app. packet-tracer shows their traffic being PATed. What is missing?

Correct: d. The pool↔internal traffic is being PATed before it can stay in the tunnel. A NAT-exempt (identity) rule for the pool and internal subnets in NAT Section 1, above the PAT rule, keeps the traffic on its real IP.
👉 So far: AAA via RADIUS/ISE, LDAP/AD, SAML for SSO, plus certificates and posture/DAP. And VPN-interesting traffic needs a NAT-exempt rule in Section 1 so it is not PATed.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

What selects the encrypted traffic in a policy-based site-to-site VPN?

Correct: c. Policy-based VPN uses a crypto ACL to define the interesting traffic. Routing into a VTI is the route-based approach; pools and group policies belong to Remote Access.
Q6 · Understand

Which property makes a route-based (VTI) tunnel better for many subnets and dynamic routing?

Correct: a. A VTI is a real logical interface you route into, so dynamic routing protocols can run across the tunnel and you do not maintain a crypto ACL per subnet pair.
Q7 · Apply

You must connect 40 branches back to one data centre with the fewest tunnels to manage. Which FMC topology?

Correct: d. Hub-and-spoke has each branch tunnel back to a central hub — the standard, manageable enterprise pattern. Full mesh would create a tunnel between every pair of sites, which is far more to manage.
Q8 · Analyze

A site-to-site tunnel forms phase 1 but never completes phase 2. Where do you look first?

Correct: b. Phase 2 / the IPsec SA negotiates the data-protection parameters and (for policy-based) the interesting traffic. A phase-2 failure points to a transform/proposal mismatch or mismatched crypto ACLs, not phase-1 auth or RA components.
Q9 · Evaluate

Remote staff need single sign-on through the company's cloud identity provider. Which AAA option fits?

Correct: c. SAML lets the RA VPN connection profile authenticate users via SSO to a cloud identity provider. RADIUS/ISE and LDAP are other back-ends, but SAML is the SSO option asked for here.
Q10 · Evaluate

Across both S2S and RA VPN, what single configuration step keeps tunnel traffic from being PATed out of the tunnel?

Correct: a. VPN-interesting traffic must keep its real source IP. A NAT-exempt/identity rule for the source↔destination (or pool↔internal) subnets, placed in NAT Section 1 above the dynamic PAT rule, prevents it being translated out of the tunnel.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why might a Cisco Secure Client user authenticate, get an IP, see the tunnel as up, and still not reach the internal app? Then compare with the expert version.

Expert version: Because the tunnel being up only means IKE/IPsec negotiated — it says nothing about NAT. VPN-interesting traffic (here, the RA pool talking to the internal subnets) must keep its real source IP to stay in the tunnel. If a broad dynamic PAT rule catches it first, the source is translated to the outside interface IP and the traffic is PATed out instead of routed in-tunnel, so the internal app is unreachable. The fix is a Manual/twice identity NAT-exempt rule for the pool↔internal subnets placed in NAT Section 1, above the PAT rule. Phase 1 authenticates the peers, phase 2 protects the data, but the NAT exemption is what actually lets the carried traffic reach its destination — confirm it with packet-tracer.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

IKEv2 / IPsec
IKEv2 negotiates and manages keys; IPsec (ESP) encrypts and integrity-protects the data. Together they form the secure site-to-site tunnel.
Policy-based VPN
Site-to-site VPN where a crypto ACL selects the interesting traffic to encrypt. Precise but rigid, with no dynamic routing over the tunnel.
Route-based VPN / VTI
A Virtual Tunnel Interface you route traffic into; whatever is routed there is encrypted, so dynamic routing (BGP/OSPF) can run over the tunnel.
IKE SA (phase 1)
The first phase of an IPsec tunnel: it authenticates the peers (PSK or certificate) and builds the secure, encrypted management channel.
IPsec SA (phase 2)
The second phase: over the phase-1 channel it negotiates the keys and parameters (transform/proposal, PFS) that actually protect the data.
Cisco Secure Client
The rebranded AnyConnect remote-access client. It connects over SSL/TLS or IKEv2 and carries VPN plus posture and other modules.
Connection profile / group policy
The connection profile (tunnel-group) is what a user connects to and how they authenticate; the group policy defines what the session gets (split tunnel, DNS, timeouts).
AAA (RADIUS/ISE, LDAP, SAML)
Authentication back-ends for RA VPN: RADIUS to Cisco ISE, LDAP/Active Directory, or SAML for SSO to a cloud identity provider, plus certificate auth.
NAT exemption for VPN
An identity NAT (twice NAT) rule that keeps VPN-interesting traffic on its real IP so it is not PATed out of the tunnel. It sits in NAT Section 1, above the PAT rule.

📚 Sources

  1. Cisco — Cisco Secure Firewall Management Center Device Configuration Guide: Site-to-Site VPNs. cisco.com
  2. Cisco — Secure Firewall Threat Defense: Route-based (VTI) vs policy-based site-to-site VPN. cisco.com
  3. Cisco — FMC VPN topologies: point-to-point, hub-and-spoke and full mesh; IKEv2 IKE/IPsec phases. cisco.com
  4. Cisco — Remote Access VPN with Cisco Secure Client (formerly AnyConnect): connection profiles, group policies, address pools. cisco.com
  5. Cisco — RA VPN AAA: RADIUS/ISE, LDAP/AD, SAML SSO, certificate authentication and posture/DAP. cisco.com
  6. Cisco Tech Notes — Configure NAT exemption for site-to-site and remote-access VPN on Threat Defense. cisco.com

What's next?

Got VPN? Pair it with the NAT lesson — Auto vs Manual NAT and the Section 1-2-3 order — so you can place the NAT-exempt rule correctly, and then go deeper on identity (ISE/SAML) and posture for Remote Access.

Next · All interview lessons → Practice on exam.techclick.in →