Configure a SASE Tunnel for Umbrella

Use the following procedure to create a SASE tunnel for an Umbrella organization:

Before you begin

Note that the Umbrella organization and the ASA device you want to create the tunnel for must already be onboarded to CDO.

If the ASA or Umbrella organization associated with the tunnel you just deployed is in an unhealthy state, CDO may not be able to successfully deploy the tunnel. If you experience any issues, contact Cisco TAC.

Procedure

Step 1

Log into CDO.

Step 2

Navigate to the VPN window. Select Site-to-Site VPN.

Step 3

Click the blue plus button and select Create SASE Tunnel.

Step 4

Enter the Umbrella Peer information:

  • Select Umbrella - Select the Umbrella organization of your choice.

  • Datacenter - Select a head-end datacenter. We recommend selecting a datacenter that is geographically close to the ASA associated with the Umbrella organization.

Step 5

Enter the ASA Peer information:

  • Select ASA Device - Select an ASA device that is associated with the Umbrella organization from the drop-down list and then click Select.

  • Public Facing Interface - Select an IPv4 address that is static and publicly routable. The address used should not be used for NAT.

  • LAN Address - Select the LAN interfaces that controls the LAN subnet. You must select at least one interface for LAN.

  • Virtual Tunnel Interface - This field is automatically filled once you select the Umbrella organization and the ASA peer device. If necessary, you can manually enter an IP address that will be used as the new VTI.

Step 6

The Passphrase is automatically filled once you select the Umbrella organization and the ASA peer device. The Confirm Passphrase is also automatically filled. You can manually enter these fields if necessary.

Step 7

(Optional) The Deploy changes to ASA immediately toggle at the bottom of the pop-up window is enabled by default. When enabled, the SASE tunnel configuration is immediately deployed to the ASA peer selected in the tunnel configuration. If you want to stage changes and deploy later, manually toggle the option to disable.

Step 8

Click Deploy. Optionally, click Deploy and Create Another to simultaneously deploy this SASE tunnel and create another tunnel. Once deployed, the tunnel will appear in the VPN Tunnels page. If you choose to Deploy and Create Another SASE tunnel, CDO saves both the Umbrella organization selection and the Deploy changes to ASA immediately toggle setting and automatically applies these selections to the next tunnel configuration. You can manually alter these selections prior to deploying.