Create a Site-to-Site VPN Between On-Prem Firewall Management Center-Managed Threat Defense and ASA

Procedure

Step 1

In the navigation pane, choose VPN > Site-to-Site VPN.

Step 2

Click the create tunnel () button on the top-right corner and click Site-to-Site VPN with the FMC Managed Device / ASA label.

Step 3

In the Configuration Name field, enter a name for the site-to-site VPN configuration you create.

Step 4

Click the Route Based radio button.

Step 5

In the Peer Devices area, provide the following information:

  1. Peer 1: From the Device drop-down list, choose a threat defense managed by an on-prem management center. The device type is FMC FTD.

  2. Peer 2: From the Device drop-down list, select an ASA device. The device type is ASA.

  3. VPN Access Interface: Choose the virtual tunnel interfaces of both peers. The peer 2 (ASA) connects peer 1 (on-prem management center-managed threat defense through the VPN access interface of peer 1. Similarly, peer 1 (on-prem management center-managed threat defense) connects peer 2 (ASA) through the VPN access interface of peer 2.

    Note

    CDO does not provide the functionality to create virtual tunnel interfaces for the on-prem management center-managed threat defense devices, instead it only displays pre-existing interfaces of the on-prem management center. Therefore, you must configure them from the on-prem management center before creating a tunnel in CDO.

  4. LAN Interfaces: Choose the LAN interfaces of both peers that control the LAN subnets. You can select multiple interfaces.

    The networks attached to the selected LAN interfaces will be added to the routing policy access list. The traffic matching the routing policy access list will be encrypted/decrypted by the VPN tunnel.

  5. Routing: Click Add Network and choose protected networks from each peer to create a site-to-site tunnel between them.

  6. Click Next.

Step 6

In the Tunnel Details area, the VTI Address specifies the addresses for the new Virtual Tunnel Interfaces on the peers. CDO provides a sample address which you can change if it causes conflict. You can assign any unused IP address that is currently not used on this device.

Step 7

In the IKE Settings area, choose the IKE version for the Internet Key Exchange (IKE) negotiations and specify the privacy configurations. For more information on the IKE policies, see Configuring the Global IKE Policy.

Based on your configuration, CDO suggests the IKE settings. You can either continue with the recommended IKE configuration settings or configure a new one.

Note

Enabling both IKE versions is not allowed for route-based VPN.

  1. Enable any one IKE version that you want.

    By default, the IKEV Version 2 protocol is enabled.

  2. To configure IKE Version 2, enable IKE Version 2 and click Add IKEv2 Policies to select the policies you want. The IKEv2 policies must be selected for both peers.

    CDO generates a default Pre-Shared Key for peer 1. This is a secret key string that is configured on the peers. IKE uses this key during the authentication phase. It is used to verify each other when establishing a tunnel between the peers.

  3. To configure IKE Version 1, enable IKE Version 1 and click Add IKEv1 Policies to select the policies you want. The IKEv1 policies must be selected for both peers.

    CDO generates a default Pre-shared Key which can be modified.

  4. Click Next.

Step 8

In the IPSec Settings area, provide the following information:

  1. Click Add IKE IPSec Proposals to select the IKE IPSec configuration. The proposals are available depending on the selection that is made in the IKE Settings step. The IKEv2 IPSec proposals policies must be selected for both peers. For more information, see Configuring IPSec Proposals.

  2. (Optional) Choose the Diffie-Hellman Group for Perfect Forward Secrecy. For more information, see Encryption and Hash Algorithms Used in VPN

  3. Click Next.

Step 9

In the Finish area, read the configuration and continue further only if you’re satisfied with your configuration.

  • By default, the Deploy changes to ASA immediately check box is checked to deploy the configurations immediately to the ASA device after clicking Submit.

    If you want to review and deploy the configurations manually later, then uncheck this check box.

Step 10

Click Submit.

The configurations are automatically pushed from CDO to on-prem management center.

Step 11

Perform the following steps to deploy the configuration manually to an on-prem management center-managed threat defense device.

  1. Login to the on-prem management center and choose Devices > VPN > Site To Site. You can see the same VPN topology that was configured in CDO.

  2. Deploy these changes to your threat defense. See Configuration Deployment in the Cisco Secure Firewall Management Center Device Configuration Guide for more information.