Create a Site-to-Site VPN Between ASA and Multicloud Defense Gateway

Use the following procedure to create a VPN tunnel between an ASA device that is managed by CDO and Multicloud Defense Gateway from the CDO dashboard:

Before you begin

Ensure that the following prerequisites are met:

The ASA device must not have any pending changes.
Create a BGP profile in the ASA console prior to creating a VPN tunnel. See Configure ASA Border Gateway Protocol for more information.
The Multicloud Defense Gateway must be in the Active state.
The Multicloud Defense Gateway must be VPN enabled. See Enable VPN within the gateway.
Read the ASA site-to-site VPN limitations and guidelines for more information.
Read the Multicloud Defense Gateway prerequisites and limitations for more information.

Procedure

Step 1	In the left pane, choose VPN > Site-to-Site VPN.
Step 2	Click the create tunnel () button on the top-right corner and click Site-to-Site VPN with the Multicloud Defense label.
Step 3	In the Configuration Name field, enter a name enter a name for the site-to-site VPN configuration you create.
Step 4	In the peer devices area, provide the following information: Device 1: From the drop-down list, click the ASA tab and select the ASA device you want. Device 2: From the drop-down list, click the Multicloud Defense tab and select the gateway you want. VPN Access Interface: Select an ASA interface to be used for connecting to the Multicloud Defense. Public IP (optional): Specify the public IP address of the NAT that maps to the outside interface of the selected ASA. Routing : Click Add Networks and select one or more protected networks from ASA to create a site-to-site tunnel between the selected networks and the Multicloud Defense Gateway.
Step 5	Click Next.
Step 6	In the Tunnel Details area, provide the following information: Virtual Tunnel Interface IP: Specify the addresses for the new Virtual Tunnel Interfaces on the peers. CDO provides a sample address for ASA which you can change if it causes conflict. You can assign any unused IP address that is currently not used on this device. Autonomous System Number (Peer 1): If the ASA device does not have an autonomous system number configured, CDO will suggest one for the device, which can be modified. If the device already has an autonomous system number configured, the current value will be displayed and cannot be modified. Autonomous System Number (Peer 2): If a BGP profile is assigned to the Multicloud Defense Gateway, the autonomous number associated with the profile is displayed, which cannot be modified. See Add a Multicloud Defense Gateway.
Step 7	Click Next.
Step 8	In the IKE Settings area, CDO generates a default Pre-Shared Key. This is a secret key string that is configured on the peers. IKE uses this key during the authentication phase. It is used to verify each other when establishing a tunnel between the peers.
Step 9	Click Next.
Step 10	In the Finish area, review the configuration and continue further only if you’re satisfied with the configuration. By default, the Deploy changes to ASA immediately check box is checked to deploy the configurations immediately to the ASA device after clicking Submit. If you want to review and deploy the configurations manually later, then uncheck this check box.
Step 11	Click Submit. The configurations are pushed to the Multicloud Defense Gateway.

The VPN page in CDO shows the site-to-site tunnel created between the peers. You will be able to see the corresponding tunnel in the Multicloud Defense Gateway portal.