{"pageModel":{"attributes":{"id":"","name":"121339.dita","viewName":"DitaDetail"},"elements":{"ditaContent":{"name":"DITAContent","value":"
\r\n

Configure Tunnels with Cisco Adaptive Security Appliance

\r\n
\r\n
\r\n

This guide walks you through connecting a Cisco Adaptive Security Appliance (ASA) firewall\r\n to Cisco Secure Access using one or two IKEv2 IPsec tunnels via Virtual Tunnel Interfaces\r\n (VTI).

\r\n
\r\n
\r\n
\r\n

Before you begin

\r\n
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\nTable 1. \r\nCisco Secure Access requirements\r\n
RequirementDetails
Cisco Secure Access accountA valid, active account
Organization IDRefer to Find Your Organization ID\r\n
Network Tunnel GroupMust be pre-configured in Secure Access. Refer to Add a Network Tunnel Group\r\n
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\n\r\n
 		\r\n
When adding a network tunnel group, select the data center closest to your\r\n ASA's geographic location to minimize latency.
\r\n
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\nTable 2. \r\nCisco ASA requirements\r\n
RequirementDetails
HardwareCisco ASA firewall
LicensingSecurity K9 license and ASA Base or Security Plus license
SoftwareASA 9.x with IKEv2 support (refer to ASA version and NAT and IKEv2\r\n identity below)
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\nTable 3. \r\nNetwork requirements\r\n
RequirementDetails
UDP port 500Open outbound (IKE negotiation)
UDP port 4500Open outbound (NAT Traversal)
Outbound connectivityNo firewall blocks to Cisco Secure Access data center IPs
\r\n

Your ASA software version determines how IKEv2 identity is handled and whether the ASA can\r\n operate behind NAT.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\nTable 4. \r\nASA version and NAT and IKEv2 identity\r\n
ASA 9.16 and EarlierASA 9.17 and Later
NAT supportNot supported — ASA must not be behind NATSupported — ASA can be behind NAT
IKEv2 identityAutomatically uses the interface IPv4 addressSupports per-tunnel identity and FQDN identity
External interface IPMust be a static, publicly routable IPv4 address configured directly on the\r\n ASA interfaceNo restriction
Secure Access tunnel typeStandard configurationSet Tunnel Type to Other and\r\n Authentication to FQDN\r\n
Additional ASA configNoneAdd to IPsec profile: set ikev2 local-identity email-id\r\n <tunnel-identity>@<org-id>.sse.com\r\n
\r\n

\r\n

On ASA 9.16 and earlier, the ASA automatically uses its external interface IPv4 address as\r\n the IKEv2 identity. This identity, combined with the pre-shared key (PSK), authenticates the\r\n tunnel. If NAT translates this address, the IKEv2 identity will not match what Secure Access\r\n expects, and authentication will fail.

\r\n

ASA 9.17 introduced the ability to explicitly set a per-tunnel FQDN identity, decoupling\r\n the IKEv2 identity from the interface address. This resolves the NAT identity mismatch.

\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\n\r\n
 		\r\n
If your ASA is on version 9.16 or earlier and is behind NAT, the tunnel\r\n will not establish. Either assign a static public IP directly on the ASA's external\r\n interface, or upgrade to ASA 9.17 or later.
\r\n
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\n\r\n
 		\r\n
Note: The <tunnel-identity> and <org-id> values\r\n in the set ikev2 local-identity command are generated when you configure\r\n the network tunnel group in Secure Access. Refer to Add a Network Tunnel Group for details.
\r\n
\r\n
\r\n
\r\n

\r\n

Procedure

\r\n\r\n
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
1\r\n

Gather the following from the Cisco Secure Access dashboard after you create your\r\n Network Tunnel Group. Refer to Add a Network Tunnel Group for instructions.

\r\n
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
ValueDescriptionUsed in
Primary data center IPIP address of the primary Secure Access data centerSteps 3, 5
Secondary data center IPIP address of the secondary Secure Access data centerStep 6
Primary tunnel IDTunnel identity for the primary tunnelSteps 3, 5
Secondary tunnel IDTunnel identity for the secondary tunnelStep 6
PassphrasePre-shared key configured for the tunnel groupStep 3
\r\n
\r\n
2\r\n

\r\nConfigure the IKEv2 policy\r\n

\r\n
    \r\n
  1. \r\n

    Define the IKEv2 policy settings according to the Supported IPsec Parameters.

    \r\n
    2. \r\n
  2. \r\n

    Choose the policy number based on your ASA's existing policies. In the following\r\n example, the policy number is 10.

    \r\n
    3. \r\n
  3. \r\n

    Replace outside with the name of the public-facing interface your\r\n ASA uses for VPN connectivity, if different.

    \r\n
    4. \r\n
\r\n
\r\n
\r\ncrypto ikev2 policy 10\r\n  encryption aes-gcm-256\r\n  integrity null\r\n  group 19\r\n  lifetime seconds 86400\r\ncrypto ikev2 enable outside\r\n
\r\n
\r\n
3\r\n

\r\nConfigure the Group Policy and Tunnel Group\r\n

\r\n
    \r\n
  1. \r\n

    Configure the group policy and tunnel group for the primary data center\r\n connection.

    \r\n
    2. \r\n
  2. \r\n

    Replace the following placeholders. Refer to Add a Network Tunnel Group.

    \r\n
    \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
    PlaceholderReplace With
    \r\n<Primary data center IP address>\r\nIP address of the primary Secure Access data center
    \r\n<Portal_Tunnel_Passphrase>\r\nThe passphrase you configured for the network tunnel group
    \r\n
    \r\ngroup-policy sse-policy internal\r\ngroup-policy sse-policy attributes \r\n   vpn-tunnel-protocol ikev2\r\n \r\ntunnel-group <Primary data center IP address> type ipsec-l2l\r\ntunnel-group <Primary data center IP address> general-attributes \r\n  default-group-policy sse-policy\r\ntunnel-group <Primary data center IP address> ipsec-attributes \r\n  ikev2 remote-authentication pre-shared-key 0 \\[Portal_Tunnel_Passphrase\\]\r\n  ikev2 local-authentication pre-shared-key 0 \\[Portal_Tunnel_Passphrase\\]\r\n
    \r\n
    \r\n
    \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
    \r\n\r\n
         		\r\n
    Validate that the crypto isakmp identity command is\r\n set to the default value auto. This ensures the correct ID method\r\n is used for ISAKMP peers.
    \r\n
    \r\n
    \r\n
    3. \r\n
\r\n
4\r\n

\r\nConfigure the IPsec Proposal and Profile (Primary tunnel)\r\n

\r\n
    \r\n
  1. \r\n

    Define the IPsec proposal and profile according to the Supported IPsec Parameters.

    \r\n
    2. \r\n
  2. \r\n

    Replace <Primary tunnel ID> with the tunnel identity for\r\n your primary tunnel from the Secure Access dashboard.

    \r\n
    3. \r\n
\r\n
\r\n
\r\ncrypto ipsec ikev2 ipsec-proposal Secure-Access-Ipsec-Proposal\r\n  protocol esp encryption aes-gcm-256\r\n  protocol esp integrity sha-1\r\n\r\ncrypto ipsec profile Secure-Access-Primary\r\n  set ikev2 ipsec-proposal Secure-Access-Ipsec-Proposal\r\n  !\r\n  !Note: below command applies for v9.17+ only\r\n  set ikev2 local-identity email-id <Primary tunnel ID>\r\n
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\n\r\n
 		\r\n
The set ikev2 local-identity command applies to ASA\r\n 9.17 and later only. Omit this line for ASA 9.16 and earlier.
\r\n
\r\n
\r\n
5\r\n

\r\nCreate the Virtual Tunnel Interface (Primary tunnel)\r\n

\r\n
    \r\n
  1. \r\n

    Create a VTI for the primary tunnel.

    \r\n
    2. \r\n
  2. \r\n

    Replace the following placeholders:

    \r\n
    \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
    PlaceholderReplace With
    \r\n<Primary data center IP address>\r\nIP address of the primary Secure Access data center
    \r\n<VTI IP address> <subnet mask>\r\nAn unused IP address and subnet not assigned to any existing VLAN,\r\n subnet, or interface in your network (for example, 169.254.1.1\r\n 255.255.255.252)
    \r\n
    \r\ninterface Tunnel1\r\n   nameif vti\r\n   ip address <VTI IP address> <subnet mask>\r\n   tunnel source interface outside\r\n   tunnel destination <Primary data center IP address>\r\n   tunnel mode ipsec ipv4\r\n   tunnel protection ipsec profile Secure-Access-Primary\r\n
    \r\n
    \r\n
    3. \r\n
\r\n
6\r\n

\r\nConfigure the Secondary tunnel\r\n

\r\n
\r\n

To add a secondary tunnel for redundancy, repeat Steps 3 through 5 with the following\r\n changes:

\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
ParameterPrimary tunnelSecondary tunnel
Data center IPPrimary data center IPSecondary data center IP
Tunnel IDPrimary tunnel IDSecondary tunnel ID
IPsec profile name\r\nSecure-Access-Primary\r\n\r\nSecure-Access-Secondary\r\n
VTI interface name\r\nTunnel1 / vti-primary\r\n\r\nTunnel2 / vti-secondary\r\n
VTI IP addressFrom one unused subnetFrom a different unused subnet
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\n\r\n
 		\r\n
The group policy (sse-policy) and IPsec proposal\r\n (Secure-Access-Ipsec-Proposal) created in Steps 2 and 3 can be\r\n reused. You must create a separate IPsec profile and VTI for the secondary\r\n tunnel.
\r\n
\r\n
\r\n
7\r\n

\r\nConfigure policy-based routing (PBR)\r\n

\r\n
    \r\n
  1. \r\n

    Configure PBR to direct internal traffic through the tunnel interface to Secure\r\n Access.

    \r\n
    2. \r\n
  2. \r\n

    In the following example:

    \r\n
    \r\n
      \r\n
    • LAN subnet: 192.168.20.0/24\r\n
      • \r\n
    • LAN interface: GigabitEthernet1/2\r\n
      • \r\n
    • Next-hop IP: An IP address in the same subnet assigned to the primary VTI
      • \r\n
    \r\n
    \r\n
    3. \r\n
\r\n
\r\n
\r\naccess-list ACL-sse line 1 extended permit ip 192.168.20.0 255.255.255.0 any4\r\n \r\nroute-map sse-PBR permit 10\r\n  match ip address ACL-sse\r\n  set ip next-hop x.x.x.2\r\n \r\ninterface GigabitEthernet1/2\r\n  policy-route route-map sse-PBR\r\n
\r\n
\r\n
8\r\n

\r\nVerify the tunnel\r\n

\r\n
    \r\n
  1. \r\n

    Check IKEv2 and IPsec status: Run the following commands from the ASA CLI.

    \r\n
    \r\n
    \r\nshow crypto ikev2 sa detail\r\nshow crypto ipsec sa detail\r\n
    \r\n
    \r\n
    2. \r\n
  2. \r\n

    Simulate traffic with packet tracer: Use the packet-tracer command\r\n to confirm that traffic from the inside interface routes through the tunnel.

    \r\n
    \r\n
    \r\npacket-tracer input inside tcp <source IP> <source port> <destination IP> <destination port> detailed\r\n
    \r\n

    Example:

    \r\n
    \r\n
    \r\n
    \r\npacket-tracer input inside tcp 192.168.20.13 3520 72.163.4.161 443 detailed\r\n
    \r\n
    \r\n
    3. \r\n
\r\n
In a successful configuration, the output includes the following key\r\n phases:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
PhaseTypeExpected resultWhat it confirms
1ACCESS-LISTALLOWTraffic is permitted on the inside interface
2PBR-LOOKUPALLOWPolicy-based routing matches the route map and identifies the VTI as the\r\n egress interface
5VPN (encrypt)ALLOWTraffic is selected for encryption on the VTI
6VPN (ipsec-tunnel-flow)ALLOWIPsec tunnel flow is established
9FLOW-CREATIONALLOWA new traffic flow is created and dispatched
\r\n

The final Result section should\r\n show:

\r\n
\r\noutput-interface: vti\r\nAction: allow\r\n
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
\r\n\r\n
 		\r\n
If any phase shows DROP or if the\r\n output interface is not vti, review your PBR configuration, tunnel\r\n group settings, and IPsec profile.
\r\n
\r\n
\r\n
\r\n
After completing this guide, your ASA will:
    \r\n
  • Establish two authenticated IKEv2 IPsec tunnels to Secure Access
    • \r\n
  • Route designated internal traffic through the tunnel via policy-based routing
    • \r\n
  • Authenticate using a pre-shared key combined with IKEv2 identity
    • \r\n
  • Connect to the nearest Cisco Secure Access data center(s)
    • \r\n
\r\n
\r\n
\r\n
\r\n","ditaVal":"","format":"html"},"bookTitle":{"value":""},"shortDescription":{"value":""}}},"parameters":{"appId":"SecureAccess","topicAlias":"configure-tunnels-cisco-asa"}}