Create a Site-to-Site VPN Between ASA and Multicloud Defense Gateway

If you are a new customer and you want to use Firewall Manager to configure a site-to-site VPN between Multicloud Defense and an ASA device, contact Cisco Technical Assistance Center (Cisco TAC) to enable this feature.

To manually configure a site-to-site VPN between ASA and Multicloud Defense, you can configure the VPN in the Multicloud Defense application and also on the ASA device manually, and bring up the site-to-site VPN.

You can create site-to-site IPsec connections between an ASA and a Multicloud Defense Gateway that complies with all relevant standards. After the VPN connection is established, the hosts behind the firewall can connect to the hosts behind the gateway through the secure VPN tunnel.

Multicloud Defense currently supports Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), and Oracle OCI cloud accounts.

Use the following procedure to create a VPN tunnel between an ASA device that is managed by Firewall Manager and Multicloud Defense Gateway from the Firewall Manager dashboard:

Before you begin

Ensure that the following prerequisites are met:

The ASA device must not have any pending changes.
Create a BGP profile in the ASA console prior to creating a VPN tunnel. See Configure ASA Border Gateway Protocol for more information.
The Multicloud Defense Gateway must be in the Active state.
The Multicloud Defense Gateway must be VPN enabled. See Enable VPN within the gateway.
Read the ASA site-to-site VPN limitations and guidelines for more information.
Read the Multicloud Defense Gateway prerequisites and limitations for more information.

Procedure

1	In the Security Cloud Control platform menu, choose Products > Firewall.
2	In the left pane, choose Manage > Secure Connections > Network Connections > Site to Site VPN.
3	Click the Create Tunnel () icon and then click Site-to-Site VPN.
4	In the Peer Selection area, provide the following information: Configuration Name: Enter a unique topology name. Peer 1: Click the ASA tab and select a Secure Firewall ASA device. Peer 2: Click the Multicloud Defense tab and select a multicloud gateway. If you choose an extranet device, select Static and specify an IP address or select Dynamic for extranet devices with DHCP assigned IP. The IP Address displays the IP address for static interface or DHCP Assigned for the dynamic interface.
5	Click Next.
6	In the Peer Details area, provide the following information: VPN Access Interface: Select the interface for Secure Firewall ASA to establish a connection with Multicloud Defense Gateway. LAN Interfaces: Select the interface for Secure Firewall ASA that controls the LAN subnet. You can select multiple interfaces Public IP (optional): Specify the public IP address of the NAT that maps to the outside interface of the selected Secure Firewall ASA. Routing: Click Add Networks and select one or more protected networks for Secure Firewall ASA to establish a site-to-site tunnel with Multicloud Defense Gateway.
7	Click Next.
8	In the Tunnel Details area, provide the following information: Virtual Tunnel Interface IP: Specify the addresses for the new Virtual Tunnel Interfaces on the peers. Firewall Manager provides a sample address for Secure Firewall ASA which you can change if it causes conflict. You can assign any unused IP address that is currently not used on this device. Autonomous System Number (Peer 1): If the Secure Firewall ASA device does not have an autonomous system number configured, Firewall Manager will suggest one for the device, which can be modified. If the device already has an autonomous system number configured, the current value will be displayed and cannot be modified. Autonomous System Number (Peer 2): If a BGP profile is assigned to the Multicloud Defense Gateway, the autonomous number associated with the profile is displayed, which cannot be modified. See Add a Multicloud Defense Gateway.
9	Click Next.
10	In the IKE Settings area, Firewall Manager generates a default Local Pre-Shared Key. This is a secret key string that is configured on the peers. IKE uses this key during the authentication phase. It is used to verify each other when establishing a tunnel between the peers.
11	In the Finish area, review the configuration and continue further only if you’re satisfied with the configuration. By default, the Deploy changes to ASA immediately check box is checked to deploy the configurations immediately to the ASA device after clicking Submit. If you want to review and deploy the configurations manually later, then uncheck this check box.
12	Click Submit. The configurations are pushed to the Multicloud Defense Gateway.

The VPN page in Firewall Manager shows the site-to-site tunnel created between the peers. You will be able to see the corresponding tunnel in the Multicloud Defense Gateway portal.

Previous topic Create a Site-to-Site VPN Tunnel Between Secure Firewall ASA Next topic Exempt Site-to-Site VPN Traffic from NAT