Create a S2S Tunnel between FTD and Cisco Secure Access

Cisco Secure Access is a cloud security platform that protects your organization against internet threats. It provides secure connectivity not just to the Internet and SaaS applications, but also to your private resources - regardless of whether users are on your corporate network or connecting remotely.

Tunnels and tunnel groups are essential for managing connections between data centers and Cisco Secure Access. IPsec IKEv2 tunnels create fast, secure private network connections to applications.  Users can access private resources through these tunnels using VPNs or ZTA connections.

In this guide, we'll walk through the process of configuring a site-to-site tunnel between a Cisco Firepower Threat Defense (FTD) device and Cisco Secure Access.

Step 1 - Configure Tunnel in CSA

In Secure Access, navigate to Connect > Network Connections.

Select Network Tunnel Groups.

Add a new Network Tunnel Group.

Get started configuring your tunnel by specifying a Tunnel Group Name, Region, and Device Type - FTD in this example.

For Tunnel ID Format, use Email.  Create a Tunnel ID and Passphrase of your choosing.

You have two choices for routing options:  dynamic routing using BGP or static routing.  In this example, I'm using static routing.

You might want to download the CSV for reference later.

Step 2 - Configure Tunnel in FMC

In FMC, navigate to Devices > VPN > Site to Site.

Add a Site to Site VPN.

Name your topology, and select Route Based (VTI).

For Node A, select FTD as the Device.

Create a new VTI by clicking on the + button. 

Use the default settings.

Select Send Local Identity to Peers.  Use Email ID.  Enter the Primary Tunnel ID that was generated in Secure Access.

For Node B, select Extranet as the Device.  This tunnel will connect to the primary Secure Access data center.  Use the IP address of the primary Secure Access data center in the configuration.

Click on the IKE tab.  Under IKEv2 Settings, for authentication type, select Pre-Shared Manual Key.  Enter the Passphrase from Secure Access.

Finally, click on the Advanced tab. For IKE settings, select the Do not check option for Peer Identity Validation.

Repeat the steps above to create a tunnel between FTD and the Secondary DC.

Step 3 - Configure Policy-Based Routing in FMC

In FMC, navigate to Objects > Object Management.  Select Access List > Extended.  Then click Add Extended Access List.

If necessary, create a block rule that prevents traffic such as local traffic from traversing your tunnel.  Create an allow rule to allow all other traffic to traverse your tunnel.  The source for this allow rule should be the IP addresses of the primary and secondary CSA data centers.

In FMC, navigate to Devices > Device Management.  Select your FTD Device.  Then select Routing.

Click on Policy Based Routing.  Then click Add.

Select the Ingress Interface.

Click Add.  Select the ACL you created earlier.  Add the VTIs you created to the Egress Interfaces List.

Step 4 - Configure Access Policy

If necessary, add an access entry allowing traffic from inside the network to the Secure Access tunnel.

Step 5 - Verify

You have a few ways of verifying the functionality of your tunnel.  A short and sweet way to do so is to set up browser-based ZT access for an app that is serviced via your FTD.
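Another way to verify from the FTD side is to check that the IKEv2 security associations to both Secure Access data centers are up. The script below is an added example, not part of the original post: it parses the output of the FTD/ASA `show crypto ikev2 sa` command and reports, per expected peer, whether the SA is READY and authenticated with a pre-shared key. The sample output embedded in it is constructed to mirror the general layout of that command (peer addresses are RFC 5737 placeholders standing in for the primary and secondary DC addresses from the CSV downloaded in Step 1); the exact column spacing on a real device may differ, which is why the parser keys on the row contents rather than fixed offsets.

```python
"""Check IKEv2 SA state to the Secure Access data centers from
'show crypto ikev2 sa' output (added example; not from the original post).
"""
import re

# Constructed sample output: two IKEv2 SAs, one per Secure Access DC.
# Peer addresses are placeholders; use the DC addresses from your CSV.
SAMPLE_OUTPUT = """\
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                     Remote                    Status         Role
 101      203.0.113.5/500           198.51.100.10/500         READY    INITIATOR
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1200 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x1a2b3c4d/0x5e6f7a8b

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                     Remote                    Status         Role
 102      203.0.113.5/500           198.51.100.20/500         READY    INITIATOR
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1180 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x9a8b7c6d/0x0f1e2d3c
"""

# One tunnel row: tunnel-id, local addr/port, remote addr/port, status, role.
SA_ROW = re.compile(
    r"^\s*(?P<tunnel_id>\d+)\s+"
    r"(?P<local>\d{1,3}(?:\.\d{1,3}){3})/\d+\s+"
    r"(?P<remote>\d{1,3}(?:\.\d{1,3}){3})/\d+\s+"
    r"(?P<status>\S+)\s+(?P<role>\S+)\s*$"
)
# Authentication method reported on the Encr/Auth line under each tunnel row.
AUTH_RE = re.compile(r"Auth sign:\s*(?P<sign>\w+),\s*Auth verify:\s*(?P<verify>\w+)")


def parse_ikev2_sas(text):
    """Return one dict per IKEv2 SA: tunnel id, peers, status, role, auth."""
    sas = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            sas.append({
                "tunnel_id": int(m["tunnel_id"]),
                "local": m["local"],
                "remote": m["remote"],
                "status": m["status"],
                "role": m["role"],
                "auth_sign": None,
                "auth_verify": None,
            })
            continue
        a = AUTH_RE.search(line)
        if a and sas:
            # The Encr/Auth line describes the most recent tunnel row.
            sas[-1]["auth_sign"] = a["sign"]
            sas[-1]["auth_verify"] = a["verify"]
    return sas


def check_tunnels(text, expected_peers):
    """Map each expected DC peer to 'READY', its reported status, or 'MISSING'.

    A peer counts as READY only if its SA status is READY and both sides
    authenticated with PSK, which is what the pre-shared manual key
    configured in Step 2 should produce.
    """
    by_peer = {sa["remote"]: sa for sa in parse_ikev2_sas(text)}
    result = {}
    for peer in expected_peers:
        sa = by_peer.get(peer)
        if sa is None:
            result[peer] = "MISSING"
        elif (sa["status"] == "READY" and sa["auth_sign"] == "PSK"
              and sa["auth_verify"] == "PSK"):
            result[peer] = "READY"
        else:
            result[peer] = sa["status"]
    return result


def all_up(text, expected_peers):
    """True only when every expected DC peer has a READY, PSK-authenticated SA."""
    return all(v == "READY" for v in check_tunnels(text, expected_peers).values())


if __name__ == "__main__":
    # Placeholder primary and secondary DC addresses; substitute yours.
    peers = ["198.51.100.10", "198.51.100.20"]
    for peer, state in check_tunnels(SAMPLE_OUTPUT, peers).items():
        print(f"{peer}: {state}")
```

Run it against the saved output of `show crypto ikev2 sa` from the FTD CLI; a peer reported as MISSING usually means the tunnel to that data center never negotiated, while any status other than READY points at an IKE problem (for example a passphrase or Tunnel ID mismatch) rather than a routing one.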

Conclusion

Setting up secure tunnels between your FTD device and Cisco Secure Access creates a robust foundation for protecting your network resources. By following this configuration guide, you've established encrypted pathways that enable secure access to both internet and private applications, while maintaining the visibility and control needed to protect against threats. Whether your users connect from the office or remotely, they can now safely access the resources they need through this secure infrastructure.

Please get in touch with any questions or comments you might have about using Secure Access.