Configure Tunnels with Cisco Adaptive Security Appliance
Follow the steps in this guide to connect a Cisco Adaptive Security Appliance (ASA) firewall through an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel to Cisco Secure Access.
Prerequisites
You must meet licensing, hardware, and network access prerequisites for the tunnel to work successfully.
Licensing and Hardware
- A valid Cisco Secure Access account.
- A Cisco Secure Access organization ID. For more information, see Find Your Organization ID.
- A Cisco ASA router with a security K9 license to establish an IPsec tunnel. Other devices may work but have not been tested.
- ASA Base or Security Plus license to establish an IPsec tunnel.
- A network tunnel group configured on Cisco Secure Access; see Add a Network Tunnel Group.
Network Access
- When you add a network tunnel, we recommend that you choose the IP address based on the data center located closest to you.
- Open UDP ports 500 and 4500.
Cisco ASA version 9.16 or lower requires a static, publicly routable IPv4 address configured on the interface that connects to the public internet and to the Cisco Secure Access data center. This address must not be subject to NAT; if NAT is present, the tunnel fails. The reason is that Cisco ASA IKEv2 PSK authentication automatically uses the IPv4 address configured on that interface as its IKE ID, and this ID, in combination with the PSK, is what authenticates the ASA to Secure Access.
ASA 9.17 or above supports per-tunnel identity and IKEv2 FQDN identity. Because the ASA can then sit behind NAT, configure the tunnel in Secure Access as follows:
- Tunnel type: Other
- Authentication: FQDN
- The ASA IPsec profile configuration must include the extra tunnel identity command (set ikev2 local-identity email-id [email protected]).
Configure Tunnels in Secure Access
- Follow the steps in Add Network Tunnel Group.
The new tunnel appears in the Secure Access dashboard with a status of UnEstablished. The tunnel status is updated once it is fully configured and connected with the ASA.
Configure ASA
- Configure the IKEv2 policy. Define the settings according to the supported IPsec parameters. Choose the policy number based on your ASA's existing policies.
- Replace the default interface name outside with the name configured on your device. This is the public-facing interface that the VPN uses to connect.
crypto ikev2 policy 10
encryption aes-gcm-256
integrity null
group 19
lifetime seconds 86400
crypto ikev2 enable outside
- Configure the Group Policy and Tunnel Group parameters.
- Enter the IP of a Secure Access data center.
- Replace [Portal_Tunnel_Passphrase] with the passphrase you configured in the previous section, Add Network Tunnel Group.
group-policy sse-policy internal
group-policy sse-policy attributes
vpn-tunnel-protocol ikev2
tunnel-group <sse_dc_ip> type ipsec-l2l
tunnel-group <sse_dc_ip> general-attributes
default-group-policy sse-policy
tunnel-group <sse_dc_ip> ipsec-attributes
ikev2 remote-authentication pre-shared-key 0 [Portal_Tunnel_Passphrase]
ikev2 local-authentication pre-shared-key 0 [Portal_Tunnel_Passphrase]
Validate that the command crypto isakmp identity is set to its default value, auto, so that the ASA determines the correct ID method for ISAKMP peers.
- Configure IPsec proposal and profile parameters.
- Define the settings according to the Supported IPsec parameters.
crypto ipsec ikev2 ipsec-proposal Secure-Access-Ipsec-Proposal
protocol esp encryption aes-gcm-256
protocol esp integrity sha-1
crypto ipsec profile Secure_Access
set ikev2 ipsec-proposal Secure-Access-Ipsec-Proposal
!
! Note: the following command applies only to ASA 9.17 and later
set ikev2 local-identity email-id [email protected]
- Create a virtual tunnel interface (VTI).
- Enter the IP of a Secure Access data center.
- Replace the sample IP with an unused IP address that does not belong to any VLAN, subnet, or existing connection in your network.
interface Tunnel1
nameif vti
! x.x.x.0/24 must be a range that is unused in your network
ip address x.x.x.1 255.255.255.0
tunnel source interface outside
tunnel destination <sse_dc_ip>
tunnel mode ipsec ipv4
tunnel protection ipsec profile Secure_Access
- Configure policy-based routing (PBR). In the following example, the LAN subnet is 192.168.20.0/24 and the LAN interface is GigabitEthernet1/2.
- Configure PBR to send the internal traffic through the tunnel interface to reach the Secure Access data center.
- Set the IP address in next-hop to an address in the same subnet assigned to the VTI.
access-list ACL-sse line 1 extended permit ip 192.168.20.0 255.255.255.0 any4
route-map sse-PBR permit 10
match ip address ACL-sse
set ip next-hop x.x.x.2
interface GigabitEthernet1/2
policy-route route-map sse-PBR
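Several of the steps above only work when names and addresses agree across otherwise unrelated stanzas: the profile must reference a proposal that exists, IKEv2 must be enabled on the VTI's source interface, and the PBR next-hop must fall inside the VTI subnet. The following added example (not part of this guide or of Cisco's tooling) checks those three rules against a running-config extract; the config text, the 10.255.255.0/24 VTI range and the 198.51.100.5 peer are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample mirroring the guide's snippets, with placeholder addresses;
# the proposal name inside the profile is deliberately misspelled to be caught.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-gcm-256
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal Secure-Access-Ipsec-Proposal
 protocol esp encryption aes-gcm-256
crypto ipsec profile Secure_Access
 set ikev2 ipsec-proposal Secure Access-Ipsec-Proposal
interface Tunnel1
 nameif vti
 ip address 10.255.255.1 255.255.255.0
 tunnel source interface outside
 tunnel destination 198.51.100.5
 tunnel protection ipsec profile Secure_Access
route-map sse-PBR permit 10
 match ip address ACL-sse
 set ip next-hop 10.255.255.2
"""

def find(pattern, text):
    """Capture groups of every line matching a line-anchored regex."""
    return re.findall(r"(?m)^[ \t]*" + pattern + r"[ \t]*$", text)

def check_asa_tunnel_config(text):
    """Return findings for the consistency rules the guide states (empty = OK)."""
    findings = []
    # 1. The IPsec profile must reference a proposal that is actually defined.
    proposals = set(find(r"crypto ipsec ikev2 ipsec-proposal (\S+)", text))
    for ref in find(r"set ikev2 ipsec-proposal (.+?)", text):
        if ref not in proposals:
            findings.append(f"profile references undefined ipsec-proposal '{ref}'")
    # 2. IKEv2 must be enabled on the interface the VTI uses as its tunnel source.
    enabled = set(find(r"crypto ikev2 enable (\S+)", text))
    for src in find(r"tunnel source interface (\S+)", text):
        if src not in enabled:
            findings.append(f"IKEv2 is not enabled on tunnel source interface '{src}'")
    # 3. The PBR next-hop must lie inside the VTI's own subnet.
    for ip, mask in find(r"ip address (\S+) (\S+)", text):
        vti_net = ipaddress.ip_interface(f"{ip}/{mask}").network
        for hop in find(r"set ip next-hop (\S+)", text):
            if ipaddress.ip_address(hop) not in vti_net:
                findings.append(f"next-hop {hop} is outside VTI subnet {vti_net}")
    return findings
```

Run it against the output of show running-config on the ASA; an empty list means the three cross-references line up.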
Test and Verify
ASA CLI
You can verify the ASA tunnel status to Secure Access by using these commands:
show crypto ikev2 sa detail
show crypto ipsec sa detail
Use the following command to simulate a packet entering the inside interface with a specific source IP address and port and a specific destination IP address and port. The output shows whether the packet is sent through the tunnel.
packet-tracer input inside tcp 192.168.20.13 3520 72.163.4.161 443 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d35d7da90, priority=1, domain=permit, deny=false
hits=3848, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map sse-pbr permit 10
match ip address pbr-sse
set ip next-hop 11.11.11.12
Additional Information:
Matched route-map sse-pbr, sequence 10, permit
Found next-hop 11.11.11.12 using egress ifc vti
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d34b62c90, priority=0, domain=nat-per-session, deny=false
hits=459, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d35d85db0, priority=0, domain=inspect-ip-options, deny=true
hits=456, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f8d35dfabc0, priority=70, domain=encrypt, deny=false
hits=152, user_data=0x78dc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=vti
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f8d36c3cd90, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=152, user_data=0x84dc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=vti, output_ifc=any
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f8d34b62c90, priority=0, domain=nat-per-session, deny=false
hits=461, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f8d35e547a0, priority=0, domain=inspect-ip-options, deny=true
hits=291, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=vti, output_ifc=any
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 547, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: vti
output-status: up
output-line-status: up
Action: allow
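To make that check repeatable, the following added example (not part of this guide) parses packet-tracer output in the shape shown above and reports whether the packet was policy-routed into the VTI, hit a VPN encrypt phase, and was allowed; the interface name vti and the abbreviated sample trace are assumptions.

```python
import re

# Constructed, abbreviated packet-tracer output in the shape of the guide's
# example: same phase layout, fewer "Additional Information" lines.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Found next-hop 11.11.11.12 using egress ifc vti
Phase: 3
Type: VPN
Subtype: encrypt
Result: ALLOW
Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Result:
input-interface: inside
output-interface: vti
Action: allow
"""

PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\nSubtype: ?(\S*)\nResult: (\S+)")

def parse_phases(trace):
    """Return [(number, type, subtype, result)] for every phase in the trace."""
    return [(int(n), t, s, r) for n, t, s, r in PHASE_RE.findall(trace)]

def tunnel_verdict(trace, vti_name="vti"):
    """Return (ok, reasons): ok only when the packet is policy-routed into the
    VTI, hits a VPN encrypt phase, and the final action is allow."""
    phases, reasons = parse_phases(trace), []
    if not any(t == "PBR-LOOKUP" and r == "ALLOW" for _, t, _, r in phases):
        reasons.append("no PBR-LOOKUP phase: traffic is not policy-routed")
    hop = re.search(r"Found next-hop (\S+) using egress ifc (\S+)", trace)
    if not hop or hop.group(2) != vti_name:
        reasons.append(f"PBR next-hop does not egress via {vti_name}")
    if not any(t == "VPN" and s == "encrypt" and r == "ALLOW" for _, t, s, r in phases):
        reasons.append("no VPN encrypt phase: packet would leave in cleartext")
    final = dict(re.findall(r"(?m)^(output-interface|Action): (\S+)$", trace))
    if final.get("Action") != "allow" or final.get("output-interface") != vti_name:
        reasons.append(f"final result: action={final.get('Action')} egress={final.get('output-interface')}")
    return (not reasons, reasons)
```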