Introduction
This document describes the step-by-step configuration of a Site-to-Site Secure Internet Gateway (SIG) VPN tunnel on Secure Firewall Threat Defense.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Umbrella Admin Portal
- Secure Firewall Management Center (FMC)
Components Used
The information in this document is based on these software and hardware versions:
- Umbrella Admin Portal
- Secure Firewall Version 7.2
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Network Diagram
![Network Diagram](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-00.png)
Umbrella Network Tunnel Configuration
Network Tunnel
Log in to the Umbrella Dashboard:
![Network Tunnels Tab](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-01.png)
Navigate to Deployments > Network Tunnels > Add.
Add a New Tunnel, choose the device type as FTD, and name it appropriately.
![Add a New Tunnel](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-02.png)
Enter the Public IP address of the FTD along with a secure pre-shared key.
Attach the tunnel to the appropriate site for firewalling and traffic inspection policies.
![Configure Tunnel Parameters](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-03.png)
The configuration on the Umbrella Portal is now complete.
Return to the Umbrella Portal after the tunnel is connected in order to confirm the VPN status.
Secure Firewall Management Center Configuration
Configure Site-to-Site
Navigate to Devices > Site-to-Site:
![Configure Site-to-Site](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-04.png)
Add New Site-to-Site Tunnel
Name the Topology and choose Route-based VTI:
![Create a New VPN Topology](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-05.png)
Add a New Virtual Tunnel Interface
- Name the Tunnel Interface.
- Apply a new Security Zone to the interface.
- Assign a Tunnel ID number between 0 and 10413.
- Choose the Tunnel source (the interface with the public IP defined in the Umbrella Portal).
- Create a non-routable /30 subnet for use with the VPN, for example 169.254.72.0/30.
![Add a New Virtual Tunnel Interface](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-06.png)
Configure Topology Nodes
Assign FTD to Node A and Umbrella to Extranet Node B:
![Assign Devices to Topology](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-07.png)
Endpoint IP addresses for use with Umbrella Data Centers can be found here.
Choose the Data Center that is closest to the physical location of the device.
Define IKEv2 Phase 1 Parameters:
Acceptable parameters for tunnel negotiation can be found here.
Navigate to the IKE tab and create a new IKEv2 Policy:
- Assign an appropriate priority so that it does not conflict with the existing policies.
- The Phase 1 lifetime is 14400 seconds.
![Create a New IKEv2 Policy](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-08.png)
![Configure IKEv2 Phase 1 Parameters](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-09.png)
Define IPsec Phase 2 Parameters:
- Acceptable parameters for tunnel negotiation can be found here.
- Navigate to the IPsec tab and create a new IPsec Proposal.
![Create IKEv2 IPsec Proposal](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-10.png)
Ensure that the Phase 2 parameters match these:
![Review IPsec Configuration](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-11.png)
Save Topology and Deploy to the Firewall.
Configure Policy Based Routing (PBR)
Navigate to Devices > Device Management > Select the FTD/HA Pair > Routing > Policy Based Routing.
Add New Policy.
![Add a New Policy-Based Routing Configuration](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-12.png)
Configure the Forwarding Actions:
![Configure Forwarding Options](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-13.png)
Create the Match ACL for the traffic that must navigate through the SIG tunnel:
![Create a New Extended ACL](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-14.png)
Add Access Control Entries defining the Umbrella SIG traffic:
![Add ACE for SIG Traffic](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-15.png)
- Source Networks define internal traffic.
- Destination Networks are the remote networks that must be inspected by Umbrella.
Completed Extended ACL:
![Review the New Extended ACL](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-16.png)
Configure Send To:
![Configure Send To Destination](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-17.png)
Define the Send To IPv4 address as the second available IP in the /30 subnet.
Note: This IP address is not defined in Umbrella. It is only needed for traffic forwarding.
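The VTI addressing and the PBR match logic described above, as an added Python example (not Cisco's code and not generated by FMC). It takes the /30 chosen for the tunnel, derives the interface address and the Send To next hop, and checks a candidate flow against the match ACL semantics (internal source, inspected destination). It assumes the VTI itself takes the first usable host of the /30, which the document implies but does not state; the network values are constructed placeholders.

```python
import ipaddress

# Ranges accepted here for the point-to-point VTI link: RFC 1918 private
# space plus the 169.254.0.0/16 link-local block used in the document's
# example. This list is an assumption of this example, not an FMC rule.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

TUNNEL_ID_MAX = 10413  # upper bound of the Tunnel ID range given in the document


def plan_vti(subnet: str, tunnel_id: int) -> dict:
    """Derive the VTI addressing from the /30 chosen for the tunnel.

    Returns the interface address (first usable host, an assumption made
    here) and the PBR "Send To" next hop (second usable host, as the
    document states). Raises ValueError for input the firewall would reject
    or that the document advises against.
    """
    net = ipaddress.ip_network(subnet, strict=True)  # rejects host bits set
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{subnet}: the VTI link must be an IPv4 /30")
    if not any(net.subnet_of(r) for r in NON_ROUTABLE):
        raise ValueError(f"{subnet}: choose the /30 from a non-routable range")
    if not 0 <= tunnel_id <= TUNNEL_ID_MAX:
        raise ValueError(f"tunnel id {tunnel_id} is outside 0-{TUNNEL_ID_MAX}")
    hosts = list(net.hosts())  # a /30 has exactly two usable addresses
    return {
        "tunnel_id": tunnel_id,
        "vti_ip": f"{hosts[0]}/{net.prefixlen}",
        "send_to": str(hosts[1]),
    }


def pbr_diverts(src_ip: str, dst_ip: str, internal_nets, inspected_nets) -> bool:
    """True when a flow matches the PBR match ACL and is sent to the VTI next hop.

    Source Networks define the internal traffic; Destination Networks are the
    remote networks that Umbrella must inspect (0.0.0.0/0 sends everything).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    from_internal = any(src in ipaddress.ip_network(n) for n in internal_nets)
    to_inspected = any(dst in ipaddress.ip_network(n) for n in inspected_nets)
    return from_internal and to_inspected


if __name__ == "__main__":
    # Constructed values: the document's example /30 and a placeholder LAN.
    plan = plan_vti("169.254.72.0/30", 1)
    print(plan)  # vti_ip 169.254.72.1/30, send_to 169.254.72.2
    print(pbr_diverts("10.1.1.5", "192.0.2.44", ["10.1.0.0/16"], ["0.0.0.0/0"]))
```

Run it with a real /30 to confirm the Send To value before entering it in FMC; a host address such as 169.254.72.1/30 raises ValueError rather than silently producing the wrong next hop.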
Completed PBR:
![Completed PBR Configuration](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-18.png)
Make note of the ingress interface; it is needed later for the Access Control Policy (ACP) and Network Address Translation (NAT) configuration.
Save Configuration and Deploy to the Firewall.
Configure NAT and ACP
Navigate to Devices > NAT.
Create a new manual NAT rule like this:
![Create a New NAT Rule](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-19.png)
- Source Interface – Internal protected source.
- Destination Interface – Any – This allows the traffic to be diverted to the VTI.
Translation:
![Configure Translation](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-20.png)
- Original and Translated Source - Internal protected network object
- Original and Translated Destination – any4 – 0.0.0.0/0
Navigate to Policy > Access Control.
Create a new ACP rule like this:
![Create a New ACP Rule](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-21.png)
- Source Zone – Internal Protected Source.
- Destination Zone – VTI Zone – This allows the traffic to be diverted to the VTI.
Networks:
![Define Permitted Traffic](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-22.png)
- Source Networks - Internal protected network object(s)
- Destination Networks – any4 – 0.0.0.0/0
Save the configuration and deploy it to the Firewall.
Verify
Site-to-Site Monitoring
Verify tunnel status with the Secure Firewall Management Center (FMC) Site-to-Site Monitoring tool.
Navigate to Devices > Site to Site Monitoring.
![Navigate to Site-to-Site Monitoring](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-23.png)
Verify that the tunnel status is now connected:
![Verify Tunnel Status in FMC](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-24.png)
Hovering the cursor over the topology displays more detailed options. These can be used to inspect packets moving in and out of the tunnel, along with tunnel uptime and various other tunnel statistics.
Umbrella Dashboard
From the Dashboard, navigate to Active Network Tunnels. A blue ring indicates that the tunnel is connected.
![Verify Tunnel Status in Umbrella Dashboard](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-25.png)
Expand the appropriate tunnel in order to see more details about traffic flowing through the tunnel:
![show details of VPN in Umbrella Dashboard](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-26.png)
The tunnel shows as Active with data traversing it.
Internal Host
From an internal host whose traffic traverses the tunnel, perform a public IP lookup from a web browser. If the public IP shown falls inside these two ranges, the device is now protected by SIG.
![Internal Host Verification Test](/c/dam/en/us/support/docs/security/secure-firewall-threat-defense/220661-secure-firewall-configure-umbrella-sec-27.png)
Firewall Threat Defense CLI
Show commands:
show crypto ikev2 sa
show crypto ipsec sa
show vpn-sessiondb l2l filter ipaddress Umbrella-DC-IP
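A scripted version of the first CLI check above, as an added Python example that is not part of the Cisco document: it parses the output of show crypto ikev2 sa, picks the SA whose peer is the Umbrella data center, and reports whether it is READY with the 14400-second Phase 1 lifetime the document specifies. The sample output is constructed in the layout FTD prints, with documentation addresses (203.0.113.10 for the FTD, 198.51.100.5 standing in for the Umbrella DC IP) rather than real endpoints; adjust the regular expressions if your software version prints the columns differently.

```python
import re

# Constructed sample of "show crypto ikev2 sa" output. Addresses are
# documentation placeholders, not real Umbrella data-center IPs.
SAMPLE_IKEV2_SA = """\
IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                Status   Role
3151313391 203.0.113.10/500     198.51.100.5/500      READY    INITIATOR
      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 14400/1210 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x1a2b3c4d/0x5e6f7a8b
"""

# One SA row: tunnel id, local addr/port, remote addr/port, status, role.
TUNNEL_ROW = re.compile(
    r"^\s*(?P<tid>\d+)\s+(?P<local>[\d.]+)/(?P<lport>\d+)\s+"
    r"(?P<remote>[\d.]+)/(?P<rport>\d+)\s+(?P<status>\S+)\s+(?P<role>\S+)\s*$"
)
ENCR_LINE = re.compile(
    r"Encr:\s*(?P<encr>\S+),\s*keysize:\s*(?P<keysize>\d+).*DH Grp:\s*(?P<dh>\d+)"
)
LIFE_LINE = re.compile(r"Life/Active Time:\s*(?P<life>\d+)/(?P<active>\d+)\s*sec")

EXPECTED_P1_LIFETIME = 14400  # Phase 1 lifetime given in the document


def parse_ikev2_sa(text: str) -> list:
    """Return one dict per IKEv2 SA found in the show output."""
    sas = []
    for line in text.splitlines():
        m = TUNNEL_ROW.match(line)
        if m:
            sas.append({
                "tunnel_id": int(m["tid"]),
                "local": m["local"],
                "remote": m["remote"],
                "remote_port": int(m["rport"]),
                "status": m["status"],
                "role": m["role"],
            })
            continue
        if not sas:
            continue  # header lines before the first SA row
        m = ENCR_LINE.search(line)
        if m:
            sas[-1].update(encr=m["encr"], keysize=int(m["keysize"]), dh_group=int(m["dh"]))
            continue
        m = LIFE_LINE.search(line)
        if m:
            sas[-1].update(lifetime=int(m["life"]), active=int(m["active"]))
    return sas


def check_umbrella_tunnel(text: str, dc_ip: str) -> dict:
    """Summarise the SA to the Umbrella data center; 'ok' is True only when READY."""
    for sa in parse_ikev2_sa(text):
        if sa["remote"] != dc_ip:
            continue
        problems = []
        if sa["status"] != "READY":
            problems.append(f"status is {sa['status']}")
        if sa.get("lifetime") != EXPECTED_P1_LIFETIME:
            problems.append(f"phase 1 lifetime {sa.get('lifetime')} != {EXPECTED_P1_LIFETIME}")
        return {"found": True, "ok": not problems, "problems": problems, "sa": sa}
    return {"found": False, "ok": False, "problems": [f"no IKEv2 SA to {dc_ip}"], "sa": None}


if __name__ == "__main__":
    print(check_umbrella_tunnel(SAMPLE_IKEV2_SA, "198.51.100.5"))
```

Feed it the real output (for example, captured over SSH on a schedule) and alert on ok being False; an SA that is absent or stuck in a state other than READY is the point at which the IKEv2 debugs and the ISAKMP capture in the Troubleshoot section become useful.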
Troubleshoot
Firewall Threat Defense CLI
IKEv2 Debugs:
debug crypto ikev2 protocol 255
debug crypto ikev2 platform 255
debug crypto ipsec 255
ISAKMP Captures:
An ISAKMP capture can be used in order to determine what is causing tunnel connectivity issues without the need for debugs. The suggested capture syntax, where name, FTD-Tunnel-Source, FTD-Public-IP and Umbrella-DC-IP are placeholders for your own values, is: capture name type isakmp interface FTD-Tunnel-Source match ip host FTD-Public-IP host Umbrella-DC-IP.