Step-by-step: Configure a Cisco ASA (v9.1) to connect to the Cloud
search cancel

Step-by-step: Configure a Cisco ASA (v9.1) to connect to the Cloud


Article ID: 171206


Updated On:


Cloud Secure Web Gateway - Cloud SWG


How do I configure a Cisco ASA device (version 9.1.1) to send IPsec traffic to the Cloud?

How do I configure an ASA to send only one (1) workstation to the Cloud...for testing purposes?


As of the writing of this knowledge base article (Feb 2013), we are using the most current versions of ASA and ASDM: 
  • Cisco ASA version: 9.1(1)
  • ASDM version: 7.1(1)52

User-added image



GOTO: Configuration > Site-to-Site VPN > Connection Profiles



Make sure that the following checkbox is ENABLED: 
"Enable inbound VPN sessions to bypass interface access lists..."
User-added image
CREATE a Site-to-Site Connection Profile:
Click the "Add" button under "Connection Profiles", and the "Add IPsec Site-to-Site Connection Profile" dialog opens.
In the "Basic" section...

User-added image
(Peer IP Address) Refer to the following KB for the "Peer IP Address" box: 
000014776: What are the IP addresses used to connect via IPsec to the Threatpulse Cloud?
In this example, we will select the IP address for the Sunnyvale location:
(Local Network) inside-network
(Remote Network) any
IKE v1 Settings > Authentication (Pre-shared Key)
This value should match the PSK value you've configured in your "Location" in your Customer Portal.
IKE v1 Settings > Encryption Algorithms (IKE Policy)
NOTE: make sure that the following recommended IKE Policy values have a high (top-level) priority, or manage them as follows...
Click the "Manage..." button
Recommended IKE Policy values are: 
User-added image
IKE v1 Settings > Encryption Algorithms (IPsec Proposal)
Click the "Select..." button
User-added image
For the IPsec Proposal (Transform Set), the recommended settings are: 
ESP Encryption: AES-256
ESP Authentication: SHA
Remain in the "Add IPsec Site-to-Site Connection Profile" dialog, and click on the "Advanced->Crypto Map Entry" section: 

User-added image
Perfect Forward Secrecy: Enable
Diffie-Hellman Group: group5
NAT-T: Disable
Your new "Connection Profile" should look similar to: 

User-added image
GOTO: Configuration > Site-to-Site VPN > Advanced > Crypto Maps
...and the following Crypto Map will have appeared (if not, click Add to create one): 
User-added image
Edit this Crypto Map, and on the "Tunnel Policy (Crypto Map) - Basic" tab, the values should have been automatically copied here.  Verify their values: 
User-added image
On the "Traffic Selection" tab, edit the "Service" field to be: tcp/http, tcp/https

User-added image
User-added image
User-added image

Your completed Crypto Map should look like: 

User-added image
GOTO: Configuration > Site-to-Site VPN > Advanced > Certificate to Connection Profile Maps > Policy
Make sure the "Use the configured rules to match a certificate to a Connection Profile" is DISABLED: 
User-added image
GOTO: Configuration > Firewall > NAT Rules
Create the Firewall NAT Rules.
Click Add, and then select Add NAT Rule Before "Network Object" NAT Rules...
User-added image
User-added image  
Source Interface: inside
Destination Interface: outside
Source Address: 
 - set to one (1) IP address to send one workstation into the Cloud tunnel (for testing), or
 - set to "any" to send all internal traffic
Service: set to "tcp/HTTP" (you might have to create a new Service Object) Note: When creating or using existing service object verify source port is defualt (1-65535) for both http and https.
...and now repeat the same steps above (Add a new NAT Rule) for the "tcp/HTTPS" service: 
User-added image
Your completed NAT Rules should look similar to: 

User-added image
TEST to see if you are now protected by the Cloud service.
Open a browser and go to:
This will show if your computer is protected by the Cloud (or not), and what Cloud DataPod you are connected to.
User-added image
GOTO: Monitoring > VPN > VPN Statistics > Sessions
In the "Monitoring" section in ASDM, verify that the IPsec Site-to-Site VPN tunnel is established: 
User-added image