Step-by-step: Configure a Cisco ASA (v9.1) to connect to the Cloud

book

Article ID: 171206

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

How do I configure a Cisco ASA device (version 9.1.1) to send IPsec traffic to the Cloud?

How do I configure an ASA to send only one (1) workstation to the Cloud...for testing purposes?

Resolution

 
As of the writing of this knowledge base article (Feb 2013), we are using the most current versions of ASA and ASDM: 
  • Cisco ASA version: 9.1(1)
  • ASDM version: 7.1(1)52

User-added image

 

 

GOTO: Configuration > Site-to-Site VPN > Connection Profiles

 

 

 
Make sure that the following checkbox is ENABLED: 
 
"Enable inbound VPN sessions to bypass interface access lists..."
 
User-added image
 
 
CREATE a Site-to-Site Connection Profile:
 
Click the "Add" button under "Connection Profiles", and the "Add IPsec Site-to-Site Connection Profile" dialog opens.
 
In the "Basic" section...

User-added image
   
(Peer IP Address) Refer to the following KB for the "Peer IP Address" box: 
 
000014776: What are the IP addresses used to connect via IPsec to the Threatpulse Cloud?
 
In this example, we will select the IP address for the Sunnyvale location: 199.19.248.164
 
(Local Network) inside-network
 
(Remote Network) any
 
IKE v1 Settings > Authentication (Pre-shared Key)
 
This value should match the PSK value you've configured in your "Location" in your Customer Portal.
 
IKE v1 Settings > Encryption Algorithms (IKE Policy)
 
NOTE: make sure that the following recommended IKE Policy values have a high (top-level) priority, or manage them as follows...
 
Click the "Manage..." button
 
Recommended IKE Policy values are: 
 
pre-share-aes-256-sha
pre-share-aes-sha
 
User-added image
 
IKE v1 Settings > Encryption Algorithms (IPsec Proposal)
 
Click the "Select..." button
 
User-added image
  
For the IPsec Proposal (Transform Set), the recommended settings are: 
 
Mode->Tunnel
 
ESP Encryption: AES-256
 
ESP Authentication: SHA
 
Remain in the "Add IPsec Site-to-Site Connection Profile" dialog, and click on the "Advanced->Crypto Map Entry" section: 

User-added image
   
Perfect Forward Secrecy: Enable
 
Diffie-Hellman Group: group5
 
NAT-T: Disable
 
Your new "Connection Profile" should look similar to: 

User-added image
 
====================
GOTO: Configuration > Site-to-Site VPN > Advanced > Crypto Maps
 
...and the following Crypto Map will have appeared (if not, click Add to create one): 
 
User-added image
 
Edit this Crypto Map, and on the "Tunnel Policy (Crypto Map) - Basic" tab, the values should have been automatically copied here.  Verify their values: 
 
 
User-added image
 
On the "Traffic Selection" tab, edit the "Service" field to be: tcp/http, tcp/https

User-added image
User-added image
User-added image

Your completed Crypto Map should look like: 

User-added image
 
====================
GOTO: Configuration > Site-to-Site VPN > Advanced > Certificate to Connection Profile Maps > Policy
 
Make sure the "Use the configured rules to match a certificate to a Connection Profile" is DISABLED: 
 
User-added image
 
====================
GOTO: Configuration > Firewall > NAT Rules
 
Create the Firewall NAT Rules.
 
Click Add, and then select Add NAT Rule Before "Network Object" NAT Rules...
 
User-added image
User-added image  
 
Source Interface: inside
 
Destination Interface: outside
 
Source Address: 
 - set to one (1) IP address to send one workstation into the Cloud tunnel (for testing), or
 - set to "any" to send all internal traffic
 
Service: set to "tcp/HTTP" (you might have to create a new Service Object) Note: When creating or using existing service object verify source port is defualt (1-65535) for both http and https.
 
...and now repeat the same steps above (Add a new NAT Rule) for the "tcp/HTTPS" service: 
 
 
User-added image
 
Your completed NAT Rules should look similar to: 

User-added image
 
====================
TEST to see if you are now protected by the Cloud service.
 
Open a browser and go to: http://test.threatpulse.com
 
This will show if your computer is protected by the Cloud (or not), and what Cloud DataPod you are connected to.
 
User-added image
 
====================
GOTO: Monitoring > VPN > VPN Statistics > Sessions
 
In the "Monitoring" section in ASDM, verify that the IPsec Site-to-Site VPN tunnel is established: 
 
User-added image
 

Attachments