Threat Defense VPN Endpoint Options
Navigation Path
Devices > Site To Site. Then click + Site To Site VPN, or edit a listed VPN topology. Click the Endpoint tab.
Fields
- Device
  Choose an endpoint node for your deployment:
  - A threat defense device managed by this management center
  - A threat defense high availability container managed by this management center
  - An Extranet device, that is, any device (Cisco or third party) not managed by this management center
- Device Name
  For extranet devices only, provide a name for this device. We recommend a name that identifies it as an unmanaged device.
- Interface
  If you chose a managed device as your endpoint, choose an interface on that managed device.
  For Point to Point deployments, you can also configure an endpoint with a dynamic interface. An endpoint with a dynamic interface can pair only with an extranet device; it cannot pair with an endpoint that is a managed device.
  You can configure device interfaces at Devices > Device Management > Add/Edit device > Interfaces.
- IP Address
  - If you chose an extranet device (a device not managed by the management center), specify an IP address for the endpoint. Select Static and specify an IP address, or select Dynamic to allow dynamic extranet devices.
  - If you chose a managed device as an endpoint, choose a single IPv4 address or multiple IPv6 addresses from the drop-down list. These IP addresses are already assigned to this interface on the managed device.
  - All endpoints in a topology must have the same IP addressing scheme. IPv4 tunnels can carry IPv6 traffic and vice versa. The Protected Networks define which addressing scheme the tunneled traffic uses.
  - If the managed device is a high-availability container, choose from a list of interfaces.
- This IP is Private
  Check the check box if the endpoint resides behind a firewall with network address translation (NAT).
  Note: Use this option only when the peer is managed by the same management center; do not use it if the peer is an extranet device.
- Public IP address
  If you checked the This IP is Private check box, specify a public IP address for the firewall. If the endpoint is a responder, specify this value.
- Connection Type
  Specify the allowed negotiation as bidirectional, answer-only, or originate-only. Supported combinations for the connection type are:

  Connection Type Supported Combinations
  Remote Node        Central Node
  Originate-Only     Answer-Only
  Bi-Directional     Answer-Only
  Bi-Directional     Bi-Directional
- Certificate Map
  Choose a preconfigured certificate map object, or click Add to add a certificate map object. The certificate map defines what information must be present in the received client certificate for it to be valid for VPN connectivity. See Certificate Map Objects for details.
- Protected Networks
  Caution (Hub and Spoke topology): To avoid traffic drops with a dynamic crypto map, do not select the protected network any for both endpoints. If the protected network is configured as any on both endpoints, the crypto ACL that the tunnel relies on is not generated.
  Defines the networks that are protected by this VPN endpoint. Select the networks by choosing the Subnet/IP Address entries that define the networks protected by this endpoint. Click Add to select from available Network Objects or add new Network Objects. See Creating Network Objects. Access control lists are generated from the choices made here.
  - Subnet/IP Address (Network): VPN endpoints cannot have the same IP address, and protected networks in a VPN endpoint pair cannot overlap. If the protected networks for an endpoint contain IPv4 or IPv6 entries, the other endpoint's protected network must have at least one entry of the same type (IPv4 or IPv6). If it does not, the other endpoint's IP address must be of the same type and must not overlap with the entries in the protected network. (Use /32 CIDR address blocks for IPv4 and /128 CIDR address blocks for IPv6.) If both of these checks fail, the endpoint pair is invalid.
    Note: By default, Reverse Route Injection is enabled in management center.
    Subnet/IP Address (Network) remains the default selection.
    When you have selected Protected Networks as Any and observe default route traffic being dropped, disable Reverse Route Injection: choose VPN > Site to Site > edit a VPN > IPsec, and uncheck Enable Reverse Route Injection. Deploy the configuration changes to remove set reverse-route (Reverse Route Injection) from the crypto map configuration and remove the VPN-advertised reverse route that causes the reverse tunnel traffic to be dropped.
  - Access List (Extended): An extended access list lets you control the type of traffic that this endpoint accepts, such as GRE or OSPF traffic. Traffic may be restricted either by address or by port. Click Add to add access control list objects.
    Note: Access Control List is supported only in the point to point topology.
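The Connection Type combination table and the Subnet/IP Address pairing rules above can be checked before a topology is deployed. The following Python is an added example, not Cisco code and not part of the management center; it applies the page's rules literally, and the endpoint addresses and networks in the tests are constructed sample values.

```python
import ipaddress

# Added example, not Cisco code: encodes the Connection Type combination table
# and the Protected Networks endpoint-pair rules from this page as checks that
# can be run against a planned topology before it is deployed.

# (remote node, central node) pairs from the Connection Type table
ALLOWED_CONNECTION_PAIRS = {
    ("Originate-Only", "Answer-Only"),
    ("Bi-Directional", "Answer-Only"),
    ("Bi-Directional", "Bi-Directional"),
}


def connection_types_ok(remote, central):
    """True if the remote/central node connection types are a supported pair."""
    return (remote, central) in ALLOWED_CONNECTION_PAIRS


def _overlaps(nets_a, nets_b):
    # Networks of different IP versions never overlap.
    return any(a.version == b.version and a.overlaps(b)
               for a in nets_a for b in nets_b)


def _peer_covers(my_nets, peer_nets, peer_ip):
    # For each address family present in my protected networks, the peer must
    # either list a protected network of that family, or its endpoint IP (as a
    # /32 or /128 block) must be of that family and not overlap my entries.
    for version in {n.version for n in my_nets}:
        if any(n.version == version for n in peer_nets):
            continue
        peer_host = ipaddress.ip_network(peer_ip)  # bare address -> /32 or /128
        mine = [n for n in my_nets if n.version == version]
        if peer_host.version == version and not _overlaps([peer_host], mine):
            continue
        return False
    return True


def endpoint_pair_valid(ip_a, protected_a, ip_b, protected_b):
    """Apply the page's rules to one endpoint pair; returns True if valid."""
    nets_a = [ipaddress.ip_network(n, strict=False) for n in protected_a]
    nets_b = [ipaddress.ip_network(n, strict=False) for n in protected_b]
    if ipaddress.ip_address(ip_a) == ipaddress.ip_address(ip_b):
        return False  # endpoints cannot share an IP address
    if _overlaps(nets_a, nets_b):
        return False  # protected networks in a pair cannot overlap
    return _peer_covers(nets_a, nets_b, ip_b) and _peer_covers(nets_b, nets_a, ip_a)
```

Run the checks over every endpoint pair in a topology; a False result points at a pair the management center will reject or that will not build a usable crypto ACL.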
- Exempt VPN traffic from network address translation
  Check this check box to exempt the VPN traffic from the Network Address Translation (NAT) rules.
  If you do not exempt the VPN traffic from the NAT rules, the traffic is dropped or is not routed through the VPN tunnel to the remote device. After you enable this option, you can view the NAT exemptions for the device on the NAT policy page (Device > NAT > NAT Exemptions).
- Inside interfaces directly connected to the internal network
  Specify the security zone or interface group for the inside interface(s) where the protected networks reside. By default, the inside interface is any.
  Click + to configure one or more interfaces from a security zone or an interface group that can map to one or more inside interfaces. Ensure that the interface type of the security zone or interface group is Routed.
- Advanced Settings
  - Enable Dynamic Reverse Route Injection: Reverse Route Injection (RRI) enables routes to be automatically inserted into the routing process for the networks and hosts protected by a remote tunnel endpoint. Dynamic RRI routes are created only upon the successful establishment of IPsec security associations (SAs).
    Note:
    - Dynamic RRI is supported only on IKEv2; it is not supported on IKEv1 or IKEv1 + IKEv2.
    - Dynamic RRI is not supported on an originate-only peer, a Full Mesh topology, or an Extranet peer.
    - In Point-to-Point, only one peer can have dynamic RRI enabled.
    - Between Hub and Spoke, only one of the endpoints can have dynamic RRI enabled.
    - Dynamic RRI cannot be combined with a dynamic crypto map.