This wizard simplifies tunnel creation from Firewall Threat Defense devices to Secure Access by automating multiple steps.
Procedure
Step 1 | Choose , and click Add. |
Step 2 | In the Topology Name field, enter a name for the SASE topology. |
Step 3 | Click the SASE Topology radio button and click Create. |
Step 4 | Configure a Secure Access region. From the Region drop-down list, choose a Secure Access region.
A Secure Access region is a cluster of data centers in a specific geographic area.
|
Step 5 | Click Next. |
Step 6 | Configure Firewall Threat Defense nodes.
- Click Add. Configure the parameters in the Add Threat Defense Node dialog box.
- From the Device drop-down list, choose a Firewall Threat Defense device.
  Only Firewall Threat Defense devices managed by the Firewall Management Center appear in this list. Extranet devices won't appear in the list.
- From the VPN Interface drop-down list, choose a WAN-facing or internet-facing physical interface that establishes a VPN connection with Secure Access. |
Step 7 | Configure Tunnel ID and passphrase.
- In the Prefix for tunnel ID field, enter a prefix of 8 to 30 characters. The prefix can contain letters, numbers, period (.), underscore (_), and dash (-).
  Secure Access uses this prefix to generate the complete tunnel ID after the Firewall Management Center deploys the tunnel on Secure Access. The tunnel ID format is <prefix>@<org><hub>.sse.cisco.com.
- In the Passphrase field, enter a passphrase of 16 to 64 characters. The passphrase must contain at least one upper-case letter, one lower-case letter, and one number, and cannot include special characters.
  The passphrase is auto-generated. However, you can regenerate it or enter a different passphrase.
- Confirm the passphrase.
- Click Next. |
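As an added example (not Cisco's code or the wizard's own validator), the following Python checks a prefix and passphrase against the rules stated in this step, generates a compliant passphrase from the OS CSPRNG, and composes the resulting tunnel ID. It assumes "letter" means an ASCII letter and that the org and hub values are supplied by Secure Access.

```python
import re
import secrets
import string

# Rules as stated by the wizard (Step 7). "Letter" is read as ASCII letter
# here; that reading is an assumption.
PREFIX_CHARS = re.compile(r"[A-Za-z0-9._-]*")
PREFIX_MIN, PREFIX_MAX = 8, 30
PASSPHRASE_MIN, PASSPHRASE_MAX = 16, 64


def check_prefix(prefix: str) -> list[str]:
    """Return the rule violations for a tunnel ID prefix (empty list = valid)."""
    errors = []
    if not PREFIX_MIN <= len(prefix) <= PREFIX_MAX:
        errors.append(f"prefix must be {PREFIX_MIN} to {PREFIX_MAX} characters")
    if not PREFIX_CHARS.fullmatch(prefix):
        errors.append("prefix may only contain letters, digits, '.', '_' and '-'")
    return errors


def check_passphrase(pw: str) -> list[str]:
    """Return the rule violations for a tunnel passphrase (empty list = valid)."""
    errors = []
    if not PASSPHRASE_MIN <= len(pw) <= PASSPHRASE_MAX:
        errors.append(f"passphrase must be {PASSPHRASE_MIN} to {PASSPHRASE_MAX} characters")
    if not any(c.isupper() for c in pw):
        errors.append("passphrase needs an upper-case letter")
    if not any(c.islower() for c in pw):
        errors.append("passphrase needs a lower-case letter")
    if not any(c.isdigit() for c in pw):
        errors.append("passphrase needs a number")
    if not all(c.isascii() and c.isalnum() for c in pw):
        errors.append("passphrase must not contain special characters")
    return errors


def generate_passphrase(length: int = 32) -> str:
    """Draw a passphrase from the CSPRNG until it satisfies check_passphrase()."""
    if not PASSPHRASE_MIN <= length <= PASSPHRASE_MAX:
        raise ValueError("length outside the allowed range")
    alphabet = string.ascii_letters + string.digits  # letters and numbers only
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_passphrase(pw):
            return pw


def tunnel_id(prefix: str, org: str, hub: str) -> str:
    """Compose the <prefix>@<org><hub>.sse.cisco.com form for a valid prefix."""
    errors = check_prefix(prefix)
    if errors:
        raise ValueError("; ".join(errors))
    return f"{prefix}@{org}{hub}.sse.cisco.com"
```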
Step 8 | Configure NAT or routing.
- Check the Enable NAT/outbound only check box to enable Network Address Translation (NAT) for correct routing and identification.
  Use this option if the IP address of the subnet behind this tunnel group overlaps with the IP address in your network. When this option is selected, the tunnel group supports outbound traffic only and cannot provide access to private applications hosted at this site.
  Note: Routing options are unavailable when the network contains overlapping subnets.
- Configure one of these options for Routing:
  - Click the Static routing radio button.
    Use the Network IP addresses field to add IP addresses of networks for this tunnel group. Add all public and private addresses used internally by your organization.
  - Click the Dynamic routing radio button.
    Use this option to advertise your internal networks over BGP.
    In the AS number field, enter the AS number of the device. This value must match the device BGP AS number in the routing settings of the device.
- Click Next. |
Step 9 | Check the Deploy to Threat Defense devices check box to trigger deployment of all configurations besides the Secure Access auto tunnel configurations that are yet to be deployed on the device. |
Step 10 | Click Finish to save and validate the configurations, and create the SASE topology.
This wizard now performs these actions:
- Saves all Firewall Threat Defense device configurations in Firewall Management Center.
- Pushes the configuration to Secure Access.
- Creates virtual tunnel interfaces (VTIs) on the device.
- Creates a SASE VPN topology.
- Triggers deployment of all configurations besides the Secure Access auto tunnel configurations that are yet to be deployed on the device if the Deploy to Threat Defense devices option is enabled.
- Opens the Configuration of Secure Access Tunnels dialog box, which displays the status of the tunnel deployment on Secure Access.
  Click the Transcript Details button to view the transcript details such as the APIs, request payload, and the response received from Secure Access. |
You can view the SASE topology in the Site-to-Site VPN & SD-WAN page.
What to do next
- Create an extended Access Control List (ACL).
  This ACL defines the specific DNS and web traffic intended for routing through the tunnel to Secure Access. For more information, see Configure Extended ACL Objects.
- Create a policy-based routing (PBR) policy.
  Use the above extended ACL within a policy-based routing policy to direct the defined DNS and web traffic through the tunnel to Secure Access for security inspection. For more information, see Configure policy-based routing policy.
- When you create multiple SASE topologies for a multi-ISP setup, configure ECMP zones with the VPN interfaces to load balance application traffic.
- Validate Secure Access integration with Firewall Threat Defense devices.