Configure automatic tunnel between Secure Access and Firewall Threat Defense devices using SASE wizard

The SASE wizard simplifies tunnel creation from Firewall Threat Defense devices to Secure Access by automating multiple steps.

Procedure

Step 1

Choose Secure Connections > Site-to-Site VPN & SD-WAN, and click Add.

Step 2

In the Topology Name field, enter a name for the SASE topology.

Step 3

Click the SASE Topology radio button and click Create.

Step 4

Configure a Secure Access region by choosing a region from the Region drop-down list.

A Secure Access region is a cluster of data centers in a specific geographic area.

Step 5

Click Next.

Step 6

Configure Firewall Threat Defense nodes:

  1. Click Add and configure the parameters in the Add Threat Defense Node dialog box.

  2. From the Device drop-down list, choose a Firewall Threat Defense device.

    Note

    Only Firewall Threat Defense devices managed by Cloud-Delivered Firewall Management Center are displayed in this list. Extranet devices won't appear in the list.

  3. From the VPN Interface drop-down list, choose a WAN-facing or internet-facing physical interface that establishes a VPN connection with Secure Access.

Step 7

Configure Tunnel ID and passphrase.

  1. In the Prefix for tunnel ID field, enter a prefix of 8 to 30 characters. The prefix can contain letters, numbers, periods (.), underscores (_), and dashes (-).

    Secure Access uses this prefix to generate the complete tunnel ID after the Cloud-Delivered Firewall Management Center deploys the tunnel in Secure Access. The tunnel ID format is <prefix>@<org><hub>.sse.cisco.com.

  2. The passphrase is auto-generated, but you can regenerate it or enter a different one. In the Passphrase field, enter a passphrase of 16 to 64 characters. The passphrase must contain at least one uppercase letter, one lowercase letter, and one number, and cannot include special characters.

  3. Confirm the passphrase.

  4. Click Next.
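The prefix and passphrase rules above are easy to get wrong when a tunnel ID is scripted or prepared in advance. The following is an added example (not code from the Cisco documentation or product) that checks a prefix and passphrase against the documented rules, generates a compliant passphrase with the `secrets` module, and composes the tunnel ID in the documented form `<prefix>@<org><hub>.sse.cisco.com`. The `org` and `hub` values are assigned by Secure Access; the ones used here are placeholders.

```python
import re
import secrets
import string

# Rules taken from Step 7 of the wizard documentation.
PREFIX_MIN, PREFIX_MAX = 8, 30
PREFIX_EXTRA = "._-"          # allowed besides ASCII letters and digits
PASSPHRASE_MIN, PASSPHRASE_MAX = 16, 64


def _is_ascii_alnum(c: str) -> bool:
    # str.isalnum() also accepts non-ASCII letters, so restrict to ASCII.
    return c.isascii() and c.isalnum()


def check_tunnel_prefix(prefix: str) -> list[str]:
    """Return the list of rule violations for a tunnel ID prefix (empty list = valid)."""
    problems = []
    if not PREFIX_MIN <= len(prefix) <= PREFIX_MAX:
        problems.append(f"length {len(prefix)} is outside {PREFIX_MIN}-{PREFIX_MAX} characters")
    bad = sorted({c for c in prefix if not (_is_ascii_alnum(c) or c in PREFIX_EXTRA)})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def check_passphrase(passphrase: str) -> list[str]:
    """Return the list of rule violations for a passphrase (empty list = valid)."""
    problems = []
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        problems.append(
            f"length {len(passphrase)} is outside {PASSPHRASE_MIN}-{PASSPHRASE_MAX} characters"
        )
    if not any(c.isupper() for c in passphrase):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in passphrase):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digit")
    special = sorted({c for c in passphrase if not _is_ascii_alnum(c)})
    if special:
        problems.append("special characters are not allowed: " + "".join(special))
    return problems


def generate_passphrase(length: int = 32) -> str:
    """Generate a random passphrase that satisfies the rules, using a CSPRNG."""
    if not PASSPHRASE_MIN <= length <= PASSPHRASE_MAX:
        raise ValueError(f"length must be {PASSPHRASE_MIN}-{PASSPHRASE_MAX}")
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over compliant strings.
        if not check_passphrase(candidate):
            return candidate


def build_tunnel_id(prefix: str, org: str, hub: str) -> str:
    """Compose the documented tunnel ID form <prefix>@<org><hub>.sse.cisco.com.

    org and hub are values assigned by Secure Access; callers pass the real
    ones. The prefix is validated first so an invalid ID is never produced.
    """
    problems = check_tunnel_prefix(prefix)
    if problems:
        raise ValueError("invalid prefix: " + "; ".join(problems))
    return f"{prefix}@{org}{hub}.sse.cisco.com"


if __name__ == "__main__":
    # Constructed sample values; "exampleorg" and "hub1" are placeholders.
    prefix = "branch-01.ftd"
    print("prefix problems:", check_tunnel_prefix(prefix))
    print("tunnel ID:", build_tunnel_id(prefix, "exampleorg", "hub1"))
    pp = generate_passphrase(24)
    print("generated passphrase OK:", check_passphrase(pp) == [])
    print("weak passphrase problems:", check_passphrase("correcthorse2024"))
```

Run the checks before pasting values into the wizard; a passphrase that fails `check_passphrase` will be rejected by the wizard anyway, and the generator produces one from a cryptographically secure source rather than a hand-typed pattern.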

Step 8

Configure NAT or routing:

  1. Check the Enable NAT/outbound only check box to enable Network Address Translation (NAT) for correct routing and identification.

    Use this option if the IP addresses of the subnet behind this tunnel group overlap with addresses already used in your network. When this option is selected, the tunnel group supports only outbound traffic and cannot provide access to private applications hosted at this site.

    Note

    Routing options are unavailable when the network contains overlapping subnets.

  2. Configure one of these options for Routing:

    • Click the Static routing radio button.

      Use the Network IP addresses field to add the IP addresses of networks for this tunnel group. Add all the public and private addresses used internally by your organization.

    • Click the Dynamic routing radio button.

      Use this option to advertise your internal networks over BGP.

      In the AS number field, enter the AS number of the device. This value must match the device's BGP AS number in the routing settings of the device.

  3. Click Next.

Step 9

Check the Deploy to Threat Defense devices check box to trigger deployment of the Secure Access auto tunnel configuration together with all other configurations that are not yet deployed on the device.

Step 10

Click Finish to save and validate the configurations, and create the SASE topology.

The wizard performs these actions:

  • Saves all Firewall Threat Defense device configurations in Cloud-Delivered Firewall Management Center.

  • Pushes the configurations to Secure Access.

  • Creates virtual tunnel interfaces (VTIs) on the device.

  • Creates a SASE VPN topology.

  • Triggers deployment of the Secure Access auto tunnel configuration together with all other configurations that are not yet deployed on the device, if the Deploy to Threat Defense devices option is enabled.

  • Opens the Configuration of Secure Access Tunnels dialog box, which displays the status of the tunnel deployment in Secure Access.

    Click the Transcript Details (preview icon) button to view transcript details such as the APIs, request payload, and the responses received from Secure Access.

You can view the SASE topology in the Site-to-Site VPN & SD-WAN page (Secure Connections > Site-to-Site VPN & SD-WAN).

What to do next

  1. Create an extended Access Control List (ACL).

    This ACL defines the specific DNS and web traffic intended for routing through the tunnel to Secure Access. For more information, see Configure Extended ACL Objects.

  2. Create a policy-based routing (PBR) policy.

    Use the newly created extended ACL within a policy-based routing policy to direct the defined DNS and web traffic through the tunnel to Secure Access for security inspection. For more information, refer to Configure policy-based routing policy.

  3. When you create multiple SASE topologies for a multi-ISP setup, configure ECMP zones with the VPN interfaces to balance the load of application traffic.

  4. Perform validation. For more information, refer to Validate Secure Access integration with Firewall Threat Defense devices.