Cisco Firepower - Site to Site VPN

Captions
Hey folks, welcome back. This is Joel, and we will continue with our discussion on Firepower. In this video we'll talk about site-to-site VPNs. Now, I think the last video in this series was on policies, if I'm not wrong, and we did a little bit of fun stuff around access policies. I really did not find some time to record much around, you know, malware and intrusion and file policies, but, you know, probably if I get some time in future maybe I'll do a couple of videos there. But yeah, I've been playing around with the VPN, so let's get around and do some site-to-site VPN in this video. So what we'll be doing is the VPN between the branch FTD and my HA1, which is here, between these both guys. So that's what we'll be getting into.

Now, just to give you a recap, our branch FTD is managed by FDM, the on-box FDM, whereas our campus or headquarters FTD is managed by FMC. So you'll basically get to see both the flavors in this particular configuration: on one side we'll be doing it using FDM, on the other side we'll be doing it using FMC.

All right, so let's jump on to my FDM, I guess. So let's see, this one looks good. Let me also get my FMC up meanwhile. All right, so this is my FDM, and you can roll back to probably the first or second video in the whole series where I kind of give you a glimpse of how you can do your basic configuration using FDM. Now we'll be doing the site-to-site VPN. So for site-to-site VPN you've got to come down, and you see there is an option here, we have Configuration, got to click on that. Right now there is no VPN, so you see this, let's click on the first VPN, let's create the first one. Now we'll have to give a name. What name do we give? Again, I'm not going to explain what VPN is and how the whole phase one, phase two and IKEv1, IKEv2 works, because all of that I've covered extensively in my older VPN videos. We have also covered VPN a bit in ASA as well, you can go back and check my channel. But that being said, let's concentrate on the site-to-site VPN and this one.

So it's going to be VPN to the headquarters, let's give that as the name, because right now I'm on my branch device. So that's going to be the name. The name can be anything, it's just a profile name, locally significant. What is the interface, what will be the terminating point, or where is this VPN going to terminate? That's going to be our outside interface. This is the one, let me show you the diagram. So the outside interface, which is Gigabit 0/0. So in this, Gigabit 0/0 is the outside one and 0/1 is the inside interface of that FTD. Cool, so that's done, outside.

And what will be the local network? Local network, basically we are trying to tell what traffic has to be encrypted and sent over the VPN, what traffic has to be tunneled through. So for that you have to define, in our case, if you look at my diagram, what is the network? It is 192.168.45.0, and I don't see that network, so we'll probably have to create a new object here. So let's call this Branch LAN, probably makes sense. The network is 192.168.45, I believe. Is it 45? Let's quickly check here: 192.168.45.0, yup, that's true. So 45.0/24 is the subnet, I think we are good, so let's say OK over there. And yeah, so we can go and select that guy over here, I'm going to say OK.

And what is the remote IP address? The remote IP address is basically where the tunnel is going to terminate, and that's going to be this one, Ethernet 0/2/0, sorry, this is actually the switch, but actually it's going to be Gigabit 0/0 of my FTD over here, and that's nothing but 192.0.2.1. So don't think about these IP addresses mentioned over here on the switch, I mean the switch is just an L2 device; these IPs are actually on your Firepower. The Gigabit 0/0 is this .1, the 0/1 is nothing but, I believe, .254 or so. So basically, yeah, I've just mentioned it over here, but they actually mean that those IPs are here on the FTD. Anyway, so let's get back, and let's mention the terminating point. I think this is the one, so it's going to be 192.0.2.1, so that's where we are going to terminate, this is the FTD HA1. Sweet.

Now, what are the remote networks where we want the VPN to work on, the networks where we want the traffic to be encrypted? So we have mentioned the local network; what is the remote network? For the remote network let's maybe put the DMZ and the server network. So let's do that. We'll have to again create the same thing, we don't have the network objects, we'll have to create them. Let's create the first one, let's call this HQ-DMZ, and the network is going to be 192.168.10.0, I believe, /24. That looks good. Meanwhile let's also create one more for the servers, which I showed there. So this is the headquarters, sorry, HQ-Servers. And what is the network? 192.168.20.0. Is it 20 or 2.0? Let me just double check that. Yeah, it's 20.0, so 192.168.20.0/24 makes sense. All right, I'm going to say OK over there. OK, so now we'll select both these guys and we're going to say OK here. So we've got both the DMZ and the servers put up there. So I think we are good, so we can say Next.

You see this brightens up here, so we have configured the green part. Now we need to put in some attributes of the VPN itself. When I say attributes, we have to tell: do we want to use IKEv1 or v2? Let's use v2. Now, even in v2 you need to mention the phase one, phase two IPsec proposal, and basically the various encryption which you're going to use, the hashing algorithm and all of that. So that's important. So let's start with the first one, the policy. For that let's use the default one. We'll have to remember this because we'll have to do the same thing on the other side as well. We are using the DES-SHA over here, so let's say it's good, encryption is done. We'll have to also do the same thing on the IPsec proposal. Right now there is nothing, so let's click on this and probably use the default set, which is again DES-SHA, for phase 2 as well. You have to select that guy, I guess. OK, we click on that and we will say OK. So that looks good, we've selected the DES-SHA, we're going to select OK here. Both of these guys are done. Are we good here? Looks good.

Next we'll have to go with the PSK or certificate. Remember, again, when you're doing VPN, the authentication part, you can either go for a pre-shared key or you can go for a CA authority and let the RSA, you know, take care of it, basically public key, private key. Let's go with the PSK in this one, it's simple, but if you want a scalable solution, always go for a certificate authority. In our case let's put in some PSK, something simple like cisco. OK, give me cisco123, I think that should work. Let's try again here as well. All right, that's done. So once that is done, the advanced option, the NAT exempt, I don't think we've got anything, nothing here, so we are good here, so let's select Next. Sweet, so that looks good, and we'll have to review here: whatever we configured till now, everything will appear here, and it looks good for now. Just remember this one, the DES-SHA, because we'll have to do the same thing on the other one as well. So we'll say Finish, and now the policy is getting cooked in the background. All right, so there you go, the policy is done and we have created the policy.

But are we ready to deploy already? Probably not. Why? Because we have also created, I mean, sorry, we have created the site-to-site VPN, but we haven't created a policy. Why do we need a policy? Because we need to tell the firewall to allow the traffic to flow through for this particular VPN. So right now there are no policy rules, and by default you see everything is blocked. So we'll have to create a new access rule, and we could give any name. Let's go with something like VPN traffic, VPN traffic to headquarters makes sense. And the default, I mean, the action is going to be Allow. You have to select the networks here, let's select our Branch LAN, and on the remote networks we'll have to select the two networks where we want the VPN to work: one is your DMZ and the other one is your servers. So select both of them, and yeah, I think that's good. I've not tried this, what is the Show Diagram? Ah, this is pretty cool, it's very intuitive, over here you're getting all the information. Anyway, so that's good, so let's go on now, click on OK here, and once this is done we can go and click Deploy, because we are good with everything. So now we can click the Deploy here. This is all it's going to push; you can have a look at the configs as well. It's going to push a bunch of VPN related stuff here, which is fine. Let's say Deploy Now and we'll say OK. So we let it do its job.

Meanwhile let's go to the FTD, because we've got to do the VPN configuration on the other side as well. So let's select that. I think in the topology I've just turned on FTD1, I've not turned on FTD2 because we'll not be using it in this one. So we are good to go, and go to this guy. So let's wait for the login to finish. Meanwhile this is happening, let's see, is it still... yeah, the deployment is in progress. Cool, so this is where we are right now. Let's go to our Devices just to show you what we have. I've broken the HA which I had configured in, I think, probably the third or fourth video in the series. I'm no longer using the HA, I have broken it, I've turned off the FTD2 and I just have FTD1 running right now. Seems to me there are a couple of errors. OK, CPU usage, that's fine. Application heartbeat is not sending, all right, that should be good. Cool, not an issue.

Anyway, so let's go with the site-to-site VPN. So we go down to Devices and there should be VPN, yeah, there you go, and we'll click on Site to Site here. So here, as we have done till now, we are not going to use Firepower, because that's for your classic devices or your Firepower 9000 devices; you're going to use FTD, Firepower Threat Defense device. So here, this is how you've got to configure here. Start with the topology name, and we'll say VPN to Branch maybe. The name doesn't matter, you can give any name. You have multiple options: you can go for full mesh, you can do hub and spoke, like your DMVPN kind of a setup. We'll go for something simple, which is point to point; we don't want a multipoint. If you want multipoint then you'll have to go for hub and spoke or a full mesh as well. So yeah, we'll go with IKEv2 because that's what we have done on the other side. And here we'll have to select Node A, because that's where the VPN is originating, that is for FTD1 or HA1. So let's click on that. Here you can select; we'll select HA1 here because that's the device, and the interface, obviously the interface where I want the VPN to originate or terminate is Ethernet, I mean basically Gigabit 0/0, the outside interface. So we will go with that guy. Bidirectional is fine, and you'll have to create the subnets here. Now again here probably we might not have them, so we'll have to create this again. So let's create the two networks, which are Headquarters DMZ. Sorry, where did I type that? My bad, let's do that again. Headquarters DMZ is good, and we would need the network in this case to be selected over there. What network is it? I believe... let's go back to my diagram: 192.168.10.0/24. All right, looks good, we'll say Save. While we are here let's create one more as well, which is your Headquarters Servers. Sweet, and network 192.168.20.0/24. Save that guy as well. OK, now we'll have to select both, the guy is added, say OK over here. So we've selected the network, I think all of that is done, we are good, so we're going to say OK. There you go, the first node is already selected and done.

Let's do the second node now. What is my second node? Obviously my FTD branch. But then you see there is no FTD branch; you'll have to select Extranet, because this is an unmanaged device, or basically at least it's a device not managed by my FMC, so it comes under Extranet. And here you can give some name, you can say FTD Branch, because that's the device with which you want to create this, your VPN pair. So yeah, you'll have to give the static IP which is 198 something, let's see, it's 198.51.101.1... OK, this is 50 and 88... 198.51.100.1, sweet, looks good. And obviously, just like how we did earlier, we'll have to provide the remote subnet here, which is the Branch LAN. I don't think it is there, we'll have to create it. So we'll create Branch LAN, and the network which is, I think, 192.168.45.0/24. Just to double check, 45.0, yes, that's correct. Sweet, so that looks good. So we are good to go and save this one, let's select this guy, add it here, say OK. This looks good: Extranet, FTD Branch, the IP looks good, all of this is good, so let's say OK here.

Are we ready to hit the Save? I think we are, or maybe we can go and do something else, let's finish up the rest of the stuff as well. So on the IKE part, here we'll have to select the IKE parameters. We are using IKEv2, yes, but then along with that we'll have to change the IKE policy. What did we use then? I think we used the DES-SHA. The pre-shared manual key, I believe we have used the manual key here, so let's use the same key, cisco123. There you go, that's good. And one more thing would be to finish the IPsec part. So what do we do in the IPsec part? In the IPsec part you will have to put the proposal. So here you go, I mean, the default itself is using the DES-SHA one. If you want to change it you can change it, but looks like by default already we are using the DES-SHA one, which is exactly what we want, but you are free to create your own proposals or use any of the default ones as well. So that is already selected for us, so I'm happy with that, and I don't have to do any other changes here, so let's keep it as is. What about Advanced? Yeah, we are going to retain all of this, so we're going to save this one. So that looks good.

So can we go and deploy it now? I think we can, we have saved it, so I think it's time to go and deploy it. This is the last part of the configuration, because there is nothing else we have done. So we'll deploy it on HA1 obviously, let's deploy. Deploy, yeah. So we have done the configuration now on both my branch as well as on this one. So it's telling something is deprecated, a warning: "... are considered insecure, please remove the deprecated ..." That's fine, I mean, now it's basically telling it might be insecure, it's just a warning, so I think we should be good. So there are no pending changes on this side, and looks like here also it's completed.

So while this is happening, let's quickly jump on to the FTD branch one and see some configurations, because here the deployment has completed, so we should have some configs pushed in. So show running-config, I think we'll have to do crypto and ikev2. OK, there we go. Sorry, ikev2, OK, there you go. So now this is the configuration which we just now pushed. You can see the IKE policy, the encryption, the hashing and the key, all of that has been pushed, so that's good. We can also probably check show running-config crypto... my bad, OK, so crypto, probably ipsec I guess, yeah, there you go, so that looks good as well. So this is the phase two part which has gone in, and we can also do show running-config crypto map, that's like one of the most common things, the crypto map under the interfaces. So let's do that, and yeah, there you go, see, you can see the peer 192.0.2.1, so that looks good. So yeah, looks good for me.

Let's go and check what's happening on the other side. Looks like, OK, so it's still in progress. Meanwhile let's probably grab our... so this is the PC which we'll use to test, this is the branch PC, using which we'll be testing our VPN. So yeah, we'll do that. All right, so we can quickly test it. There's one small issue I ran into, but I'll explain that to you once I show you the encryption happening. So let's do that. So let's go to this branch device, and from this branch device let's ping the server which is here, 192.168.20... let's see, I think it's 20.22 probably, I'm not sure, let's check that. Yeah, it's 192.168.20.22, so we've got to ping that one. I've also enabled a Wireshark capture over here on this outside interface so that we can see the packets getting encrypted, so we should be able to see that as well. So let's get to the bottom over here, yeah, there we go. So right now you can see there's some ISAKMP going in because I pinged earlier, so that's why. But anyway, let's try to test it now. So let's do ping 192.168.20.24... wait, I forgot again, was it 24 or 22? 22, sorry, so let's say 22. See, the ping is working, and at the same time if you see the packets here, you can see the ESP packet, and you can see the encapsulation. ESP basically is nothing but... it basically means that it's encrypting your packet. So that is mainly what I wanted to show. Maybe we can also check that there should be some ISAKMP packets getting exchanged as well. I don't know if I can directly search here, isakmp probably, yeah, there you go. So you see ISAKMP packets running between my 192.0.2.1, which is my FTD HA1, and 198.51.100.1, which is my branch FTD. And you can see the ISAKMP packets here, and your IPsec... that probably won't work, but that's fine. So we just now saw here at the bottom... or maybe we can run one more thing if you want to see the ESP packets again, we could do that. See, the ping is going in and you should see the ESP packets here. So the ESP packets basically are nothing but your encrypted packets. So right now, though we are doing a ping, you don't see anything because all the packets are getting encrypted and being sent. Sweet, so that's from this side.

Now let me also show you some show commands to help you with troubleshooting this. Let me just grab this guy and push it on the other side, and let's run some show commands, shall we? So if you run something like show crypto ikev2 sa, the security association, you are getting to see the IKE, or the phase one kind of, security association over here. You see that the originator, the tunnel, both the tunnel IPs are shown here, the tunnel source and destination. You can also see show crypto... or maybe, let's do, I think there's a command called show vpn... these are all troubleshooting commands that you can use: show vpn-sessiondb detail, I think, l2l. Yeah, so this will also give you information about the IPsec information: the local address, the remote address, the tunnel, how long it has been up and when the next rekey is going to happen, and you can see the packets, the transmitted and the received packets as well. And maybe for phase 2 you can do show crypto ipsec sa, and that will give you another load of information as well. So these are your troubleshooting commands. So we basically verified that the VPN is working.

Now, one thing let me just call out here is that when I tried it for the first time it did not work, because I had made a small blunder, or at least in the new release, whichever release we are running, 6.6 I think, what they have done is, let me show you. Let's go to the Edit option here and let's go to Next. So here, on your phase one side, make sure... so the default one was not working, because the default one seems to have some Diffie-Hellman groups which are deprecated. So I had to create a new one, I had to create a new DES-SHA. So what this DES-SHA was having is... I don't know, can I show you? Yeah, see, this is the new IKE policy which I had to create. I had to basically remove those deprecated Diffie-Hellman groups. So I went and removed the deprecated ones and I added these ones. So remember we got those errors when we were deploying it on the FTD2; those errors, basically you shouldn't ignore them. Make sure that you don't use any deprecated Diffie-Hellman groups, because if you use them then both the FTDs will not form the IPsec tunnels and the packets will not get encrypted, and basically there won't be connectivity. So you have to do the same thing on both the sides. I did the same thing here as well. So maybe if I show you the objects here, let me just refresh this. So on the other side as well, for phase one, I went and replaced the default DES-SHA which was there. So I replaced it, but let's go down here, let's go to the IKE policy. So this is the new one which I created, and if you see this one, you will see that I would have used the different group, and I did not use 1, 2, 5 and 24 and I used these other groups. So yeah, make sure to do that if your connectivity is not established.

Sweet, so thanks a lot guys, that was the whole thing which I wanted to show here. Now we have successfully achieved site-to-site VPN between my FTD branch and FTD HA, or basically between my branch site and my campus site. Thanks for watching, have a good one.
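As an added example (not code from the video, and not anything from Cisco), the Python below models the two tunnel endpoints as the video configures them and reports the mismatches that keep a site-to-site tunnel from coming up: peers that do not cross-match, protected networks that are not mirror images, no common IKEv2 or IPsec proposal, and the deprecated DH groups 1, 2, 5 and 24 that the FMC deploy warning complained about. The addresses and subnets are the ones from the video; the dataclass fields, the AES/SHA proposal names and the "hardened" DH group list are assumptions for illustration, not an FTD API or Cisco's defaults.

```python
"""Site-to-site VPN peer consistency check (constructed example, not Cisco's code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_network

# DH groups the video reports FMC 6.6 flagging as deprecated/insecure.
DEPRECATED_DH_GROUPS = {1, 2, 5, 24}


@dataclass(frozen=True)
class Ikev2Policy:          # assumed model of an IKEv2 (phase 1) policy
    encryption: frozenset
    integrity: frozenset
    dh_groups: frozenset


@dataclass
class VpnNode:              # assumed model of one tunnel endpoint
    name: str
    local_ip: str           # outside interface that terminates the tunnel
    peer_ip: str            # remote endpoint address
    local_nets: set         # traffic to be encrypted (crypto ACL source)
    remote_nets: set        # crypto ACL destination
    ike_policy: Ikev2Policy
    ipsec_proposals: frozenset


def _nets(cidrs):
    return {ip_network(c) for c in cidrs}


def check_pair(a: VpnNode, b: VpnNode) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    if a.peer_ip != b.local_ip or b.peer_ip != a.local_ip:
        findings.append("peer addresses do not cross-match")
    if _nets(a.local_nets) != _nets(b.remote_nets) or _nets(a.remote_nets) != _nets(b.local_nets):
        findings.append("protected networks are not mirror images (phase 2 selector mismatch)")
    for node in (a, b):     # flag deprecated groups on either side, as the deploy warning does
        bad = sorted(node.ike_policy.dh_groups & DEPRECATED_DH_GROUPS)
        if bad:
            findings.append(f"{node.name}: IKEv2 policy uses deprecated DH group(s) {bad}")
    common_enc = a.ike_policy.encryption & b.ike_policy.encryption
    common_int = a.ike_policy.integrity & b.ike_policy.integrity
    common_dh = (a.ike_policy.dh_groups & b.ike_policy.dh_groups) - DEPRECATED_DH_GROUPS
    if not (common_enc and common_int and common_dh):
        findings.append("no usable IKEv2 proposal in common (phase 1 will not negotiate)")
    if not (a.ipsec_proposals & b.ipsec_proposals):
        findings.append("no IPsec proposal in common (phase 2 will not negotiate)")
    return findings


# Constructed policies: the hardened one with groups 1/2/5/24 removed, and a
# default-style one that still carries them (proposal names are assumptions).
HARDENED_IKE = Ikev2Policy(frozenset({"AES-256"}), frozenset({"SHA256"}), frozenset({14, 19, 20}))
DEFAULT_IKE = Ikev2Policy(frozenset({"AES-256"}), frozenset({"SHA256"}), frozenset({1, 2, 5, 14, 24}))

BRANCH = VpnNode("ftd-branch (FDM)", "198.51.100.1", "192.0.2.1",
                 {"192.168.45.0/24"}, {"192.168.10.0/24", "192.168.20.0/24"},
                 HARDENED_IKE, frozenset({"AES-SHA"}))
HQ = VpnNode("ftd-ha1 (FMC)", "192.0.2.1", "198.51.100.1",
             {"192.168.10.0/24", "192.168.20.0/24"}, {"192.168.45.0/24"},
             HARDENED_IKE, frozenset({"AES-SHA"}))


def branch_hq_findings():
    return check_pair(BRANCH, HQ)                       # consistent pair -> []

def default_policy_findings():
    """HQ still on the default-style policy with the deprecated groups."""
    return check_pair(BRANCH, replace(HQ, ike_policy=DEFAULT_IKE))

def selector_mismatch_findings():
    """HQ forgot the servers subnet in its local (protected) networks."""
    return check_pair(BRANCH, replace(HQ, local_nets={"192.168.10.0/24"}))

if __name__ == "__main__":
    for fn in (branch_hq_findings, default_policy_findings, selector_mismatch_findings):
        print(fn.__name__, "->", fn() or ["OK"])
```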
Info
Channel: BitsPlease
Views: 1,153
Keywords: cisco, ftd, fmc, ngfw, vpn
Id: R0pkmvnIByo
Length: 26min 29sec (1589 seconds)
Published: Thu Dec 03 2020