Site to Site VPN with Firepower Device Manager

Captions
Hello and welcome to the Firepower Device Manager site-to-site VPN learning module. This video is part of the mini-series called Cisco Firepower Device Manager. If you haven't already seen it, please take a look at the introduction episode to get an overview of what Firepower Device Manager, or FDM, is. FDM is Cisco's new web-based simplified device manager to manage Cisco's integrated next-gen firewall on the Firepower Threat Defense software offering. In this session we will look at how to configure a site-to-site VPN using Firepower Device Manager.

A VPN is nothing but a network connection that establishes a secure tunnel between remote peers using a public source such as the Internet or some other network. VPNs use tunnels to encapsulate data packets within normal IP packets for forwarding over IP-based networks. They use encryption to ensure privacy and authentication to ensure the integrity of the data. You can create VPN connections to peer devices. All connections are point-to-point, but you can link the device into a larger hub-and-spoke or mesh VPN topology by configuring all the relevant connections. In Firepower Device Manager we support only pre-shared keys; however, support for PKI certificates is coming soon. We use IPsec protocols to protect the data. Now, FTD, or Firepower Threat Defense, can create a secure VPN tunnel between two FTDs, between an FTD and an ASA, or between an FTD and any third-party firewall.

Let's look a little bit more at what this IPsec technology is. Internet Key Exchange, or what we call IKE, is the key management protocol that is used to authenticate the IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations, or what we call SAs. This IKE negotiation comprises two phases. Phase one negotiates a security association between two IKE peers, which enables the peers to communicate securely in phase two. An IKE proposal is basically a set of algorithms that two peers use to secure the negotiation between them. IKE negotiation begins by each peer agreeing on a common shared IKE policy. This policy basically states which security parameters are used to protect subsequent IKE negotiations. Now, during phase two of this negotiation, or what we call quick mode, IKE establishes the SAs for other applications such as IPsec. Both phases use proposals when they negotiate a connection. IKE policy objects define the IKE proposals for these negotiations. The objects that you enable are the ones used when the peers negotiate a VPN connection. You cannot specify different IKE policies per connection; IKE policies are basically global, which means any enabled IKE policies are available to all VPN connections.

IPsec proposals: the IPsec proposals that we talked about define a combination of security protocols and algorithms that secure your traffic in an IPsec tunnel. There are separate IPsec proposal objects based on the IKE version, IKEv1 or IKEv2. When you create an IKEv1 IPsec proposal, you select the mode in which IPsec operates and define the required encryption and authentication types. You select single options for the algorithms; if you want to support multiple combinations in a VPN, you can create and select multiple IKEv1 IPsec proposal objects. When you create an IKEv2 IPsec proposal, you can select all the encryption and hash algorithms allowed in a VPN. The system orders the settings from the most secure to the least secure and negotiates with the peer until a match is found. This allows you to potentially send a single proposal to convey all the allowed combinations, instead of needing to send each allowed combination individually as with IKEv1. Now, a maximum of 11 IPsec proposals can be associated with one connection profile, and that could be 11 IKEv1 and 11 IKEv2. By default, FDM creates a bunch of IKEv1 and IKEv2 proposals ready to be used in a connection profile, but if you would want some more proposals, you can create as many as you want from the Objects page.

Here is the typical checklist of configuration errors that you might run into if your VPN tunnel is not coming up. Some of them, namely: IKEv1 is only enabled on one side while IKEv2 is enabled on the other side; IKEv1 is enabled on both sides but the pre-shared key is different on the local versus the remote side; when IKEv2 is enabled on both sides, either the local and/or the remote pre-shared key is incorrect; incompatibility between IKEv1 or IKEv2 policies; incompatibility between IKEv1 or IKEv2 IPsec proposals that are associated with the connection profile; perfect forward secrecy is enabled on one side and not on the other; an incorrect remote IP address, so the remote peer cannot be reached through the interface selected; the access policies restrict traffic between the endpoints; NAT policies are configured to translate the local and remote networks and NAT exempt is not configured; there is an incorrect local or remote network. There are various reasons that could cause a configuration error.

Here is the demo topology that we're going to use today to configure the site-to-site VPN. Notice on one side, on the local network, I have an FTD, and on the remote side I have an ASA, and we're going to create a VPN tunnel between the FTD and the ASA. Now, in evaluation mode, one thing to note is that only DES encryption is available for both policies and proposals; however, in fully licensed mode stronger encryptions will be available. In my scenario I am using a fully licensed mode. Also, based on the country, some encryption may not be available depending on what is set in your licensing.

Let's note the demo steps that we will be following. First we will walk through the site-to-site VPN wizard, which is available within Firepower Device Manager, to set up the connection profile. We will define the endpoints and the privacy configuration, and if you have NAT exempt or you want to select the Diffie-Hellman group for perfect forward secrecy, you can do that; for the purpose of this demo I do not need to do this. Then, walking through the wizard, we'll note the summary. This will bring up the tunnel between the FTD and the ASA. We're going to test the reachability towards the remote branch office by pinging the address of the remote host. Here is a list of CLI show commands that you can use to check the VPN tunnel, and we'll run a few of them in the demo as well. With that, let's jump into the demo.

So here is the Firepower Device Manager device dashboard, and notice I have three interfaces here: one inside, one outside, and one going to the Internet. Notice our routing here is mainly static: I have one route which is the default, and one going to the outside towards the peer gateway to the branch network. Now let's click on our Site-to-Site VPN card here, which launches the device summary. When you click on Add, it actually walks you through a site-to-site VPN wizard. Step one here is to define your endpoints, which means to identify the interface on this device which would be your local VPN access interface. You can select it from the drop-down here based on the objects that you've created. Along with that, you want to specify your remote IP address, or the remote peer interface IP address, and then define what your local network would be, again picking from the drop-down here, which is defined as objects, and your remote network. So you're basically identifying your local and remote networks that can use the connection. Traffic between these networks is protected using the privacy configuration, which is step two, where you want to select the Internet Key Exchange, or IKE, policy and enter the pre-shared key needed to authenticate the VPN connection. Then you also want to select the IPsec proposal. Take a look at the IKE policies: notice there are some created by default within the FTD, for both IKE policies and IPsec proposals, but if you want to add a new IPsec proposal or IKE policy, simply click on Create New and create your own IKE policy or IPsec proposal. Once you've done that, you can select it and hit OK. You have some additional options here which I have not used for the demo: if there is any network that you would like to exempt from NAT, you want to select that here, and the perfect forward secrecy algorithms, if you want to select that. On step three you will see the summary of what you just configured for the VPN; hit Finish, and that's it, you have your configuration for site-to-site VPN done on the FTD. Don't forget to hit Deploy to actually deploy this configuration onto the FTD device.

Now, while it is deploying, let's quickly go and look at our configuration here on the ASA. I have the IPsec configured on the ASA side, which you can take a look at, as well as the IKEv2 configuration, to make sure that it matches, and you can also look at your interfaces and other IPsec configurations. Like we mentioned, make sure that NAT exempt is configured. Similarly, once it's deployed, you will see a similar type of configuration on your FTD. So here is my FTD, and I'm running exactly the same commands that I'm used to on the ASA on the FTD, and notice the configuration that was pushed by Firepower Device Manager onto the device. Similarly, we can also check for the SAs on the FTD. Once that's done, let's run a quick check with a ping test. So let me ping the branch, which is my remote network or remote host, from my inside host. I see the pings going through. On the ASA you see I'm seeing ICMP echo requests and responses coming back from the remote host, which is 172.16.255.20. And let's go ahead and check the SAs being created on the FTD; notice we see the SAs created here. You can also check other statuses. And let's do the same thing on the ASA to make sure we are looking at the correct connection. Run the same commands as you're used to, the same show commands on both the FTD and the ASA, and verify that the VPN connection is actually active. And that's it. Thank you for joining me today on this demo of Firepower Device Manager configuring site-to-site VPN, and don't forget to be on the lookout for more videos to learn more about Firepower Device Manager. Thank you again.
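As an added example (not from the video or any Cisco tool), here is a small Python checker that encodes the configuration-error checklist from the captions as peer-to-peer consistency tests, the same comparisons you would make by hand from the show commands on both the FTD and the ASA. The two peer dictionaries are constructed to mimic the demo topology; every address, key and policy name in them is made up.

```python
# Constructed peer configs mimicking the demo (FTD one side, ASA other); IPs, keys, names made up.
FTD = {
    "outside_ip": "203.0.113.10", "peer_ip": "198.51.100.20",
    "local_net": "10.10.0.0/24", "remote_net": "172.16.255.0/24",
    "ike_versions": {2}, "psk": {"local": "s3cret", "remote": "s3cret"},
    "ike_policies": {2: {"AES256-SHA256-DH14"}},
    "ipsec_proposals": {2: {"AES256-SHA256", "AES-GCM"}},
    "pfs_group": None,  # PFS not used in the demo
    "nat_on_vpn_traffic": True, "nat_exempt": True,
}
ASA = {
    "outside_ip": "198.51.100.20", "peer_ip": "203.0.113.10",
    "local_net": "172.16.255.0/24", "remote_net": "10.10.0.0/24",
    "ike_versions": {2}, "psk": {"local": "s3cret", "remote": "s3cret"},
    "ike_policies": {2: {"AES256-SHA256-DH14", "3DES-SHA1-DH2"}},
    "ipsec_proposals": {2: {"AES256-SHA256"}},
    "pfs_group": None,
    "nat_on_vpn_traffic": True, "nat_exempt": True,
}

def check_peers(a, b):
    """Return the checklist items that would keep the tunnel between a and b from coming up."""
    problems = []
    common = a["ike_versions"] & b["ike_versions"]
    if not common:
        problems.append("IKE version enabled on only one side")
    for v in sorted(common):
        if not a["ike_policies"].get(v, set()) & b["ike_policies"].get(v, set()):
            problems.append(f"no compatible IKEv{v} policy")
        if not a["ipsec_proposals"].get(v, set()) & b["ipsec_proposals"].get(v, set()):
            problems.append(f"no compatible IKEv{v} IPsec proposal")
    # IKEv2 keys are directional: what a presents must be what b expects, and vice versa
    if a["psk"]["local"] != b["psk"]["remote"] or b["psk"]["local"] != a["psk"]["remote"]:
        problems.append("local/remote pre-shared key mismatch")
    if a["pfs_group"] != b["pfs_group"]:
        problems.append("PFS enabled on one side only (or different DH groups)")
    if a["peer_ip"] != b["outside_ip"] or b["peer_ip"] != a["outside_ip"]:
        problems.append("remote peer IP does not match the peer's VPN interface")
    if a["local_net"] != b["remote_net"] or a["remote_net"] != b["local_net"]:
        problems.append("local and remote networks are not mirrored")
    for side, p in (("a", a), ("b", b)):
        if p["nat_on_vpn_traffic"] and not p["nat_exempt"]:
            problems.append(f"{side}: NAT translates VPN traffic but NAT exempt is missing")
    return problems

def broken_asa():  # ASA variant with two classic mistakes: wrong expected key, PFS on one side
    return {**ASA, "psk": {"local": "s3cret", "remote": "typo"}, "pfs_group": 14}
```

The checker only models the comparison; it does not connect to either device.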
Info
Channel: Managing Cisco Advanced Security
Views: 8,798
Keywords: fdm
Id: dEq80M6E3Og
Length: 15min 37sec (937 seconds)
Published: Wed Mar 22 2017