Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2.3

Step 1

Configure the site-to-site VPN connection on Site B, which hosts the directory
server.

  1. Click Device, then click View Configuration in the Site-to-Site VPN group.

  2. Click the + button.

  3. Configure the following options for Endpoint Settings.

    • Connection Profile Name—Enter a name, for example, SiteA (to indicate that
      the connection is to Site A).

    • Local Site—These options define the local endpoint.

      • Local VPN Access Interface—Select the outside interface (the one with the
        192.168.2.1 address in the diagram).

      • Local Network—Click + and select the network object that identifies the
        local network that should participate in the VPN connection. Because the
        directory server is on this network, it can participate in the site-to-site
        VPN. Assuming that the object does not already exist, click Create New
        Network and configure an object for the 192.168.1.0/24 network. After
        saving the object, select it in the drop-down list and click OK.

    • Remote Site—These options define the remote endpoint.

      • Remote IP Address—Enter 192.168.4.6, which is the IP address of the remote
        VPN peer's interface that will host the VPN connection.

      • Remote Network—Click + and select the network objects that identify the
        remote networks that should participate in the VPN connection. Click
        Create New Network, configure the following objects, then select them in
        the list.

        1. SiteAInside, Network, 192.168.3.0/24.

        2. SiteAInterface, Host, 192.168.4.6. This is key: you must include the
          remote access VPN connection point address as part of the remote network
          for the site-to-site VPN connection so that the RA VPN hosted on that
          interface can use the directory server.

    When you are finished, the endpoint settings should look like the following.

  4. Click Next.

  5. Define the privacy configuration for the VPN.

    For this use case, we assume you qualify for export-controlled features, which
    allows the use of strong encryption. Adjust these example settings to meet your
    needs and your license compliance.

    • IKE Version 2, IKE Version 1—Keep the defaults: IKE Version 2 enabled, IKE
      Version 1 disabled.

    • IKE Policy—Click Edit and enable AES-GCM-NULL-SHA and AES-SHA-SHA, and
      disable DES-SHA-SHA.

    • IPsec Proposal—Click Edit. In the Select IPSec Proposals dialog box, click +,
      then click Set Default to choose the default AES-GCM proposal.

    • Local Preshared Key, Remote Peer Preshared Key—Enter the keys defined on this
      device and on the remote device for the VPN connection. These keys can be
      different in IKEv2. The key can be 1-127 alphanumeric characters. Remember
      these keys, because you must configure the same strings when creating the
      site-to-site VPN connection on the Site A device.

    The IKE policy should look like the following.

  6. Configure the Additional Options.

    • NAT Exempt—Select the interface that hosts the inside network, in this
      example, the inside interface. Typically, you do not want traffic within a
      site-to-site VPN tunnel to have its IP addresses translated. This option
      works only if the local network resides behind a single routed interface
      (not a bridge group member). If the local network is behind more than one
      routed interface, or one or more bridge group members, you must manually
      create the NAT exempt rules. For information on manually creating the
      required rules, see Exempting Site-to-Site VPN Traffic from NAT.

    • Diffie-Hellman Group for Perfect Forward Secrecy—Select Group 19. This
      option determines whether to use Perfect Forward Secrecy (PFS) to generate
      and use a unique session key for each encrypted exchange. The unique session
      key protects the exchange from subsequent decryption, even if the entire
      exchange was recorded and the attacker has obtained the preshared or private
      keys used by the endpoint devices. For an explanation of the options, see
      Deciding Which Diffie-Hellman Modulus Group to Use.

    The options should look like the following.

  7. Click Next.

  8. Review the summary and click Finish.

    The summary information is copied to the clipboard. You can paste the
    information in a document and use it to help you configure the remote peer,
    or send it to the party responsible for configuring the peer.

  9. Click the Deploy Changes icon in the upper right of the web page.

  10. Click the Deploy Now button and wait for deployment to complete
    successfully.

    Now the Site B device is ready to host one end of the site-to-site VPN
    connection.

Step 2

Log out of the Site B device and log into the Site A device.

Step 3

Configure the site-to-site VPN connection on Site A, which will host the remote
access VPN.

  1. Click Device, then click View Configuration in the Site-to-Site VPN group.

  2. Click the + button.

  3. Configure the following options for Endpoint Settings.

    • Connection Profile Name—Enter a name, for example, SiteB (to indicate that
      the connection is to Site B).

    • Local Site—These options define the local endpoint.

      • Local VPN Access Interface—Select the outside interface (the one with the
        192.168.4.6 address in the diagram).

      • Local Network—Click + and select the network objects that identify the
        local networks that should participate in the VPN connection. Click Create
        New Network, configure the following objects, then select them in the
        list. Note that you created the same objects in the Site B device, but you
        have to create them again in the Site A device.

        1. SiteAInside, Network, 192.168.3.0/24.

        2. SiteAInterface, Host, 192.168.4.6. This is key: you must include the
          remote access VPN connection point address as part of the inside network
          for the site-to-site VPN connection so that the RA VPN hosted on that
          interface can use the directory server on the remote network.

    • Remote Site—These options define the remote endpoint.

      • Remote IP Address—Enter 192.168.2.1, which is the IP address of the remote
        VPN peer's interface that will host the VPN connection.

      • Remote Network—Click + and select the network object that identifies the
        remote network that should participate in the VPN connection, the one that
        includes the directory server. Click Create New Network and configure an
        object for the 192.168.1.0/24 network. After saving the object, select it
        in the drop-down list and click OK. Note that you created the same object
        in the Site B device, but you have to create it again in the Site A device.

    When you are finished, the endpoint settings should look like the following.
    Notice that the local/remote networks are flipped compared to the Site B
    settings. This is how the two ends of a point-to-point connection should
    always look.

  4. Click Next.

  5. Define the privacy configuration for the VPN.

    Configure the same IKE version, policy, and IPsec proposal, and the same
    preshared keys, as you did for the Site B connection, but make sure that you
    reverse the Local and Remote preshared keys.

    The IKE policy should look like the following.

  6. Configure the Additional Options.

    • NAT Exempt—Select the interface that hosts the inside network, in this
      example, the inside interface. Typically, you do not want traffic within a
      site-to-site VPN tunnel to have its IP addresses translated. This option
      works only if the local network resides behind a single routed interface
      (not a bridge group member). If the local network is behind more than one
      routed interface, or one or more bridge group members, you must manually
      create the NAT exempt rules. For information on manually creating the
      required rules, see Exempting Site-to-Site VPN Traffic from NAT.

    • Diffie-Hellman Group for Perfect Forward Secrecy—Select Group 19.

    The options should look like the following.

  7. Click Next.

  8. Review the summary and click Finish.

  9. Click the Deploy Changes icon in the upper right of the web page.

  10. Click the Deploy Now button and wait for deployment to complete
    successfully.

    Now the Site A device is ready to host the other end of the site-to-site VPN
    connection. Because Site B is already configured with compatible settings, the
    two devices should negotiate a VPN connection.

    You can confirm the connection by logging into the device CLI and pinging the
    directory server. You can also use the show ipsec sa command to view the
    session information.
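The endpoint settings in Steps 1 and 3 must mirror each other, and the SiteAInterface host must appear on both sides. The following added example (not Cisco's code) checks a pair of endpoint definitions for exactly that, using the page's addresses as constructed sample input; the key strings are placeholders.

```python
# Added example, not Cisco's code: a consistency check for the two ends of the
# site-to-site VPN from Steps 1 and 3, using the page's addresses as sample input.
from ipaddress import ip_address, ip_network


def as_networks(objects):
    """Network objects as the page defines them: a CIDR for a Network object,
    a bare address for a Host object (ip_network turns it into a /32)."""
    return {ip_network(o, strict=False) for o in objects}


def check_site_to_site(site_b, site_a, ra_vpn_address):
    """Return a list of findings; an empty list means the two ends are mirror
    images and the RA VPN connection point is carried inside the tunnel."""
    findings = []
    # Each side's Remote IP Address must be the other side's local VPN interface.
    if site_b["remote_peer"] != site_a["local_interface"]:
        findings.append("Site B remote peer != Site A local interface")
    if site_a["remote_peer"] != site_b["local_interface"]:
        findings.append("Site A remote peer != Site B local interface")
    # Local and remote networks must be flipped between the two sides.
    if as_networks(site_b["local_networks"]) != as_networks(site_a["remote_networks"]):
        findings.append("Site B local networks != Site A remote networks")
    if as_networks(site_b["remote_networks"]) != as_networks(site_a["local_networks"]):
        findings.append("Site B remote networks != Site A local networks")
    # Preshared keys may differ per direction in IKEv2, but each side's local key
    # must be the other side's remote key.
    if (site_b["local_psk"] != site_a["remote_psk"]
            or site_a["local_psk"] != site_b["remote_psk"]):
        findings.append("preshared keys are not reversed between the two sides")
    # The RA VPN connection point (Site A's outside address) has to be part of the
    # protected networks on both sides, or the RA VPN cannot reach the directory server.
    ra = ip_address(ra_vpn_address)
    if not any(ra in n for n in as_networks(site_a["local_networks"])):
        findings.append("RA VPN address missing from Site A local networks")
    if not any(ra in n for n in as_networks(site_b["remote_networks"])):
        findings.append("RA VPN address missing from Site B remote networks")
    return findings


# Constructed sample input with the page's addresses; the key strings are placeholders.
SITE_B = {"local_interface": "192.168.2.1", "local_networks": ["192.168.1.0/24"],
          "remote_peer": "192.168.4.6",
          "remote_networks": ["192.168.3.0/24", "192.168.4.6"],
          "local_psk": "siteB-key-placeholder", "remote_psk": "siteA-key-placeholder"}
SITE_A = {"local_interface": "192.168.4.6",
          "local_networks": ["192.168.3.0/24", "192.168.4.6"],
          "remote_peer": "192.168.2.1", "remote_networks": ["192.168.1.0/24"],
          "local_psk": "siteA-key-placeholder", "remote_psk": "siteB-key-placeholder"}

if __name__ == "__main__":
    print(check_site_to_site(SITE_B, SITE_A, "192.168.4.6") or "endpoints consistent")
```

Dropping the SiteAInterface host object from either side produces two findings, which is the failure mode the "This is key" notes warn about.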

Step 4

Configure the directory server on Site A. Click Test to verify that there is a
connection.

  1. Select Objects, then select Identity Realm from the table of contents.

  2. Click the + button.

  3. Configure the basic realm properties.

    • Name—A name for the directory realm. For example, AD.

    • Type—The type of directory server. Active Directory is the only supported
      type, and you cannot change this field.

    • Directory Username, Directory Password—The distinguished username and
      password for a user with appropriate rights to the user information you want
      to retrieve. For Active Directory, the user does not need elevated
      privileges. You can specify any user in the domain. The username must be
      fully qualified; for example, Administrator@example.com (not simply
      Administrator).

      Note

      The system generates ldap-login-dn and ldap-login-password from this
      information. For example, Administrator@example.com is translated as
      cn=administrator,cn=users,dc=example,dc=com. Note that cn=users is always
      part of this translation, so you must configure the user you specify here
      under the common name “users” folder.

    • Base DN—The directory tree for searching or querying user and group
      information, that is, the common parent for users and groups. For example,
      cn=users,dc=example,dc=com. For information on finding the base DN, see
      Determining the Directory Base DN.

    • AD Primary Domain— The fully qualified Active
      Directory domain name that the device should join. For example, example.com.

  4. Configure
    the directory server properties.

    • Hostname / IP Address—The hostname or IP address of the directory server.
      If you use an encrypted connection to the server, you must enter the
      fully-qualified domain name, not the IP address. For this example, enter
      192.168.1.175.

    • Port—The port number used for communications with
      the server. The default is 389. Use port 636 if you select LDAPS as the
      encryption method. For this example, keep 389.

    • Encryption—To use an encrypted connection for
      downloading user and group information. The default is
      None, which means that user and group information is
      downloaded in clear text. For RA VPN, you can use
      LDAPS, which is LDAP over SSL. Use port 636 if you
      select this option. RA VPN does not support STARTTLS. For this example, select
      None.

    • Trusted CA Certificate—If you select an encryption
      method, upload a Certificate Authority (CA) certificate to enable a trusted
      connection between the system and the directory server. If you are using a
      certificate to authenticate, the name of the server in the certificate must
      match the server Hostname / IP Address. For example, if you use 192.168.1.175
      as the IP address but ad.example.com in the certificate, the connection fails.

  5. Click the Test button to verify the system can contact the server.

    The system
    uses separate processes to access the server, so you might get errors
    indicating that the connection works for one type of use but not another, for
    example, available for Identity policies but not for remote access VPN. If the
    server cannot be reached, verify that you have the right IP address and host
    name, that the DNS server has an entry for the hostname, and so forth. Also,
    verify that the site-to-site VPN connection is working and that you included
    Site A’s outside interface address in the VPN, and that NAT is not translating
    traffic for the directory server. You might also need to configure a static
    route for the server.

  6. Click OK.
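The following added example (not Cisco's code) reproduces the ldap-login-dn translation described in the note above and checks the directory server properties against the rules in this step: LDAPS needs port 636 and an FQDN rather than an IP address, RA VPN does not support STARTTLS, and the server name in the certificate must match the configured host. The sample values are the page's own.

```python
# Added example, not Cisco's code: ldap-login-dn translation plus a check of the
# Directory Server properties against the rules the page states for RA VPN.
import ipaddress


def upn_to_login_dn(username):
    """Administrator@example.com -> cn=administrator,cn=users,dc=example,dc=com.
    cn=users is always inserted, as the page's translation shows; the cn is
    lower-cased to match the page's example output."""
    if username.count("@") != 1:
        raise ValueError("Directory Username must be fully qualified (user@domain)")
    user, domain = username.split("@")
    dcs = ",".join(f"dc={label}" for label in domain.split("."))
    return f"cn={user.lower()},cn=users,{dcs}"


def is_ip_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_directory_server(host, port, encryption, cert_server_name=None):
    """Return findings for the Directory Server properties; empty means OK.
    cert_server_name is the server name in the uploaded trusted certificate."""
    findings = []
    if encryption not in ("None", "LDAPS"):
        findings.append(f"{encryption}: RA VPN supports only None or LDAPS")
    if encryption == "LDAPS":
        if port != 636:
            findings.append("LDAPS requires port 636")
        if is_ip_address(host):
            findings.append("an encrypted connection requires the FQDN, not an IP address")
        if cert_server_name is None:
            findings.append("LDAPS requires a trusted CA certificate")
        elif cert_server_name.lower() != host.lower():
            findings.append(f"certificate name {cert_server_name} does not match {host}")
    elif encryption == "None" and port == 636:
        findings.append("port 636 is the LDAPS port; with Encryption None the default is 389")
    return findings


if __name__ == "__main__":
    print(upn_to_login_dn("Administrator@example.com"))
    print(check_directory_server("192.168.1.175", 389, "None") or "server settings OK")
```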

Step 5

Enable the RA VPN license.

Step 6

Configure the remote access VPN on Site A.

  1. Click Device, then click Setup Connection Profile in the Remote Access VPN
    group.

  2. Define the AnyConnect client configuration.

    • Connection Profile Name—The name for this connection, up to 50 characters
      without spaces. For example, MainOffice. You cannot use an IP address as the
      name.

      Note

      The name you enter here is what users will see in the connection list in the
      AnyConnect client. Choose a name that will make sense to your users.

    • AD Realm / Directory Server for User Authentication—Select the directory
      realm.

    • AnyConnect Packages—The AnyConnect full installation software images that
      you will support on this VPN connection. For each package, the filename,
      including extension, can be no more than 60 characters. You can upload
      separate packages for Windows, Mac, and Linux endpoints.

      Download the packages from software.cisco.com (there is a link to the right location at the end of the page). If the endpoint
      does not already have the right package installed, the system prompts the user to download and install the package after the
      user authenticates.

  3. Click Next.

  4. Define the device identity and client addressing configuration.

    • Certificate of Device Identity—Select DefaultInternalCertificate. This is
      the internal certificate used to establish the identity of the device.
      Clients must accept this certificate to complete a secure VPN connection. If
      you have a different certificate that you want to use, click Create New
      Internal Certificate in the drop-down list and upload it.

    • Outside Interface—Select outside, the one with the 192.168.4.6 IP address.
      This is the interface to which users connect when making the remote access
      VPN connection.

    • Fully-qualified Domain Name for the Outside Interface—The name of the
      interface, for example, ravpn.example.com. If you specify a name, the system
      can create a client profile for you. For this example, we will leave it
      blank.

      Note

      You are responsible for ensuring that the DNS servers used in the VPN and by
      clients can resolve this name to the outside interface's IP address. Add the
      FQDN to the relevant DNS servers.

    • IPv4, IPv6 Address Pools—These options define the address pools for the
      remote endpoints. For this example, select Create New Network in the IPv4
      address pool and create an object for the 172.18.1.0/24 network, then select
      the object. Clients are assigned an address from this pool. Leave the IPv6
      pool blank. The address pool cannot be on the same subnet as the IP address
      for the outside interface.

      The object should look like the following:

      The pool specification should look like the following:

    • Primary, Secondary DNS Servers—For this example, click the OpenDNS button to
      load these fields with the OpenDNS public DNS servers. RA VPN clients use
      these DNS servers for domain name resolution when connected to the VPN.
      Optionally, enter the IP addresses of your DNS servers.

    • Domain Search Name—Enter the domain name for your network, for example,
      example.com. This domain is added to hostnames that are not fully-qualified,
      for example, serverA instead of serverA.example.com.

  5. Click Next.

  6. Define the connection settings to customize AnyConnect client behavior.

    Keep the default settings for all options, as they are appropriate for most
    networks.

    Because NAT Exempt is selected, you need to configure the following options:

    • Inside Interfaces—Select the inside interface. These are the interfaces for
      the internal networks remote users will be accessing. NAT rules are created
      for these interfaces.

    • Inside Networks—Select the SiteAInside network object. These are the network
      objects that represent internal networks remote users will be accessing.

  7. Click Next.

  8. Review the summary.

    First, verify that the summary is correct.

    Then, click Instructions to see what end users need to do to initially install
    the AnyConnect software and test that they can complete a VPN connection.
    Click Copy to copy these instructions to the clipboard, and paste them in a
    text file or email.

  9. Click Finish.
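The following added example (not Cisco's code) checks the remote access VPN settings from this step against the constraints the page states: profile name length and format, AnyConnect package filename length, and an address pool that must not share the outside interface's subnet. The outside interface is assumed to be 192.168.4.6/24, since the page gives no prefix length; the package filename is a placeholder.

```python
# Added example, not Cisco's code: validates the Step 6 RA VPN settings against
# the rules the page states. The /24 on the outside interface is an assumption.
import ipaddress


def check_ra_vpn(profile_name, package_files, outside_interface, ipv4_pool):
    """Return findings; an empty list means the settings satisfy the page's rules."""
    findings = []
    # Connection Profile Name: up to 50 characters, no spaces, not an IP address.
    if not 1 <= len(profile_name) <= 50 or " " in profile_name:
        findings.append("profile name must be 1-50 characters with no spaces")
    try:
        ipaddress.ip_address(profile_name)
        findings.append("profile name cannot be an IP address")
    except ValueError:
        pass
    # AnyConnect package filenames, including extension, at most 60 characters.
    for name in package_files:
        if len(name) > 60:
            findings.append(f"package filename longer than 60 characters: {name}")
    # The address pool cannot be on the same subnet as the outside interface.
    iface = ipaddress.ip_interface(outside_interface)
    pool = ipaddress.ip_network(ipv4_pool, strict=False)
    if iface.network.overlaps(pool):
        findings.append(f"pool {pool} is on the outside interface subnet {iface.network}")
    return findings


if __name__ == "__main__":
    # Page values plus a placeholder package name; the interface prefix is assumed.
    print(check_ra_vpn("MainOffice", ["anyconnect-win-placeholder.pkg"],
                       "192.168.4.6/24", "172.18.1.0/24") or "RA VPN settings consistent")
```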

Step 7

Click the Deploy Changes icon in the upper right of the web page.

Step 8

Click the Deploy Now button and wait for deployment to complete successfully.

Now the Site A device is ready to accept RA VPN connections. Have an external
user install the AnyConnect client and complete a VPN connection.

You can confirm the connection by logging into the device CLI and using the
show vpn-sessiondb anyconnect command to view the session information.