Cisco ASA (Route Based)

Introduction

Welcome to our guide on setting up a Site-to-Site VPN tunnel between your Harmony SASE network and the Cisco ASA (Route-based) environment.

Breakdown of topics

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

Pre-requisites

To successfully follow this guide, ensure that:

1. An active Harmony SASE account and a configured network.
2. The Harmony SASE application is installed on your devices.
3. An active Cisco ASA (Route-based) setup with necessary administrative permissions.

   
   

Configuration Steps

Configuring an IPSec Tunnel in the Management Platform

1. In the Harmony SASE Management Console, open the Networks menu, and navigate to the network from which you want to create the tunnel to the Cisco ASA Firewall.
2. Select the three-dotted menu (...) and select Add Tunnel.
3. Select IPSec Site-2-Site Tunnel and select Continue.
4. Select Single Tunnel, and Click Continue.
   
5. In the General Settings section, fill in the following information:
   • Name: Choose whatever name you find suitable for the tunnel.
   • Shared Secret: Insert a string of your own or use Generate.
   • Public IP: Insert the public IP of the ASA device.
   • Remote ID: Insert the remote ID of the ASA device (this will be the same as Public IP unless the device is behind a NAT, then use the IP of the "outside" interface on the ASA.)
   • Harmony SASE Gateway Proposal Subnets: Leave Any (0.0.0.0/0) selected here.
   • Remote Gateway Proposal Subnets: Leave Any (0.0.0.0/0) selected here.
     
6. In the Advanced Settings section complete the following information:
   
   • IKE Version: IKEv2
   • IKE Lifetime: 8h
   • Tunnel Lifetime: 1h
   • Dead Peer Detection Delay: 10s
   • Dead Peer Detection Timeout: 30s
   • Encryption (Phase 1): aes256
   • Encryption (Phase 2): aes256
   • Integrity (Phase 1): sha512
   • Integrity (Phase 2): sha512
   • Diffie-Hellman Groups (Phase 1): 21
   • Diffie-Hellman Groups (Phase 2): 21
     
7. On your network select your three dots and click on Routes Table:
8.  Click the Add Route button on the top right, then on this popup fill out accordingly (Tunnel will match the name above, and Subnets will be the subnets you want to reach on the other side of the tunnel) and click the Add Route button:
9. Be sure to click Apply Configuration when done.
   

Configuring the tunnel in the ASA (CLI)

Do either CLI or ASDM (below), not both!

In this next part, please adjust the following values according to your unique site configurations: 

• outside - Your public-facing interface in the Cisco ASA.
• 131.226.X.X - Your Harmony SASE gateway IP.
• SuperSecret - Your Shared Secret for the tunnel.
• 10.255.0.0/16 - Your Harmony SASE network subnet range. (10.255.0.0/16 by default)

This document also makes the following assumptions about your device:

• You have never configured IKEv2 policies on this device. (policy 10)
• You have never enabled IKEv2 on the outside interface. (crypto ikev2 enable outside)

Steps:

1. SSH into your ASA with a privilege-15-level account and then enter enable mode.
2. Start by creating a tunnel profile and proposal(these will need to match the settings you configured on Harmony SASE):

   crypto ipsec ikev2 ipsec-proposal Tun-Prop
    protocol esp encryption aes-256
    protocol esp integrity sha-512
   
   crypto ipsec profile Tun-Prof
    set ikev2 ipsec-proposal Tun-Prop
    set pfs group21
    set security-association lifetime seconds 3600

3. Next, create a crypto policy (these will need to match the settings you configured on Harmony SASE):

   crypto ikev2 policy 10
    encryption aes-256
    integrity sha512
    group 21
    prf sha512
    lifetime seconds 28800
   crypto ikev2 enable outside

4. Select IPsec IKEv2 Tunnels and create a new tunnel, then fill in the following information:

   group-policy Tun-Grp-Pol internal
   group-policy Tun-Grp-Pol attributes
    vpn-tunnel-protocol ikev2
   
   tunnel-group 131.226.X.X type ipsec-l2l
   tunnel-group 131.226.X.X general-attributes
    default-group-policy Tun-Grp-Pol
   tunnel-group 131.226.X.X ipsec-attributes
    ikev2 remote-authentication pre-shared-key SuperSecret
    ikev2 local-authentication pre-shared-key SuperSecret

5. Create your Virtual Tunnel Interface (VTI). Please be sure to use the IP address in the text:

   interface Tunnel1
    nameif P81_131.226.X.X
    ip address 169.254.2.122 255.255.255.252
    tunnel source interface outside
    tunnel destination 131.226.X.X
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile Tun-Prof

6. Create a route back to the Harmony SASE subnet:

   route P81_131.226.X.X 10.255.0.0 255.255.0.0 169.254.2.121 1
   

Configuring the tunnel in the ASA (ASDM)

Do either CLI (above) or ASDM, not both!

Like the CLI configurations, please adjust the following values according to your unique site configurations: 

• outside - Your public-facing interface in the Cisco ASA.
• 131.226.X.X - Your Harmony SASE gateway IP.
• SuperSecret - Your Shared Secret for the tunnel.
• 10.255.0.0/16 - Your Harmony SASE network subnet range. (10.255.0.0/16 by default)

This document also makes the following assumptions about your device:

• You have never configured IKEv2 policies on this device. (policy 10)
• You have never enabled IKEv2 on the outside interface. (crypto ikev2 enable outside)

Steps:

1. Login to your device using ASDM.
2. Start by creating a tunnel profile and proposal (these will need to match the settings you configured on Harmony SASE). 
   • Click on Configuration > Site-to-site VPN > Advanced > IPsec Proposals (Transform Sets):
   • Add an IKEv2 IPsec Proposal by clicking the Add button under the IKE v2 IPsec Proposals section:
     

     Name: Tun-Prop
     Encryption:aes-256 Integrity
     Hash: sha-512

   • Add an IPsec Profile by clicking the Add under the IPsec Profile section:

     Name: Tun-Prop
     IKE v2 IPsec Proposal: Tun-Prof (use the same name as above under the IKEv2 IPsec Proposal, in our example Tun-Prop)
     Enable Security association lifetime: kilobytes (leave blank)
     seconds: 3600 PFS Settings: group21

3.  After that is done you should have a screen like this, click Apply and Save.
   
4. Next, make a crypto policy by navigating to Configuration > Site-to-Site VPN > Advanced > IKE Policies. These will need to match the settings you configured on Harmony SASE.
   • Add an IKE v2 Policy Proposal by clicking the Add button under the IKEv2 Policies:

     Priority: 10
     D-H Group: 21
     Encryption: AES-256
     Integrity Hash: sha512
     Pseudo-Random Function (PRF) Hash: sha512
     Lifetime: 28800 seconds

5. Navigate to Configuration > Site-to-Site VPN > Group Policies and click the Add button
   

   Name: Tun-Grp-Pol (this can be any name you want, but will be used in the next step)
   Tunneling Protocols: only select IPsec IKEv2

6.  Navigate to Configuration > Site-to-Site VPN > Advanced > Tunnel Groups and click the Add button:
   

   Text Name: 131.226.X.X (This should match the Harmony SASE Gateway IP)
   Group Policy Name: Tun-Grp-Pol (from the last step)
   Local Pre-Shared Key: SuperSecret (Same key as on Harmony SASE) 
   Remote Pre-Shared Key: SuperSecret (Same key as on Harmony SASE)
   

7.  Navigate to Configuration > Device Setup > Interface Settings > Interfaces and click the down by the Add button then select VTI Interface:
   • On the General tab:
     Text

     VTI ID: 1 
     Interface Name: P81_131.226.X.X
     IP Address: 169.254.2.122 255.255.255.252 (use this IP)
     Subnet Mask: 255.255.255.252 (use this mask)
     Description: Tunnel to Perimeter81 (Optional)

     
     
   • Click on the Advanced tab:
     
     Text

     Destination IP: 131.226.X.X (Harmony SASE Gateway IP
     Source Interface: outside (name of your outside interface)
     Tunnel Protection with Ipsec Profile: Tun-Prof
     Put a checkmark next to Enable Tunnel Mode IP overlay for Ipsec and select the Ipv4 radio button
     
     

     
     
8. Create a route back to the Harmony SASE subnet:
   1. Start by creating a Network Object for the Harmony SASE network by navigating to Configuration > Firewall > Objects > Network Objects/Groups then clicking the Add > Network Object button:

      Name: Perimeter81Network
      Type: Network
      IP Version: IPv4
      IP Address: 10.255.0.0 (make this the same as your Harmony SASE Network range)
      Netmask: 255.255.0.0 (or a /16 in CIDR notation, this should match with your Harmony SASE network as well)

   2. Next create a gateway object by navigating to Configuration > Firewall > Objects > Network Objects/Groups then clicking the Add > Network Object button:
      

      Name: P81Gateway
      Type: Host
      IP Version: IPv4
      IP Address: 169.254.2.121 (use this address)
      

      After these are created hit the Apply button.
   3. Finally navigate to Configuration > Device Setup > Routing > Static Routes then click the Add button:

      IP Address Type: IPv4
      Interface: P81_131.226.X.X (Same name as tunnel interface above)
      Network: Perimeter81Network (Use the 3 dots to select)
      Gateway IP: P81Gateway (Use the 3 dots to select)

Verifying the Setup

After following the above steps, your tunnel should be active.
To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.
It should indicate that the tunnel is "Up", signifying a successful connection.
Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.

Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

Support Contacts

If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.