Contents x
    Cisco Firepower
    • 03 Mar 2025
    • 3 Minutes to read
    • Contributors
      Contents

      Cisco Firepower

      • Updated on 03 Mar 2025
      • 3 Minutes to read
      • Contributors
        Article summary

        Introduction

        This guide helps you to set up a Site-to-Site VPN tunnel between Harmony SASE network and the Cisco Firepower device.

        Breakdown of topics

        1. Pre-requisites
        2. Configuration Steps
        3. Verifying the Setup
        4. Troubleshooting
        5. Support Contacts

        Pre-requisites

        1. Harmony SASE Administrator Portal account and a configured network.
        2. Make sure you have installed the Harmony SASE Agent on your device.
        3. Active and licensed Cisco Firepower device with necessary administrative permissions.

        Configuring IPsec Tunnel

        To configure an IPsec Tunnel, do these:

        1. Log in to the Harmony SASE Administrator Portal.
        2. Click Networks.
        3. Select the network from which you want to create the tunnel to the Cisco Firepower.
        4. Clickand select Add Tunnel.
        5. Select IPSec Site-2-Site Tunnel and click Continue.
        6. Select Single Tunnel and click Continue.
        7. In the General Settings section, enter these:
          • Name: Enter a name for the tunnel.
          • Shared Secret: Enter a string or click Generate.
          • Public IP: Enter the public IP of the Firepower device.
          • Remote ID: Enter the remote ID of the Firepower device (this is same as Public IP unless the device is behind a NAT, then use the IP of the "outside" interface on the Firepower.)
          • Harmony SASE Gateway Proposal Subnets: Leave Any (0.0.0.0/0) selected.
          • Remote Gateway Proposal Subnets: Leave Any (0.0.0.0/0) selected.
        8. In the Advanced Settings section, specify these:
          • IKE Version: IKEv2
          • IKE Lifetime: 8h
          • Tunnel Lifetime: 1h
          • Dead Peer Detection Delay: 10s
          • Dead Peer Detection Timeout: 30s
          • Encryption (Phase 1): aes256
          • Encryption (Phase 2): aes256
          • Integrity (Phase 1): sha256
          • Integrity (Phase 2): sha256
          • Diffie-Hellman Groups (Phase 1): 14
          • Diffie-Hellman Groups (Phase 2): 14
        9. On your network, click and select Routes Table.
        10. Click Add Route.
          The Add Route window appears.
        11. Verify the field values.
        12. Click Add Route.
        13. Click Apply Configuration.

        Configuring the Tunnel in Cisco Firepower

        1. Login to your Cisco Firepower web console.
        2. Select your device.
        3. Find your Site-to-Site VPN configuration and click View Configuration.
        4. Clickto create a Site-to-Site Connection.
        5. Specify these:
          1. In the Connection Profile Name field, enter a name for your connection.
          2. In the Type section, select Route Based (VTI).
          3. Expand Local VPN Access Interface, and click Create new Virtual Tunnel Interface.
            The Create Virtual Tunnel Interface window appears.
        6. Enter a name for your VTI adapter, for example, harmony_sase_vti. 
        7. Turn on the Status toggle button.
        8. Enter a Tunnel ID.
        9. Set the source to your outside interface. 
        10. Set the IP and Subnet Mask to 169.254.2.122 / 255.255.255.252
        11. Click OK.
        12. From the Create Virtual Tunnel Interface list, select the newly created VTI object.
        13. In the Remote IP Address field, enter your Harmony SASE gateway IP address (found in your Harmony SASE Admin Panel).
        14. Click Next.
        15. Make sure the IKE VERSION 2 is enabled.
        16. In the IKE Policy section, for Globally applied, click Edit.
        17. Create a new policy with the settings that match the Phase 1 settings on the Harmony SASE side. Specify these:
          • Priority
          • Name
          • State - Enable
          • Encryption: AES256
          • Diffie-Hellman Group: 14
          • Integrity Hash: SHA256
          • Pseudo Random Function (PRF) Hash: SHA256
          • Lifetime: 28800
        18. Click OK.
        19. Click Edit by IPSec Proposal.
        20. Click Create new IPSec Proposal.
        21. Specify these:
          • Name
          • Encryption: AES256
          • Integrity Hash: SHA256
            Note:
            Select the Encryption and Integrity Hash to match the Harmony SASE side for Phase 2. 
        22. Click OK.
        23. In the Authentication Type section, select Pre-shared Manual Key.
        24. In the Local Pre-shared Key and Remote Peer Pre-shared Key fields, enter the Pre-shared Key that you created on the Harmony SASE portal.
        25. In the Lifetime Duration field, enter 3600.
        26. In the Diffie-Hellman Group for Perfect Forward Secrecy field, enter 14.
        27. Click Next.
        28. Click Finish.
        29. Click to deploy changes to apply the new tunnel.

        Configuring the Static Route in the Cisco Firepower

        1. Select your device.
        2. In the Routing section, click View Configuration.
        3. Click to add a new static route.
          The Add Static Route window appears.
        4. In the Name field, enter a name for your static route.
        5. In the Description field, enter a description.
        6. From the Interface list, select the interface you created in Configuring the Tunnel in the Cisco Firepower step 6.
        7. In the Networks section, click .
        8. Click Create new Network.
          The Add Network Object window appears.
        9. Specify these:
          • Name
          • Description
          • Type - Network
          • Network - 10.255.0.0/16 (default)
        10. Click OK.
        11. In the Networks section, click .
        12. Select the object you just created.
        13. In the Gateway section, click Create new Network Object.
          The Add Network Object window appears.
        14. Specify these:
          • Name. For example, harmony_sase_vti_gateway
          • Description
          • Type - Host
          • Network - 169.254.2.121 (this is the corresponding side of your VTI adapter)
        15. Click OK.
          The new route is added.
        16.  Click  to deploy changes to apply the new route.

        Configuring Firepower Policies Allowing Traffic Flow

        To configure Cisco Firepower policies to allow traffic to flow:

        1. Go to Policies and click to add a new access rule.
        2. Configure either 1 bidirectional rule or 2 unidirectional rules.
          For example: Creating a single bidirectional rule.
          1. Enter an order number. Make sure this rule is not after a block rule that affects this traffic.
          2. Enter a title. For example, harmony_sase_allow.
          3. Set your Source zones and Networks.
          4. Add an entry for inside_zone and outside_zone.
          5. Add a network entry for your harmony_sase_network object.
          6. Repeat the same for the Destination.
        3. Click OK.

          Once you add the rule, the table should display:
        4. Click  to deploy changes to apply the new route.
        Was this article helpful?
        What's Next