
Route Based VPNs With Secure Firewall
BRKSEC-3058, Cisco Live 2023
Jeff Fanelli, Principal Architect (jefanell)
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Abstract

The complexity of SD-WAN and cloud-based VPN use cases means customers need more advanced VPN capabilities in their firewall platforms. This 90-minute breakout session details advanced use-case designs for Secure Firewall Threat Defense and ASA VTI (Virtual Tunnel Interface) based VPNs and the WAN routing protocols that go with them. Hub-and-spoke VPN, full-mesh VPN and SASE tunnel connectivity to Cisco Umbrella are covered, along with brief troubleshooting overviews.

Agenda

- VPN Technology Overview
- VPN Tunnel Interfaces
- Secure Firewall VPN Design
- Detailed CLI Walkthrough
- Firewall Management Center GUI Walkthrough
- Monitoring & Troubleshooting
- Conclusion

About the speaker

Principal Architect, 17 years at Cisco, 38+ Cisco Live presentations. Husband and father, private pilot, slave to three wiener dogs.

Platform names and abbreviations

    Product line name                       Software platform
    Cisco Secure Firewall ASA               Adaptive Security Appliance, "ASA"
    Cisco Secure Firewall Threat Defense    Firepower Threat Defense, "FTD"
    Catalyst 8000 Edge                      Internetwork Operating System, "IOS" (or IOS-XE)

VPN Technology Overview

Underlay & Overlay

(Diagrams: the VPN is an overlay network, the tunnels and the routing that runs over them, built on top of the underlay network that carries the encrypted packets between the peers.)

VPNs per platform (overlay IPsec VPNs)

                 Crypto Map   GRE over IPsec   EZVPN   VTI   DMVPN   FlexVPN
                              w/ Crypto Map
    IOS/IOS-XE   Yes          Yes              Yes     Yes   Yes     Yes
    ASA          Yes          No               Yes     Yes   No      No*
    FTD          Yes          No               Yes     Yes   No      No*

    * Limited integration is possible.

Slide callouts: the crypto-map style is not recommended; DMVPN and FlexVPN are IOS only; VTI is the focus of this session. The wider Cisco IPsec VPN family also includes tunnel-less encryption for site-to-site, any-to-any connectivity (GETVPN) and remote-access VPN; neither is covered here.

Crypto Map

- First implementation of IPsec VPNs used on Cisco devices.
- Traffic to be encrypted is defined by an ACL (the crypto ACL).
- Configuration nightmare: ACLs that do not mirror each other on the two peers, and every new subnet requires an ACL update on both sides.

    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key cisco123 address 172.16.1.1
    !
    crypto ipsec transform-set TS esp-aes esp-sha-hmac
     mode tunnel
    !
    ! crypto ACL; IOS ACLs take wildcard masks, the slide's "/24" is shorthand
    access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.20.0 0.0.0.255
    access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.30.0 0.0.0.255
    crypto map outside_map 10 ipsec-isakmp
     set peer 172.16.1.1
     set transform-set TS
     match address 110
    !
    interface GigabitEthernet0/0
     ip address 172.17.1.1 255.255.255.0
     crypto map outside_map

(The IKEv1 policy shown, DH group 2 and SHA-1, is the legacy baseline the slide illustrates, not a recommended cipher suite today.)

Dynamic Crypto Map

- Dynamically accepts the remote (initiating) peer's IP address.
- Any proposed traffic selector is accepted from an authenticated peer.
- DVTI replaces dynamic crypto maps as the dynamic hub-and-spoke method for establishing tunnels.

    crypto ipsec transform-set TS esp-aes esp-sha-hmac
     mode tunnel
    !
    crypto dynamic-map dynamic_map 10
     set transform-set TS
     reverse-route
    !
    crypto map outside_map 10 ipsec-isakmp dynamic dynamic_map
    !
    interface GigabitEthernet0/0
     ip address 172.17.1.1 255.255.255.0
     crypto map outside_map

VPN Tunnel Interfaces

Tunnel Interface

- A tunnel interface interconnects the underlay and overlay networks.
- Supports various encapsulation types: GRE IPv4/IPv6, native IPsec IPv4/IPv6.
- Main building block for IOS IPsec VPNs: mGRE (DMVPN), static/dynamic tunnels (FlexVPN); also supported on ASA/FTD.

IPsec Virtual Tunnel Interface

- Provides a virtual, routable interface for terminating IPsec tunnels.
- Simplifies the configuration of IPsec for protection of remote links.
- Supports multicast and simplifies network management (IOS only).
- The VTI tunnel is always up; no "interesting traffic" is needed to bring it up.

IPsec Tunnel Interface Types - Static

Static tunnel interface: the peer address is fixed in the configuration (diagram: Tu0 10.0.0.1 <-> Tu0 10.0.0.2).

    interface Tunnel1
     nameif tunnel-to-dc
     ! nameif is ASA/FTD only; ip unnumbered needs ASA 9.19+ / FTD 7.3+
     ip unnumbered Loopback1
     tunnel source GigabitEthernet2
     tunnel mode ipsec ipv4
     tunnel destination 10.0.0.2
     tunnel protection ipsec profile default

IPsec Tunnel Interface Types - Dynamic

Dynamic tunnel interface: the hub configures a Virtual-Template and a Virtual-Access interface is cloned from it for each spoke that connects (diagram: spoke Tu0 10.0.0.1 <-> hub VT1/VA1 10.0.0.2).

    interface Virtual-Template1 type tunnel
     nameif tunnel-to-dc
     ! nameif is ASA/FTD only; ip unnumbered needs ASA 9.19+ / FTD 7.3+
     ip unnumbered Loopback1
     tunnel source GigabitEthernet2
     tunnel protection ipsec profile default

The cloned Virtual-Access interface inherits the template, takes the connecting spoke's address as its tunnel destination and never initiates IKE itself:

    interface Virtual-Access1
     ip unnumbered Loopback1
     tunnel source GigabitEthernet2
     tunnel destination 10.0.0.1
     tunnel protection ipsec profile default
     no tunnel protection ipsec initiate

- Dynamic Virtual Tunnel Interfaces (DVTI) were introduced in ASA 9.19 and FTD 7.3.
- The Virtual-Access show command is only available in IOS.

IKEv2 Dynamic VTI Configuration (IOS)

Hub (Gi2 10.0.12.1/24, Virtual-Access 192.168.1.1/32, 10.0.1.0/24 behind it):

    crypto ikev2 authorization policy default
     route set remote ipv4 10.0.0.0 255.0.0.0
    !
    crypto ikev2 profile default
     match identity remote any
     authentication remote pre-share key cisco
     authentication local pre-share key cisco
     aaa authorization group psk list flex default local
     virtual-template 1
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback1
     ip ospf 1 area 1
     tunnel source GigabitEthernet2
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile default

Spoke (Gi2 10.0.23.2/24, Tunnel1 192.168.1.2/32, 10.0.2.0/24 behind it):

    crypto ikev2 authorization policy default
     route set remote ipv4 10.0.2.0 255.255.255.0
    !
    crypto ikev2 profile default
     match identity remote address 10.0.12.1
     authentication remote pre-share key cisco
     authentication local pre-share key cisco
     aaa authorization group psk list flex default local
    !
    interface Tunnel1
     ip address 192.168.1.2 255.255.255.255
     tunnel source GigabitEthernet2
     tunnel mode ipsec ipv4
     tunnel destination 10.0.12.1
     tunnel protection ipsec profile default
    !
    interface GigabitEthernet2
     ip address 10.0.23.2 255.255.255.0

The "route set remote" lines in the authorization policies are the routes each side hands to its peer through the IKEv2 config exchange; the hub's "match identity remote any" with a shared PSK is lab convenience, not a production peer policy.

IKEv2 Multi-SA Static VTI

- By default the traffic selector for an SVTI is any/any: one IPsec SA carries everything routed into the tunnel.
- From Cisco IOS XE 16.12.1 an ACL can be defined and associated with an SVTI; supported in ASA 9.19+ and FTD 7.3+.
- An IPsec SA is created for each non-any/any traffic selector, so multiple SAs are attached to one SVTI.

IKEv2 Multi-SA SVTI - Configuration

Router1 (Gi2 10.0.12.1/24, Tunnel1 192.168.1.1; 172.16.1.0/24 and 172.16.2.0/24 behind it):

    crypto ikev2 profile default
     match identity remote address 10.0.23.2
     authentication remote pre-share key cisco
     authentication local pre-share key cisco
     aaa authorization group psk list flex default local
    !
    crypto ipsec profile default
     reverse-route
    !
    ip access-list extended SVTI_ACL
     permit ip 172.16.1.0 0.0.0.255 172.30.3.0 0.0.0.255
     permit ip 172.16.2.0 0.0.0.255 172.30.4.0 0.0.0.255
    !
    interface Tunnel1
     ip address 192.168.1.1 255.255.255.252
     tunnel source GigabitEthernet2
     tunnel mode ipsec ipv4
     tunnel destination 10.0.23.2
     tunnel protection ipsec policy ipv4 SVTI_ACL
     tunnel protection ipsec profile default

Router2 (Gi2 10.0.23.2/24, Tunnel1 192.168.1.2; 172.30.3.0/24 and 172.30.4.0/24 behind it). Its ACL is the mirror image of Router1's:

    crypto ikev2 profile default
     match identity remote address 10.0.12.1
     authentication remote pre-share key cisco
     authentication local pre-share key cisco
     aaa authorization group psk list flex default local
    !
    crypto ipsec profile default
     reverse-route
    !
    ip access-list extended SVTI_ACL
     permit ip 172.30.3.0 0.0.0.255 172.16.1.0 0.0.0.255
     permit ip 172.30.4.0 0.0.0.255 172.16.2.0 0.0.0.255
    !
    interface Tunnel1
     ip address 192.168.1.2 255.255.255.252
     tunnel source GigabitEthernet2
     tunnel mode ipsec ipv4
     tunnel destination 10.0.12.1
     tunnel protection ipsec policy ipv4 SVTI_ACL
     tunnel protection ipsec profile default

The two ACLs must mirror each other exactly (source and destination swapped); a selector that the peer does not mirror fails its child SA negotiation, exactly the crypto-map problem this feature inherits. "reverse-route" in the IPsec profile installs static routes for the remote networks in the ACL pointing into the tunnel, which is what actually steers the traffic into the matching SA.

Secure Firewall VPN Design
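The two failure modes flagged above, a crypto-map ACL that is not mirrored on the peer and a multi-SA SVTI_ACL that diverges on one side, can be caught before the tunnel is ever negotiated. The following Python script is an added example, not code from the session: a small parser for IOS "permit ip" entries (wildcard masks, plus the "host" and "any" keywords) and a mirror-image comparison of two peers' selectors. The Router1/Router2 SVTI_ACL entries are the ones on the slide above; the third ACL, with one mistyped entry, is constructed for the demonstration.

```python
"""Mirror-image check for IPsec traffic selectors (crypto ACLs).

Added example, not from the Cisco Live deck. Parses IOS extended-ACL
'permit ip <src> <wc> <dst> <wc>' entries (wildcard masks, 'host', 'any')
and reports the selectors that the other peer does not mirror.
"""
import ipaddress


def _wildcard_to_network(addr, wildcard):
    """Convert 'addr wildcard' (IOS wildcard = inverted mask) to an IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = ~w & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        # discontiguous wildcards are legal in ACLs but cannot be a traffic selector
        raise ValueError(f"wildcard {wildcard} is not a contiguous prefix mask")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _parse_address(tokens):
    """Consume one address spec from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acl(text):
    """Return the set of (src_net, dst_net) selectors from the permit-ip entries."""
    selectors = set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():          # optional sequence number
            tokens = tokens[1:]
        if tokens[:2] != ["permit", "ip"]:          # header, remark, deny, non-ip
            continue
        src, rest = _parse_address(tokens[2:])
        dst, _ = _parse_address(rest)
        selectors.add((src, dst))
    return selectors


def mirror_mismatches(local_acl, remote_acl):
    """Selectors each side defines that the other side does not mirror.

    Returns (only_local, only_remote) as sorted lists of (src, dst) tuples;
    both empty means the two ACLs are exact mirror images.
    """
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    mirrored_remote = {(dst, src) for (src, dst) in remote}
    mirrored_local = {(dst, src) for (src, dst) in local}
    return (sorted(local - mirrored_remote, key=str),
            sorted(remote - mirrored_local, key=str))


# SVTI_ACL on Router1 and Router2 as shown on the slide
ROUTER1_ACL = """\
ip access-list extended SVTI_ACL
 permit ip 172.16.1.0 0.0.0.255 172.30.3.0 0.0.0.255
 permit ip 172.16.2.0 0.0.0.255 172.30.4.0 0.0.0.255
"""
ROUTER2_ACL = """\
ip access-list extended SVTI_ACL
 permit ip 172.30.3.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.30.4.0 0.0.0.255 172.16.2.0 0.0.0.255
"""
# Constructed for this example: Router2 with the second entry mistyped (172.30.5.0)
ROUTER2_ACL_TYPO = """\
ip access-list extended SVTI_ACL
 permit ip 172.30.3.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.30.5.0 0.0.0.255 172.16.2.0 0.0.0.255
"""

if __name__ == "__main__":
    print("slide ACLs:", mirror_mismatches(ROUTER1_ACL, ROUTER2_ACL))
    print("typo ACLs: ", mirror_mismatches(ROUTER1_ACL, ROUTER2_ACL_TYPO))
```

Feed it the running configuration of both peers (the "ip access-list" block on IOS, or the crypto ACL referenced by "match address" on a crypto map) and fix any pair it reports before looking at IKE debugs; the same check applies to the legacy crypto-map ACL earlier in the deck, whose three entries must appear reversed on the 172.16.1.1 peer.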

New ASA and FTD capabilities

VPN features from ASA 9.7 and FTD 6.7 forward:
- Static VTI tunnels
- BGP routing support
- Per-peer IKEv2 custom identity attributes (FTD 7.1)

New in ASA 9.19 / FTD 7.3:
- Loopback interfaces
- IKEv2 config exchange for sharing the peer's interface IP (simplifies BGP peering)
- Dynamic VTI support on ASA/FTD for the VPN "hub" role (IOS can also be the hub)

The configurations shown are ASA CLI; the configuration FTD deploys is identical.

Example design requirements and assumptions

- Scaled deployment, hub-and-spoke topology
- Security provided by cryptographically protected tunnels
- Headend redundancy with 15-second convergence
- Branches can include ASA and FTD

Single/double hub-and-spoke design using VTI

- Hubs can be IOS, ASA 9.19+ or FTD 7.3+.
- For Secure Firewall hubs: use a separate VPN topology configuration for each VPN hub; a backup hub can be configured for each topology.
- 1024 maximum spokes per hub.
- A routing protocol is required.
(Diagram: Spoke1 and Spoke2 are members of both Hub-Spoke Topology 1 with Hub1 and Hub-Spoke Topology 2 with Hub2.)

Single DVTI hub design with 3 SVTI spokes (details)

ASA 9.19+ or FTD 7.3+. VTI addresses: Hub1 1.0.1.1/32, Spoke1 1.0.1.2/32, Spoke2 1.0.1.3/32, Spoke3 1.0.1.4/32.

Requirements:
1. "Nailed-up" spoke connections to the hub.
2. Any spoke can talk to all other hub and spoke networks.
3. Loopbacks are used for the spoke VTI IP addresses.
4. Loopbacks can ping each other for validation.

Hub firewall configuration (ASA or FTD)

    interface Loopback1
     nameif loopback1
     ip address 1.0.1.1 255.255.255.255
    !
    interface Virtual-Template1 type tunnel
     nameif management_dynamic_vti_1
     ip unnumbered loopback1
     tunnel source interface outside
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile FMC_IPSEC_PROFILE_1
    !
    crypto ipsec ikev2 ipsec-proposal CSM_IP_1
     protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
     protocol esp integrity null
    crypto ipsec profile FMC_IPSEC_PROFILE_1
     set ikev2 ipsec-proposal CSM_IP_1
    !
    tunnel-group 38.x.x.83 ipsec-attributes
     virtual-template 1
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
     ikev2 route set interface
    !
    router bgp 65000
     address-family ipv4 unicast
      neighbor 1.0.1.2 remote-as 65002
      neighbor 1.0.1.2 ebgp-multihop 2
      neighbor 1.0.1.2 transport path-mtu-discovery disable
      neighbor 1.0.1.2 activate
      network 1.0.1.0 mask 255.255.255.0
      redistribute static
     exit-address-family

Notes on the hub configuration:
- BGP on ASA/FTD needs a neighbor entry for every ASA/FTD/IOS peer (no peer-group support); only the Spoke1 neighbor, 1.0.1.2 in AS 65002, is shown.
- Crypto proposals must match on both ends.
- The spoke's tunnel-group name must match what the peer presents as its IKEv2 identity (the default L2L tunnel-group can also be used for dynamic spokes).
- New: loopback interfaces with a /32 mask, and Virtual-Template (DVTI) support for the hub role on ASA/FTD.
- "ikev2 route set interface" lets the hub learn each spoke's VTI IP via the IKEv2 config exchange (new); those addresses show up as "V" routes, and "redistribute static" puts them into BGP.
(The public addresses 38.x.x.81 and 38.x.x.83 are redacted on the slides.)

Static spoke using a loopback - ASA 9.19.1+ / FTD 7.3+

    interface Loopback1
     nameif loopback1
     ip address 1.0.1.2 255.255.255.255
    !
    tunnel-group 38.x.x.81 type ipsec-l2l
    tunnel-group 38.x.x.81 general-attributes
     default-group-policy .DefaultS2SGroupPolicy
    tunnel-group 38.x.x.81 ipsec-attributes
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
     ikev2 route set interface
    !
    crypto ipsec ikev2 ipsec-proposal CSM_IP_1
     protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
     protocol esp integrity null
    crypto ipsec profile FMC_IPSEC_PROFILE_1
     set ikev2 ipsec-proposal CSM_IP_1
    !
    interface Tunnel1
     nameif management_static_vti_1
     ip unnumbered loopback1
     tunnel source interface outside
     tunnel destination 38.x.x.81
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile FMC_IPSEC_PROFILE_1
    !
    router bgp 65002
     bgp log-neighbor-changes
     bgp router-id 1.0.1.2
     bgp router-id vrf auto-assign
     address-family ipv4 unicast
      neighbor 1.0.1.1 remote-as 65000
      neighbor 1.0.1.1 ebgp-multihop 2
      neighbor 1.0.1.1 transport path-mtu-discovery disable
      neighbor 1.0.1.1 activate
      no auto-summary
      no synchronization
     exit-address-family

Notes on the spoke configuration:
- Loopback support, including /32 masks, and "ip unnumbered" on tunnel interfaces.
- Each spoke must have a unique AS so that eBGP shares routes between the hub and all spokes: a spoke drops any route whose AS_PATH already carries its own AS, so two spokes in the same AS would never learn each other's networks through the hub.
- "ebgp-multihop 2" is required for BGP to peer between the loopbacks, because the loopback-to-tunnel-to-peer path is two hops.
- IKEv2 route learning of the peer's VTI address ("ikev2 route set interface").

Spoke ASA configuration pre-ASA 9.19.1 / FTD 7.3 (Spoke2 in the dual-hub diagram below)

Without IKEv2 routing the spoke needs a VTI address of its own, a static route to each hub's tunnel address over the right VTI, and iBGP sessions to both hubs.

    hostname Spoke2
    domain-name Spoke2
    !
    ! IKE identity
    crypto isakmp identity hostname
    !
    ! IKEv2 and IPsec algorithms
    crypto ikev2 policy 10
     encryption aes-256
     integrity sha384
     group 19
     prf sha384
    crypto ikev2 enable outside
    !
    crypto ipsec ikev2 ipsec-proposal IPSEC_PROP
     protocol esp encryption aes
     protocol esp integrity sha-1
    !
    crypto ipsec profile VTI
     set ikev2 ipsec-proposal IPSEC_PROP
    !
    ! pre-shared keys, one tunnel-group per hub
    tunnel-group 10.0.0.253 type ipsec-l2l
    tunnel-group 10.0.0.253 ipsec-attributes
     ikev2 remote-authentication pre-shared-key cisco
     ikev2 local-authentication pre-shared-key cisco
    !
    tunnel-group 10.0.0.254 type ipsec-l2l
    tunnel-group 10.0.0.254 ipsec-attributes
     ikev2 remote-authentication pre-shared-key cisco
     ikev2 local-authentication pre-shared-key cisco
    !
    ! primary tunnel
    interface Tunnel1
     nameif VTI
     ip address 172.16.1.5 255.255.255.254
     tunnel source interface outside
     tunnel destination 10.0.0.253
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile VTI
    !
    ! secondary tunnel
    interface Tunnel2
     nameif VTI2
     ip address 172.16.1.7 255.255.255.254
     tunnel source interface outside
     tunnel destination 10.0.0.254
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile VTI
    !
    ! static routes to the hub tunnel addresses, instead of IKEv2 routing
    route VTI 172.16.1.253 255.255.255.255 172.16.1.253 1
    route VTI2 172.16.1.254 255.255.255.255 172.16.1.254 1
    !
    router bgp 65000
     timers bgp 5 15 0
     address-family ipv4 unicast
      neighbor 172.16.1.253 remote-as 65000
      neighbor 172.16.1.253 activate
      neighbor 172.16.1.254 remote-as 65000
      neighbor 172.16.1.254 activate
      redistribute connected

Spoke router configuration - IOS example (Spoke1)

Topology: Hub1 (underlay 10.0.0.253, tunnel address 172.16.1.253) and Hub2 (10.0.0.254, 172.16.1.254); Spoke1 is a router at 10.0.0.1 with 192.168.101.0/24 behind it, Spoke2 an ASA at 10.0.0.2, Spoke3 an FTD; the diagram also shows 192.168.102.0/24 and 192.168.103.0/24 behind the other two spokes. Every spoke has a primary tunnel to Hub1 and a secondary tunnel to Hub2.

    crypto ikev2 profile default
     match identity remote fqdn domain hub
     identity local fqdn Spoke1.router
     ! the pre-shared keys are not shown on the slide
     authentication local pre-share key
     authentication remote pre-share key
     aaa authorization group psk list FlexVPN default local
    !
    interface Tunnel101
     ip unnumbered Loopback101
     tunnel source GigabitEthernet2
     tunnel destination 10.0.0.253
     tunnel protection ipsec profile default
    !
    interface Tunnel102
     ip unnumbered Loopback101
     tunnel source GigabitEthernet2
     tunnel destination 10.0.0.254
     tunnel protection ipsec profile default
    !
    router bgp 65000
     timers bgp 5 15
     neighbor 172.16.1.253 remote-as 65000
     neighbor 172.16.1.254 remote-as 65000
     !
     address-family ipv4
      network 192.168.101.0 mask 255.255.255.0

The reduced BGP timers (5-second keepalive, 15-second hold time) are what gives the faster failover between hubs that the design's 15-second convergence requirement asks for. One check on this IOS example: neither the spoke tunnels nor the hub Virtual-Template shown later carry "tunnel mode ipsec ipv4", so IOS would default to GRE over IPsec, which an ASA/FTD VTI cannot negotiate (the platform table shows no GRE over IPsec on ASA/FTD); an IOS hub terminating firewall spokes needs that line on its Virtual-Template.

Considerations for different VPN spoke types

- Firewall Management Center always configures the most specific spoke configuration it can.
- Spokes with a static IP address get spoke-specific crypto peer settings on the hub (with or without a NAT IP configured). The examples in this session use static IPs.
- DHCP-addressed peers are configured to connect to the default "L2L" tunnel-group.
- FMC redeploys all spokes on any spoke add or change (to be addressed in 7.6); there is no outage on a spoke redeploy.

Dual hub considerations

- Use two VPN topologies in Firewall Management Center, one per hub.
- The same loopback interface on a spoke can be used for both SVTI tunnel configurations.
- Use separate BGP AS numbers for each topology.
(Diagram: Spoke1 and Spoke2 belong to Hub-Spoke Topology 1 with Hub1 and Hub-Spoke Topology 2 with Hub2.)

Firewall Management Center GUI

Hub device interface configuration
- The "Virtual Template" interface is created by the VPN topology configuration.
- The Virtual Template interface must "borrow" the loopback address (recommended).
- The Virtual Template is used to create ephemeral VTI interfaces as spokes connect.

Spoke configuration (with borrowed IP from a loopback)
- Create the loopback interface first.
- The SVTI interface in the VPN topology can "borrow" this IP address (recommended, requires 7.3).

Hub DVTI Virtual-Template interface configuration
- Create the loopback interface first.
- Borrow the IP from the loopback (required for DVTI).

Site-to-site VPN topology with DVTI
- Unmanaged/external firewalls can be referenced in topologies.
- A routing protocol is required on member devices to share routes.
- Hub and spoke VTI interface routes are shared via IKE.

Site-to-site VPN dual topologies
- The same spokes appear in two separate hub topologies.
- The routing protocol is used to prioritize path selection (not shown).

Site-to-site VPN topology settings
- The default IKEv2 settings are recommended.
- The deployed CLI configuration is viewable from Devices > Threat Defense CLI.
- Use the same settings on ASA platforms for mixed deployments.

Hub routing table example
- "V" routes are shared by IKEv2 (only the VTI interface routes).
- You can ping between VTI interfaces for testing.
- Branch routes should be shared via a routing protocol (BGP etc.).
(Diagram: Hub1 Virtual-Template1 1.1.1.1/32, Spoke1 Tunnel1 1.1.1.2/32, Spoke2 Tunnel2 1.1.1.3/32.)

BGP configuration - hub notes
- Advertise the "supernet" (e.g. 1.0.1.0/24) that all spoke VTI tunnels are sourced from, so spokes can ping each other.
- Also redistribute static routes on the hub so the IKEv2 "V" routes learned from the spokes get advertised out.

BGP configuration - hub and spokes
- Set the TTL hop count ("ebgp-multihop") to at least 2 when using an IP borrowed from a loopback interface (best practice): loopback -> tunnel -> VPN peer is 2 hops.

Hub and spoke tunnel and route propagation flow
1. Spokes (SVTI interfaces) build their connection to the hub; the hub's DVTI template creates an interface for each spoke.
2. Hub and spokes exchange their tunnel IP addresses with each other (shown as "V" routes in the respective routing tables).
3. eBGP neighbor relationships form between each spoke and the hub (unique AS per spoke and hub).
4. The hub learns the networks advertised from behind each spoke.
5. Spokes learn all other spoke routes advertised from the hub, plus any other networks behind the hub.

Single DVTI hub design with 3 SVTI spokes - resulting routing tables (ASA 9.19+ / FTD 7.3+)

Hub1 1.0.1.1/32; Spoke1 1.0.1.2/32; Spoke2 1.0.1.3/32; Spoke3 1.0.1.4/32 with 192.168.51.64/26 directly connected behind it. The slides build this up one spoke at a time: each spoke builds its VTI tunnel to the hub, exchanges IKEv2 VTI routes, peers BGP and exchanges BGP routes.

Spoke 1 learned routes:
    V 1.0.1.1 255.255.255.255 connected by VPN
    B 1.0.1.3 255.255.255.255 [20/0] via 1.0.1.1
    B 1.0.1.4 255.255.255.255 [20/0] via 1.0.1.1
    B 192.168.51.64 255.255.255.192 [20/0] via 1.0.1.1

Spoke 2 learned routes:
    V 1.0.1.1 255.255.255.255 connected by VPN
    B 1.0.1.2 255.255.255.255 [20/0] via 1.0.1.1
    B 1.0.1.4 255.255.255.255 [20/0] via 1.0.1.1
    B 192.168.51.64 255.255.255.192 [20/0] via 1.0.1.1

Spoke 3 learned routes + connected:
    V 1.0.1.1 255.255.255.255 connected by VPN
    B 1.0.1.2 255.255.255.255 [20/0] via 1.0.1.1
    B 1.0.1.3 255.255.255.255 [20/0] via 1.0.1.1
    C 192.168.51.64 255.255.255.192 is directly connected

Hub learned routes:
    V 1.0.1.2 255.255.255.255 connected by VPN
    V 1.0.1.3 255.255.255.255 connected by VPN
    V 1.0.1.4 255.255.255.255 connected by VPN
    B 192.168.51.64 255.255.255.192 [20/0] via 1.0.1.4

Every spoke-to-spoke and spoke-to-LAN route points at the hub's VTI address 1.0.1.1: spoke-to-spoke traffic hairpins through the hub, since this design builds no direct spoke-to-spoke tunnels, and the hub's access control policy therefore sees all of it.
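The five-step flow and the routing tables it produces can be replayed in a few lines. The following Python script is an added example, not from the deck: a minimal model of the single-DVTI-hub design in which the hub installs the IKEv2-learned V routes, redistributes them into BGP and re-advertises every spoke's prefixes to the other spokes over eBGP. The addresses are the slide's (hub 1.0.1.1, spokes 1.0.1.2 to 1.0.1.4, 192.168.51.64/26 behind Spoke3); the AS numbers 65003 and 65004 for Spoke2 and Spoke3 are assumed (the slides show only 65000 for the hub and 65002 for Spoke1), and the 1.0.1.0/24 supernet is left out because the slide's tables do not list it. The model implements the one eBGP rule the design depends on, dropping an UPDATE whose AS_PATH already contains the receiver's AS, which is what the "unique AS per spoke" requirement is about: run with all spokes in the same AS, Spoke1 never learns the network behind Spoke3.

```python
"""Replay of the hub-and-spoke tunnel and route propagation flow.

Added example, not from the Cisco Live deck. Minimal model of the IKEv2
'route set interface' exchange, the hub's 'redistribute static', and eBGP
with AS_PATH loop prevention. Spoke2/Spoke3 AS numbers are assumed; the
1.0.1.0/24 supernet advertisement is omitted.
"""
from dataclasses import dataclass, field

HUB_AS = 65000


@dataclass
class Router:
    name: str
    asn: int
    vti_ip: str                                    # /32 loopback borrowed by the VTI
    connected: list = field(default_factory=list)  # LAN prefixes behind the router
    rib: dict = field(default_factory=dict)        # prefix -> (code, via, as_path)

    def install(self, prefix, code, via, as_path=()):
        self.rib[prefix] = (code, via, tuple(as_path))


def run_hub_spoke(hub, spokes, ebgp_loop_check=True):
    """Steps 1-5 of the deck's flow; fills every router's RIB in place."""
    # Steps 1-2: the SVTI -> DVTI tunnel comes up and 'ikev2 route set interface'
    # gives each side the peer's VTI /32 as a 'V ... connected by VPN' route.
    for s in spokes:
        hub.install(f"{s.vti_ip}/32", "V", "connected by VPN")
        s.install(f"{hub.vti_ip}/32", "V", "connected by VPN")
        s.install(f"{s.vti_ip}/32", "C", "directly connected")
        for p in s.connected:
            s.install(p, "C", "directly connected")
    # Steps 3-4: eBGP over the V routes (ebgp-multihop 2). Each spoke advertises
    # its LANs with AS_PATH [spoke AS]; the hub installs them as B routes.
    hub_adverts = {}                               # prefix -> AS_PATH the hub sends
    for s in spokes:
        for p in s.connected:
            hub.install(p, "B", s.vti_ip, [s.asn])
            hub_adverts[p] = [HUB_AS, s.asn]       # hub prepends its own AS
        # 'redistribute static' on the hub puts the spoke's V route into BGP
        hub_adverts[f"{s.vti_ip}/32"] = [HUB_AS]
    # Step 5: the hub sends every prefix to every spoke. C and V routes win over
    # eBGP (AD 20); with loop checking on, a spoke drops any UPDATE whose
    # AS_PATH already contains its own AS (standard eBGP behaviour).
    for s in spokes:
        for p, path in hub_adverts.items():
            if p in s.rib and s.rib[p][0] in ("C", "V"):
                continue
            if ebgp_loop_check and s.asn in path:
                continue
            s.install(p, "B", hub.vti_ip, path)
    return hub, spokes


def learned_routes(router):
    """Routes learned from peers (own loopback and LANs excluded), slide style."""
    own = {f"{router.vti_ip}/32", *router.connected}
    return [f"{code} {p} via {via}" if code == "B" else f"{code} {p} {via}"
            for p, (code, via, _) in sorted(router.rib.items())
            if p not in own]


def build_topology(unique_as=True):
    """The deck's single-DVTI-hub design with three SVTI spokes."""
    hub = Router("Hub1", HUB_AS, "1.0.1.1")
    asns = [65002, 65003, 65004] if unique_as else [65002, 65002, 65002]
    spokes = [
        Router("Spoke1", asns[0], "1.0.1.2"),
        Router("Spoke2", asns[1], "1.0.1.3"),
        Router("Spoke3", asns[2], "1.0.1.4", connected=["192.168.51.64/26"]),
    ]
    return run_hub_spoke(hub, spokes)


if __name__ == "__main__":
    hub, spokes = build_topology()
    for r in [hub, *spokes]:
        print(f"{r.name} (AS {r.asn}) learned routes:")
        for line in learned_routes(r):
            print("   ", line)
    _, same_as = build_topology(unique_as=False)
    print("all spokes in AS 65002, Spoke1 learned:", learned_routes(same_as[0]))
```

With unique AS numbers the model reproduces the four tables above line for line; with every spoke in AS 65002 the /32 V routes still arrive (the hub originates them with AS_PATH 65000 only) but 192.168.51.64/26 carries AS_PATH 65000 65002 and is silently dropped by Spoke1, which is the symptom you would see on a misconfigured spoke: the tunnel and the BGP session are up, the loopbacks ping, and the remote LAN is missing.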

Firewall policy considerations

- You must assign your tunnel interfaces to a zone (e.g. VTI-Zone).
- Use this zone in your Access Control Policy like any other interface zone for traffic control and inspection.
- Interface Path Monitoring is compatible with VTI tunnels; it is best used for application-based PBR. Use a routing protocol (e.g. BGP) for standard path redundancy.

Automated SASE tunnels to Cisco Umbrella

Automated deployment of SASE/SSE tunnels
- FMC automates tunnel deployment for all spokes in one simple topology.
- The wizard uses direct IP numbering of the VTI interface, but the loopback method can be configured if desired.
- The global Umbrella data center list is populated from the Umbrella API.
- FMC performs the tunnel creation on the Umbrella side via API automation; the Umbrella-side tunnel configuration is performed at the end of the SASE tunnel wizard, before the tunnel configurations are deployed to the firewalls.
- The Umbrella API key is configured in FMC; a Test Connection button validates the input.
- Umbrella SASE tunnel configuration and monitoring is unified with the standard WAN configurations, and a button re-deploys the Umbrella-side tunnel configuration.

Umbrella SASE tunnel considerations
- Policy Based Routing (PBR) is the best practice for creating default or application-specific routes to Umbrella.
- Monitor the IP of an Internet resource, not the Umbrella infrastructure.
- Umbrella tunnels are inherently redundant (BGP anycast is used to advertise the data center head-end IP addresses).
- SASE tunnel status screen in the Umbrella dashboard: by default all RFC 1918 addresses are accepted on the Umbrella side of the tunnel; edit there to add additional networks. The screen also shows the redundant tunnel configuration data, traffic statistics etc.

Monitoring & Troubleshooting

- Site-to-site monitoring in 7.4 (FMC screenshots).
- VPN Packet Tracer in 7.3: policy and data-plane tests for traffic across VTI tunnels. Not supported from loopback or VTI interfaces; run it from data interfaces only.
- CLI configuration to onboard FTDv: allows management on the outside interface for cdFMC connectivity. Physical firewalls offer "Low Touch Provisioning" to cdFMC based on serial number; virtual firewalls offer CLI provisioning, using "configure network management-data-interface" to manage the firewall on the outside interface.

Conclusions

DOs for ASA/FTD VPNs:
- Use VTI interfaces for all site-to-site tunnels (including cloud IaaS).
- Use ASA 9.19+ or FTD 7.3+ for DVTI hub support.
- Use a routing protocol for DVTI hub-and-spoke topologies; SVTI-to-SVTI tunnels can be statically routed.
- Scalable hub-and-spoke VPNs for up to 1,000 sites.

DON'Ts for ASA/FTD VPNs:
- Don't forget to lock down the tunnel interface(s) with an Access Control List (ASA) or Access Control Policy (FTD).
- Don't forget to lock down the IPsec profiles for peers with complex, unique pre-shared keys and/or additional unique IKE identifiers.


104、s reserved.Cisco Public#CiscoLivecrypto ikev2 profile firewallmatch identity remote fqdn domain firewall authentication remote pre-share key cisco authentication local pre-share key ciscoaaa authorization group psk list FlexVPN name-mangler extract-host virtual-template 1 mode autono config-exchange

105、 requestHubs IKEv2 profile selectionSpoke1.routercrypto ikev2 profile routermatch identity remote fqdn domain router authentication remote pre-share key cisco authentication local pre-share key ciscoaaa authorization group psk list FlexVPN name-mangler extract-domain virtual-template 1 mode autoHub1

Spoke2.firewall

  crypto ikev2 authorization policy router
   route set interface

  crypto ikev2 authorization policy Spoke2
   route set local ipv4 172.16.1.5 255.255.255.255

Required only if we want to terminate ASA/FTD versions pre 9.19/7.3, because they do not support IKEv2 config exchange. *VTI for FTD on 6.7 roadmap.

  crypto ikev2 name-mangler extract-domain
   fqdn domain

  crypto ikev2 name-mangler extract-host
   fqdn hostname

Store it on an external AAA server.

Hub router configuration - with PBR

  aaa new-model
  aaa authorization network FlexVPN local
  !
  access-list 123 permit ip 192.168.0.0 0.0.255.255 any
  !
  route-map FW permit 10
   match ip address 123
   set ip next-hop 172.16.254.254
  !
  crypto ikev2 profile router
   match identity remote fqdn domain router
   authentication remote pre-share key cisco
   authentication local pre-share key cisco
   aaa authorization group psk list FlexVPN name-mangler extract-domain
   virtual-template 1 mode auto
  !
  crypto ikev2 profile firewall
   match identity remote fqdn domain firewall
   authentication remote pre-share key cisco
   authentication local pre-share key cisco
   aaa authorization group psk list FlexVPN name-mangler extract-domain
   virtual-template 1 mode auto
   no config-exchange request
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback1
   ip policy route-map FW
   tunnel protection ipsec profile default
  !
  router bgp 65000
   bgp listen range 172.16.1.0/24 peer-group Flex
   bgp listen limit 10000
   timers bgp 5 15
   neighbor Flex peer-group
   neighbor Flex remote-as 65000
   !
   address-family ipv4
    redistribute connected
    neighbor Flex activate
    neighbor Flex route-reflector-client
    neighbor Flex next-hop-self all
   exit-address-family

Callouts: PBR; iBGP with listen range; separate IKEv2 profiles for routers and firewalls.

Interface and routing verification (IOS only!)

  Hub1#show derived-config interface Virtual-Access 1
  Building configuration...
  Derived configuration : 197 bytes
  !
  interface Virtual-Access1
   ip unnumbered Loopback1
   ip policy route-map FW
   tunnel source GigabitEthernet2
   tunnel destination 10.0.0.1
   tunnel protection ipsec profile default
   no tunnel protection ipsec initiate

Derived from the Virtual-Template (show command not available on ASA/FTD).

  Spoke1#show ip route
  S 172.16.1.254/32 is directly connected, Tunnel1
  S 172.16.1.253/32 is directly connected, Tunnel2
  B 192.168.0.0/16 [200/0] via 172.16.1.254, 00:07:27

  Hub1#show ip route
  S 172.16.1.1/32 is directly connected, Virtual-Access1
  B 192.168.101.0/24 [200/0] via 172.16.1.1, 00:25:06

Diagram labels: Spoke1 (192.168.101.0/24; Tunnel1 172.16.1.1/32; 10.0.0.1) and Hub1 (Virtual-Access1 172.16.1.253/32; 10.0.0.254).

Interface and routing verification

  Hub1#show derived-config interface Virtual-Access 1
  Building configuration...
  Interface Virtual-Access1 diagnostic_dynamic_vti_1_va9, is up, line protocol is up
    Hardware is Virtual Access
    MAC address N/A, MTU 1445
    IP address 1.1.1.1, subnet mask 255.255.255.255
    Vaccess Interface Information:
      Source IP address: 38.146.3.81
      Vaccess cloned from template 1
      Mode: ipsec ipv4
      IPsec profile: FMC_IPSEC_PROFILE_1
      IPsec MTU Overhead: 55

(Same Spoke1/Hub1 show ip route output and diagram as on the previous slide.)
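The routing check those verification slides perform by eye, as an added example in Python (not Cisco's or the session's code). It parses IOS `show ip route` lines of the two forms shown on the slides, then confirms for a given prefix what the slides confirm manually: the prefix is a BGP route, and its next hop resolves by longest-prefix match to a directly connected route on a tunnel interface (Virtual-Access on the hub, Tunnel on the spoke). The route lines are the ones from the slides with the `[AD/metric]` brackets restored; the function names and the constructed failure cases are assumptions of the example.

```python
"""Verify that spoke prefixes are learned over the VTI, from 'show ip route'
text.  Added example, not Cisco's code."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Route lines reproduced from the verification slides.
HUB_ROUTES_TEXT = """\
S 172.16.1.1/32 is directly connected, Virtual-Access1
B 192.168.101.0/24 [200/0] via 172.16.1.1, 00:25:06
"""
SPOKE_ROUTES_TEXT = """\
S 172.16.1.254/32 is directly connected, Tunnel1
S 172.16.1.253/32 is directly connected, Tunnel2
B 192.168.0.0/16 [200/0] via 172.16.1.254, 00:07:27
"""

# "B  192.168.101.0/24 [200/0] via 172.16.1.1, 00:25:06"
VIA_RE = re.compile(r"^(\w+)\s+(\S+/\d+)\s+\[(\d+)/(\d+)\]\s+via\s+([\d.]+)")
# "S  172.16.1.1/32 is directly connected, Virtual-Access1"
CONN_RE = re.compile(r"^(\w+)\s+(\S+/\d+)\s+is directly connected,\s+(\S+)")


@dataclass
class Route:
    code: str                  # IOS source code: S, B, C, O ...
    prefix: str                # e.g. 192.168.101.0/24
    next_hop: Optional[str]    # via address, None for connected routes
    interface: Optional[str]   # egress interface when the line states it


def parse_routes(text):
    """Parse the two 'show ip route' line forms; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if (m := VIA_RE.match(line)):
            routes.append(Route(m.group(1), m.group(2), m.group(5), None))
        elif (m := CONN_RE.match(line)):
            routes.append(Route(m.group(1), m.group(2), None, m.group(3)))
    return routes


def lookup(routes, addr):
    """Longest-prefix match for addr, as the forwarding lookup would do."""
    a, best = ip_address(addr), None
    for r in routes:
        net = ip_network(r.prefix)
        if a in net and (best is None
                         or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def check_route_over_vti(routes, prefix, iface_prefix):
    """[] when prefix is a BGP route whose next hop resolves to a directly
    connected route on an interface named iface_prefix*; else the problems."""
    route = next((r for r in routes if r.prefix == prefix), None)
    if route is None:
        return [f"{prefix} not in routing table"]
    problems = []
    if route.code != "B":
        problems.append(f"{prefix} learned via {route.code}, expected B (BGP)")
    if route.next_hop is None:
        return problems + [f"{prefix} has no next hop to resolve"]
    nh = lookup(routes, route.next_hop)
    if nh is None:
        problems.append(f"next hop {route.next_hop} is unresolved")
    elif not (nh.interface or "").startswith(iface_prefix):
        problems.append(f"next hop {route.next_hop} resolves via "
                        f"{nh.interface or nh.next_hop}, not {iface_prefix}")
    return problems


if __name__ == "__main__":
    hub = parse_routes(HUB_ROUTES_TEXT)
    spoke = parse_routes(SPOKE_ROUTES_TEXT)
    print("hub :", check_route_over_vti(hub, "192.168.101.0/24", "Virtual-Access"))
    print("spoke:", check_route_over_vti(spoke, "192.168.0.0/16", "Tunnel"))
```

Because the hub sets `neighbor Flex next-hop-self all` and each spoke's `route set interface` / `route set local` installs the tunnel /32 as a connected static route, a healthy table always resolves the BGP next hop to a Virtual-Access (hub) or Tunnel (spoke) interface; a next hop that resolves elsewhere, or not at all, is the first thing to look at when a spoke LAN is unreachable.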
