Cisco Firepower

You can establish a Site-to-Site IPsec VPN tunnel between a Harmony SASE network and a Cisco Firepower device. The Firepower steps below follow the device's web console (Firepower Device Manager) workflow and use a route-based Virtual Tunnel Interface (VTI).

Pre-requisites

  • Harmony SASE Administrator Portal account and a configured network.

  • Make sure that you have installed the Harmony SASE Agent on your device.

  • Active and licensed Cisco Firepower device with necessary administrative permissions.

Configuring IPsec Tunnel

To configure an IPsec tunnel, do these:

  1. Log in to the Harmony SASE Administrator Portal.

  2. Click Networks.

  3. Select the network from which you want to create the tunnel to the Cisco Firepower.

  4. Click and select Add Tunnel.

  5. Select IPSec Site-2-Site Tunnel and click Continue.

  6. Select Single Tunnel and click Continue.

  7. In the General Settings section:

    1. In the Name field, enter a name for the tunnel.

    2. In the Shared Secret field, enter a string or click Generate.

    3. In the Public IP field, enter the public IP of the Firepower device.

    4. In the Remote ID field, enter the remote ID of the Firepower device. This is the same as the Public IP unless the Firepower is behind NAT; in that case, enter the IP address configured on the Firepower's outside interface (the pre-NAT address), because that is the identity the Firepower presents during IKE.

    5. In the Harmony SASE Gateway Proposal Subnets section, leave the default value, Any (0.0.0.0/0).

    6. In the Remote Gateway Proposal Subnets section, leave the default value, Any (0.0.0.0/0). With the route-based (VTI) tunnel configured on the Firepower side, the traffic selectors are any-to-any and the Routes Table decides which subnets are sent through the tunnel.

  8. In the Advanced Settings section, specify these:

    • IKE Version: IKEv2

    • IKE Lifetime: 8h

    • Tunnel Lifetime: 1h

    • Dead Peer Detection Delay: 10s

    • Dead Peer Detection Timeout: 30s

    • Encryption (Phase 1): aes256

    • Encryption (Phase 2): aes256

    • Integrity (Phase 1): sha256

    • Integrity (Phase 2): sha256

    • Diffie-Hellman Groups (Phase 1): 14

    • Diffie-Hellman Groups (Phase 2): 14

  9. On your network, click and select Routes Table.

  10. Click Add Route.

    The Add Route window appears.

  11. Check the values in these fields:

    1. Tunnel: the tunnel you created in step 7.

    2. Subnet: the subnet behind the Cisco Firepower that Harmony SASE users must reach (the Firepower's inside network, not the Harmony SASE network itself).

  12. Click Add Route.

  13. Click Apply Configuration.

Configuring the Tunnel in Cisco Firepower

  1. Log in to your Cisco Firepower web console.

  2. Select your device.

  3. Go to Site-to-Site VPN configuration and click View Configuration.

  4. Click to create a Site-to-Site Connection.

  5. Specify these:

    1. In the Connection Profile Name field, enter a name for your connection.

    2. In the Type section, select Route Based (VTI).

    3. Expand Local VPN Access Interface, and click Create new Virtual Tunnel Interface.

    The Create Virtual Tunnel Interface window appears.

  6. Enter a name for your VTI adapter, for example, harmony_sase_vti.

  7. Turn on the Status toggle button.

  8. Enter a tunnel ID.

  9. Set the source to your outside interface.

  10. Set the IP and Subnet Mask to 169.254.2.122 / 255.255.255.252 (the Firepower end of a point-to-point /30 in link-local space; the other usable address, 169.254.2.121, is used later as the static route gateway).

  11. Click OK.

  12. From the Create Virtual Tunnel Interface list, select the newly created VTI object.

  13. In the Remote IP Address field, enter your Harmony SASE gateway IP address (found in your Harmony SASE Admin Panel).

  14. Click Next.

  15. Make sure IKE Version 2 is enabled; the Harmony SASE side of this tunnel is configured for IKEv2 only.

  16. In the IKE Policy section, for Globally applied, click Edit.

  17. Create a new policy with the settings that match the Phase 1 settings on the Harmony SASE side. Specify these:

    • Priority

    • Name

    • State - Enable

    • Encryption: AES256

    • Diffie-Hellman Group: 14

    • Integrity Hash: SHA256

    • Pseudo Random Function (PRF) Hash: SHA256

    • Lifetime: 28800

  18. Click OK.

  19. Click Edit by IPSec Proposal.

  20. Click Create new IPSec Proposal.

  21. Specify these:

    1. Name

    2. Encryption: AES256

    3. Integrity Hash: SHA256

    Note - Select the Encryption and Integrity Hash to match the Harmony SASE side for Phase 2.

  22. Click OK.

  23. In the Authentication Type section, select Pre-shared Manual Key.

  24. In the Local Pre-shared Key and Remote Peer Pre-shared Key fields, enter the Shared Secret that you entered or generated in the Harmony SASE portal (Configuring IPsec Tunnel, step 7.2). Both fields must hold the same value; a mismatch fails IKE authentication and the tunnel never comes up.

  25. In the Lifetime Duration field, enter 3600.

  26. In the Diffie-Hellman Group for Perfect Forward Secrecy field, enter 14. This must match the Phase 2 Diffie-Hellman group set on the Harmony SASE side.

  27. Click Next.

  28. Click Finish.

  29. Click to deploy changes to apply the new tunnel.

Configuring the Static Route in the Cisco Firepower

  1. Select your device.

  2. In the Routing section, click View Configuration.

  3. Click to add a new static route.

    The Add Static Route window appears.

  4. In the Name field, enter a name for your static route.

  5. In the Description field, enter a description.

  6. From the Interface list, select the VTI you created in Configuring the Tunnel in Cisco Firepower, step 6 (harmony_sase_vti in the example).

  7. In the Networks section, click .

  8. Click Create new Network.

    The Add Network Object window appears.

  9. Specify these:

    • Name

    • Description

    • Type - Network

    • Network - 10.255.0.0/16 (the default Harmony SASE network subnet; if you changed it, use the subnet of the network you selected in Configuring IPsec Tunnel, step 3)

  10. Click OK.

  11. In the Networks section, click .

  12. Select the object you just created.

  13. In the Gateway section, click Create new Network Object.

    The Add Network Object window appears.

  14. Specify these:

    1. Name. For example, harmony_sase_vti_gateway

    2. Description

    3. Type - Host

    4. Network - 169.254.2.121 (the other end of the VTI /30; the Firepower end is the 169.254.2.122 address you set on the VTI adapter)

  15. Click OK.

    The new route is added.

  16. Click to deploy changes to apply the new route.
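Most tunnels that fail to come up after these steps do so because the two sides disagree on a proposal value, a lifetime was entered in hours on one side and seconds on the other, or the static route gateway is not the far end of the VTI /30. The following added example (it is not Check Point or Cisco code) cross-checks the values this guide configures on the Harmony SASE side and on the Firepower side before you deploy. The two dictionaries and their field names are this script's own, constructed from the settings in the sections above, not an API of either product.

```python
"""Pre-deployment cross-check of the Harmony SASE and Cisco Firepower tunnel settings.

Added example for this guide; not Check Point or Cisco code. The dictionaries
below are constructed from the values the guide configures on each side, with
this script's own field names (not either product's API).
"""
import ipaddress
import re

# Harmony SASE "Advanced Settings" as typed in the portal (durations as shown there).
HARMONY_SASE = {
    "ike_version": 2,
    "ike_lifetime": "8h",
    "tunnel_lifetime": "1h",
    "phase1": {"encryption": "aes256", "integrity": "sha256", "dh_group": 14},
    "phase2": {"encryption": "aes256", "integrity": "sha256", "dh_group": 14},
}

# Firepower IKEv2 policy, IPsec proposal, VTI and static route (lifetimes in seconds).
FIREPOWER = {
    "ike_version": 2,
    "ike_policy": {"encryption": "AES256", "integrity": "SHA256", "prf": "SHA256",
                   "dh_group": 14, "lifetime": 28800},
    "ipsec_proposal": {"encryption": "AES256", "integrity": "SHA256"},
    "pfs_group": 14,
    "ipsec_lifetime": 3600,
    "vti_ip": "169.254.2.122",
    "vti_mask": "255.255.255.252",
    "route_gateway": "169.254.2.121",
    "route_network": "10.255.0.0/16",
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value):
    """Convert a duration such as '8h', '30m', '3600' or '3600s' into seconds."""
    m = re.fullmatch(r"(\d+)\s*([smhd]?)", str(value).strip().lower())
    if not m:
        raise ValueError(f"unparseable duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def _norm(alg):
    """Normalise algorithm names so 'aes256', 'AES256' and 'AES-256' compare equal."""
    return str(alg).lower().replace("-", "").replace("_", "")


def check_tunnel(sase, fp):
    """Return a list of mismatch descriptions; an empty list means both sides agree."""
    problems = []
    if sase["ike_version"] != fp["ike_version"]:
        problems.append(f"IKE version: {sase['ike_version']} vs {fp['ike_version']}")

    # Phase 1 (IKE SA): Harmony SASE Phase 1 settings vs the Firepower IKEv2 policy.
    p1, pol = sase["phase1"], fp["ike_policy"]
    for key in ("encryption", "integrity", "dh_group"):
        if _norm(p1[key]) != _norm(pol[key]):
            problems.append(f"Phase 1 {key}: {p1[key]} vs {pol[key]}")
    if _norm(pol["prf"]) != _norm(p1["integrity"]):
        problems.append(f"Phase 1 PRF {pol['prf']} does not match integrity {p1['integrity']}")
    if to_seconds(sase["ike_lifetime"]) != pol["lifetime"]:
        problems.append(f"IKE lifetime: {sase['ike_lifetime']} vs {pol['lifetime']}s")

    # Phase 2 (child SA): Harmony SASE Phase 2 settings vs the IPsec proposal and PFS group.
    p2, prop = sase["phase2"], fp["ipsec_proposal"]
    for key in ("encryption", "integrity"):
        if _norm(p2[key]) != _norm(prop[key]):
            problems.append(f"Phase 2 {key}: {p2[key]} vs {prop[key]}")
    if p2["dh_group"] != fp["pfs_group"]:
        problems.append(f"Phase 2 DH/PFS group: {p2['dh_group']} vs {fp['pfs_group']}")
    if to_seconds(sase["tunnel_lifetime"]) != fp["ipsec_lifetime"]:
        problems.append(f"IPsec lifetime: {sase['tunnel_lifetime']} vs {fp['ipsec_lifetime']}s")

    # VTI addressing: the static route gateway must be the other host of the VTI /30.
    vti = ipaddress.ip_interface(f"{fp['vti_ip']}/{fp['vti_mask']}")
    gw = ipaddress.ip_address(fp["route_gateway"])
    if vti.network.prefixlen != 30:
        problems.append(f"VTI mask {fp['vti_mask']} is not a /30 point-to-point link")
    elif gw not in list(vti.network.hosts()) or gw == vti.ip:
        problems.append(f"route gateway {gw} is not the peer address on {vti.network}")
    try:
        ipaddress.ip_network(fp["route_network"])  # strict: rejects host bits, e.g. 10.255.0.1/16
    except ValueError as exc:
        problems.append(f"route network: {exc}")
    return problems


if __name__ == "__main__":
    for line in check_tunnel(HARMONY_SASE, FIREPOWER) or ["settings consistent"]:
        print(line)
```

Run it after editing the dictionaries to the values you actually entered; an empty result means the proposals, lifetimes and VTI addressing agree, and each reported line names the setting to correct on one side before you click deploy.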

Configuring Firepower Policies Allowing Traffic Flow

To configure Cisco Firepower policies to allow traffic to flow:

  1. Go to Policies and click to add a new access rule.

  2. Configure either 1 bidirectional rule or 2 unidirectional rules.

    For example: Creating a single bidirectional rule.

    1. Enter an order number. Make sure this rule is not after a block rule that affects this traffic.

    2. Enter a title. For example, harmony_sase_allow.

    3. Set your Source zones and networks:

    4. Zones: add an entry for inside_zone and outside_zone.

    5. Networks: add the network object you created for the Harmony SASE network in Configuring the Static Route, step 9 (called harmony_sase_network in this example).

    6. Repeat the same zones and networks for the Destination.

    Note - An access rule matches only flows whose source and destination both match their selected zones and networks. If Harmony SASE users must reach internal subnets behind the Firepower, add those subnets to the Networks on the Source and Destination side as well (or create two unidirectional rules), and keep the rule as narrow as the required traffic allows.

  3. Click OK.

    Once you add the rule, it appears in the access rules table.

  4. Click to deploy changes to apply the new access rule.
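After the tunnel, route and access rule are deployed, confirm on the Firepower command line (for example over SSH with `show crypto ikev2 sa`, `show crypto ipsec sa` and `show route`) that the IKE SA with the Harmony SASE gateway is up and that it negotiated the Phase 1 parameters set above. The following added example, not part of this guide or of either vendor's tooling, parses text in the shape of the ASA/FTD `show crypto ikev2 sa` output and reports anything that deviates. The sample output is constructed for illustration (documentation IP ranges, made-up tunnel ID and SPIs), not captured from a real device.

```python
"""Check the negotiated IKEv2 SA on the Firepower against the Phase 1 settings in this guide.

Added example; not Check Point or Cisco code. SAMPLE_SHOW_CRYPTO_IKEV2_SA is
constructed in the layout of the ASA/FTD `show crypto ikev2 sa` command output;
paste the real output in its place.
"""
import re

SAMPLE_SHOW_CRYPTO_IKEV2_SA = """\
IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
 71528013 203.0.113.10/500                                    198.51.100.20/500                                       READY          RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/412 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x2f4a8c11/0x9b01d3e7
"""

# What the IKE policy in this guide should produce: AES-256, SHA-256, group 14, PSK, 8 hours.
EXPECTED_PHASE1 = {"encr": "AES-CBC", "keysize": 256, "hash": "SHA256",
                   "dh_group": 14, "auth": "PSK", "lifetime": 28800}

_TUNNEL_LINE = re.compile(r"\s*(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\S+)\s+(\S+)\s*$")
_ENCR_LINE = re.compile(r"Encr:\s*([\w-]+),\s*keysize:\s*(\d+),\s*Hash:\s*(\w+),\s*DH Grp:\s*(\d+),"
                        r"\s*Auth sign:\s*(\w+),\s*Auth verify:\s*(\w+)")
_LIFE_LINE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")
_SPI_LINE = re.compile(r"ESP spi in/out:\s*(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


def parse_ikev2_sas(text):
    """Return one dict per IKEv2 SA: peers, status, role, algorithms, lifetime, child SPIs."""
    sas, current = [], None
    for line in text.splitlines():
        m = _TUNNEL_LINE.match(line)
        if m:
            current = {"tunnel_id": int(m.group(1)), "local": m.group(2), "local_port": int(m.group(3)),
                       "remote": m.group(4), "remote_port": int(m.group(5)),
                       "status": m.group(6), "role": m.group(7)}
            sas.append(current)
            continue
        if current is None:
            continue  # header lines before the first SA
        m = _ENCR_LINE.search(line)
        if m:
            current.update(encr=m.group(1), keysize=int(m.group(2)), hash=m.group(3),
                           dh_group=int(m.group(4)), auth_sign=m.group(5), auth_verify=m.group(6))
            continue
        m = _LIFE_LINE.search(line)
        if m:
            current.update(lifetime=int(m.group(1)), active=int(m.group(2)))
            continue
        m = _SPI_LINE.search(line)
        if m:
            current.update(spi_in=m.group(1), spi_out=m.group(2))
    return sas


def verify_peer(text, peer_ip, expected=EXPECTED_PHASE1):
    """Return (ok, findings) for the IKEv2 SA whose remote peer is peer_ip."""
    findings = []
    sas = [sa for sa in parse_ikev2_sas(text) if sa["remote"] == peer_ip]
    if not sas:
        return False, [f"no IKEv2 SA with peer {peer_ip}: check the pre-shared key, the Remote ID/NAT "
                       f"setting, and that UDP/500 and UDP/4500 reach the peer"]
    sa = sas[-1]  # newest SA for this peer is listed last
    if sa.get("status") != "READY":
        findings.append(f"status: {sa.get('status')}, expected READY")
    for field in ("encr", "keysize", "hash", "dh_group", "lifetime"):
        if sa.get(field) != expected[field]:
            findings.append(f"{field}: negotiated {sa.get(field)}, expected {expected[field]}")
    if sa.get("auth_sign") != expected["auth"] or sa.get("auth_verify") != expected["auth"]:
        findings.append(f"auth: {sa.get('auth_sign')}/{sa.get('auth_verify')}, expected {expected['auth']}")
    if "spi_in" not in sa:
        findings.append("no child (IPsec) SA: a Phase 2 proposal or PFS group mismatch is likely")
    return not findings, findings


if __name__ == "__main__":
    ok, findings = verify_peer(SAMPLE_SHOW_CRYPTO_IKEV2_SA, "198.51.100.20")
    print("OK" if ok else "\n".join(findings))
```

Replace the sample with the live output and the peer address with your Harmony SASE gateway IP. A missing SA points at Phase 1 (PSK, Remote ID, reachability); an SA without child SPIs points at Phase 2 (IPsec proposal or PFS group); a negotiated value that differs from EXPECTED_PHASE1 means the Firepower accepted a proposal other than the one you intended, which is worth tightening in the IKE policy.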