This document provides a configuration example to set up an IPv6 site to site tunnel between an ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defense) using Internet Key Exchange version 2 (IKEv2) protocol. The setup includes end to end IPv6 network connectivity with ASA and FTD as VPN terminating devices.
Cisco recommends that you have knowledge of these topics:
Fundamental knowledge of ASA CLI configuration
Fundamental knowledge of IKEv2 and IPSEC protocols
Understanding of IPv6 addressing and routing
Basic understanding of FTD configuration via FMC
The information in this document is based on a virtual environment, created from devices in a specific lab setup. All of the devices used in this document started with a cleared (default) configuration. If your network is in production, make sure that you understand the potential impact of any command.
The information in this document is based on these software and hardware versions:
Cisco ASAv running 9.6(4)12
Cisco FTDv running 6.5.0
Cisco FMCv running 6.6.0
This section describes the configuration required on the ASA.
Step 8. Set the crypto map and apply it to the outside interface.
crypto map VPN 1 match address CRYPTO_ACL
crypto map VPN 1 set peer 2001:cccc::1
crypto map VPN 1 set ikev2 ipsec-proposal ikev2_aes256
crypto map VPN 1 set reverse-route
crypto map VPN interface outside
This section provides instructions to configure an FTD using FMC.
Define the VPN Topology
Step 1. Navigate to Devices > VPN > Site To Site.
Select 'Add VPN' and choose 'Firepower Threat Defense Device', as shown in this image.
Step 2. The 'Create New VPN Topology' box appears. Give the VPN an easily identifiable name.
Network Topology: Point to Point
IKE Version: IKEv2
In this example, when selecting endpoints, Node A is the FTD and Node B is the ASA. Click the green plus button to add devices to the topology.
Step 3. Add the FTD as the first endpoint.
Choose the interface where the crypto map is applied. The IP address should auto-populate from the device configuration.
Click the green plus icon under Protected Networks to select the subnets that are encrypted via this VPN tunnel. In this example, the 'Local Proxy' network object on the FMC contains the IPv6 subnet '2001:DDDD::/64'.
With the above step, the FTD endpoint configuration is complete.
Step 4. Click the green plus icon for Node B, which is the ASA in this configuration example. Devices that are not managed by the FMC are considered Extranet. Add a device name and IP address.
Step 5. Select the green plus icon to add protected networks.
Step 6. Select the ASA subnets that need to be encrypted and add them to the selected networks.
'Remote Proxy' is the ASA subnet '2001:AAAA::/64' in this example.
Configure IKE Parameters
Step 1. Under the IKE tab, specify the parameters to use for the IKEv2 initial exchange. Click the green plus icon to create a new IKE policy.
Step 2. In the new IKE policy, specify a priority number as well as the lifetime of phase 1 of the connection. This guide uses these parameters for the initial exchange: Integrity (SHA256), Encryption (AES-256), PRF (SHA256), and Diffie-Hellman Group (Group 14).
All IKE policies on the device will be sent to the remote peer regardless of what is in the selected policy section. The first one the remote peer matches will be selected for the VPN connection.
[Optional] Choose which policy is sent first using the priority field. Priority 1 is sent first.
Step 3. Once the parameters have been added, select the above-configured policy, and choose the authentication type.
Select the Pre-shared Manual Key option. For this guide, the pre-shared key 'cisco123' is used.
Configure IPSEC Parameters
Step 1. Move to the IPsec tab and create a new IPsec Proposal by clicking the pencil icon to edit the transform set.
Step 2. Create a new IKEv2 IPsec Proposal by selecting the green plus icon and input these phase 2 parameters:
ESP Hash: SHA-1
ESP Encryption: AES-256
Step 3. Once the new IPsec proposal has been created, add it to the selected transform sets.
Step 4. The newly selected IPsec proposal is now listed under the IKEv2 IPsec Proposals.
If needed, the phase 2 lifetime and PFS can be edited here. For this example, the lifetime is set as default and PFS disabled.
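The IKE policy selection described under Configure IKE Parameters ("all policies are sent, the first one the remote peer matches wins") and the IPsec proposal and protected-network settings above all have to agree on both peers, and a mismatch is the usual reason the tunnel never comes up. The following is an added example, not part of the Cisco document or of any Cisco tool: it models that selection rule and the mirrored proxy-ID requirement in Python with constructed sample values that mirror the parameters this document configures (the ASA-side values and all function and class names are assumptions).

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class IkePolicy:
    """One IKEv2 (phase 1) policy; a lower priority number is sent first."""
    priority: int
    encryption: str
    integrity: str
    prf: str
    dh_group: int

@dataclass(frozen=True)
class IpsecProposal:
    """One IKEv2 IPsec (phase 2) proposal: ESP encryption plus ESP hash."""
    priority: int
    esp_encryption: str
    esp_hash: str

def first_match(sent, accepted, fields):
    """Model of the rule the document states: every policy is sent, and the
    first one (by priority) that the remote peer also accepts is used.
    Returns that policy, or None when nothing matches (tunnel stays down)."""
    for pol in sorted(sent, key=lambda p: p.priority):
        for cand in accepted:
            if all(getattr(pol, f) == getattr(cand, f) for f in fields):
                return pol
    return None

IKE_FIELDS = ("encryption", "integrity", "prf", "dh_group")
IPSEC_FIELDS = ("esp_encryption", "esp_hash")

def proxy_ids_mirrored(ftd_local, ftd_remote, asa_local, asa_remote):
    """Traffic selectors must mirror: the FTD's protected network is the ASA's
    remote network and vice versa. IPv6 prefixes are compared canonically, so
    2001:DDDD::/64 and 2001:dddd::/64 count as the same network."""
    net = ipaddress.ip_network
    return net(ftd_local) == net(asa_remote) and net(ftd_remote) == net(asa_local)

# Constructed sample data mirroring the FMC parameters from this document
# (AES-256 / SHA256 / SHA256 / DH group 14; ESP AES-256 / SHA-1). The ASA-side
# values and the weaker second FTD policy are assumptions for the comparison.
FTD_IKE = [IkePolicy(1, "aes-256", "sha256", "sha256", 14),
           IkePolicy(2, "aes-128", "sha", "sha", 5)]
ASA_IKE = [IkePolicy(10, "aes-256", "sha256", "sha256", 14)]
FTD_IPSEC = [IpsecProposal(1, "aes-256", "sha-1")]
ASA_IPSEC = [IpsecProposal(1, "aes-256", "sha-1")]
```

Run `first_match` on both peers' policy lists before deploying; a `None` result for either phase means the configured policies can never agree.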
You must either configure the steps below to Bypass Access Control, or create Access Control Policy rules that allow the VPN subnets through the FTD.
Bypass Access Control
If sysopt permit-vpn is not enabled, an access control policy must be created to allow the VPN traffic through the FTD device. If sysopt permit-vpn is enabled, skip creating an access control policy. This configuration example uses the 'Bypass Access Control' option.
The parameter sysopt permit-vpn can be enabled under Advanced > Tunnel.
Caution: This option removes the possibility to use the Access Control Policy to inspect traffic coming from the users. VPN filters or downloadable ACLs can still be used to filter user traffic. This is a global command and applies to all VPNs if this checkbox is enabled.
Configure NAT Exemption
Configure a NAT Exemption statement for the VPN traffic. NAT exemption must be in place to prevent VPN traffic from matching another NAT statement and incorrectly translating VPN traffic.
Step 1. Navigate to Devices > NAT and create a new policy by clicking New Policy > Threat Defense NAT.
Step 2. Click on Add Rule.
Step 3. Create a new Static Manual NAT Rule.
Reference the inside and outside interfaces for the NAT rule. Specifying the interfaces on the Interface Objects tab prevents this rule from affecting traffic from other interfaces.
Navigate to the Translation tab and select the source and destination subnets. As this is a NAT exemption rule, ensure the original source/destination and the translated source/destination are the same.
Click the Advanced tab and enable no-proxy-arp and route-lookup.
Save this rule and confirm the final NAT statement in the NAT list.
Step 4. Once the configuration is complete, save and deploy the configuration to the FTD.
Initiate interesting traffic from the LAN machine, or run the packet-tracer command below on the ASA.