Overview
This article describes the steps to reconfigure the Cloud Delivered Firewall tunnel's authentication mechanism from RSA (certificate-based) to PSK on a Cisco ASA.
Outline
Step 1: Verify you have an existing tunnel using RSA authentication
Step 2: Register ASA's public IP
Step 3: Create new ASA tunnel
Step 4: Create new tunnel-group
Step 5: Locate the IPSec profile used for the tunnel interface
Step 6: Remove old trustpoint from IPSec profile
Step 7: Update tunnel interface with new Umbrella headend IP
Step 8: Confirm new tunnel configuration successfully establishes
Step 9 (Optional): Remove the old tunnel-group
Step 10 (Optional): Remove old trustpoint
Step 11 (Optional): Delete old network tunnel
Step 12: Update web policies with new tunnel identity
Details
Step 1: Verify you have an existing tunnel using RSA authentication
Verify that you have an existing tunnel using RSA authentication and that the tunnel status on the ASA shows connected with this authentication type.
In the Umbrella dashboard you will find the Network tunnel for the ASA showing a Device authentication fingerprint.
In the Cisco ASA you can run the commands
show crypto ikev2 sa
and
show crypto ipsec sa
to verify the authentication type and headend IP being used for the tunnel.
Step 2: Register ASA's public IP
Make sure you have your public IP used by the ASA outside interface registered as a Network in the Umbrella dashboard. If the Network doesn’t exist then proceed to add it and confirm the public IP used by the ASA interface. The Network object used for this tunnel must be defined with a /32 subnet mask.
Step 3: Create new ASA tunnel
In the Umbrella dashboard under “Deployments/Network tunnels”, create a new tunnel by clicking the Add option.
Select the Tunnel ID based on the Network that matches the public IP of your ASA outside interface and set up a passphrase for the PSK authentication.
Step 4: Create new tunnel-group
On the ASA, create a new tunnel-group using the new Umbrella headend IP and specify the passphrase defined in the Umbrella dashboard for the PSK authentication.
The updated list of Umbrella data centers and headend IPs can be found at the following link:
https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/cisco-umbrella-data-centers
tunnel-group <UMB DC IP address .8> type ipsec-l2l
tunnel-group <UMB DC IP address .8> general-attributes
default-group-policy umbrella-policy
tunnel-group <UMB DC IP address .8> ipsec-attributes
peer-id-validate nocheck
ikev2 local-authentication pre-shared-key 0 <passphrase>
ikev2 remote-authentication pre-shared-key 0 <passphrase>
Step 5: Locate the IPSec profile used for the tunnel interface
Search for the “crypto ipsec profile” used by the tunnel interface for the route-based configuration to the Umbrella headend.
show run interface tunnel#
(# is replaced with the ID used for the tunnel interface to Umbrella)
If you are not sure about the tunnel ID, then you can use the command
show run interface tunnel
to list the existing tunnel interfaces and determine which one is used for the Umbrella tunnel-based configuration.
Step 6: Remove old trustpoint from IPSec profile
Remove the trustpoint from your IPSec profile that references the RSA authentication for the tunnel. You can verify the configuration by using the command
show crypto ipsec
Proceed to remove the trustpoint with the following commands:
crypto ipsec profile <profile name>
no set trustpoint umbrella-trustpoint
Confirm that the trustpoint was removed from the crypto ipsec profile.
Step 7: Update tunnel interface with new Umbrella headend IP
Replace the destination of the tunnel interface with the new Umbrella headend IP address ending in .8.
You can use the command
show run interface tunnel
to verify the current destination so it can be replaced with the IP from the new Data Center IP address ranges, which can be found in the following article:
https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/cisco-umbrella-data-centers
interface tunnel#
no tunnel destination <UMBRELLA DC IP address .2>
tunnel destination <UMBRELLA DC IP address .8>
Confirm the change with the command:
show run interface tunnel#
Step 8: Confirm new tunnel configuration successfully establishes
Confirm that the tunnel connection to Umbrella was re-established correctly with the updated headend IP and is using PSK authentication.
show crypto ikev2 sa
show crypto ipsec sa
Step 9 (Optional): Remove the old tunnel-group
Remove the old tunnel-group that was pointing to the previous Umbrella headend IP ending in .2.
The command
show run tunnel-group
can be used to identify the correct tunnel-group before removing the configuration.
Remove all references to the old tunnel-group using the following command:
clear config tunnel-group <UMB DC IP address .2>
Step 10 (Optional): Remove old trustpoint
Remove any reference of the trustpoint used previously with the Umbrella tunnel-based configuration.
The friendly name used for the trustpoint can be found by reviewing the “crypto ipsec profile” configuration.
You can run the following command to confirm the trustpoint configuration. Make sure the friendly name matches the one used in the crypto ipsec profile command.
To get more details about the certificate, use the command
show crypto ca certificate <trustpoint-name>
Remove the trustpoint with the command
no crypto ca trustpoint <trustpoint-name>
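The ASA-side end state produced by Steps 4 through 10 can be verified from the running configuration and the IKEv2 SA table. The following Python script is an added example, not part of this article and not a Cisco tool: audit_config() parses running-config text and reports anything that does not match the migrated state (tunnel destination not ending in .8, a trustpoint still set on the IPsec profile, a tunnel-group for the new peer without pre-shared-key authentication in both directions, a leftover .2 tunnel-group or the old trustpoint), and ikev2_peer_auth() reads the peer and the "Auth sign"/"Auth verify" method from show crypto ikev2 sa output. All sample text is constructed: 192.0.2.x and 198.51.100.x are placeholder addresses, not real Umbrella headend IPs, the pre-shared key appears as ***** because the ASA masks it in show run, and the SA output layout only approximates the ASA's.

```python
"""Added example (not from the article): post-migration checks for an ASA
route-based tunnel to Umbrella. audit_config() inspects running-config text
for the Step 4-10 end state; ikev2_peer_auth() reads peer and auth method
from `show crypto ikev2 sa`. Sample text is constructed; 192.0.2.x and
198.51.100.x are placeholders, not real Umbrella headend IPs."""
import re

OLD_TRUSTPOINT = "umbrella-trustpoint"  # trustpoint name used in Step 6

# Constructed running-config excerpt after Steps 4-7 plus the optional cleanup.
CONFIG_AFTER = """\
crypto ipsec profile umbrella-profile
 set ikev2 ipsec-proposal AES256-SHA256
interface Tunnel1
 tunnel destination 192.0.2.8
 tunnel protection ipsec profile umbrella-profile
tunnel-group 192.0.2.8 type ipsec-l2l
tunnel-group 192.0.2.8 ipsec-attributes
 peer-id-validate nocheck
 ikev2 local-authentication pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
"""

# Constructed excerpt of the same ASA before migration (RSA via trustpoint).
CONFIG_BEFORE = """\
crypto ca trustpoint umbrella-trustpoint
 enrollment terminal
crypto ipsec profile umbrella-profile
 set ikev2 ipsec-proposal AES256-SHA256
 set trustpoint umbrella-trustpoint
interface Tunnel1
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile umbrella-profile
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 ikev2 local-authentication certificate umbrella-trustpoint
 ikev2 remote-authentication certificate
"""

# Constructed `show crypto ikev2 sa` excerpt for the migrated tunnel (layout approximate).
IKEV2_SA_OUTPUT = """\
Tunnel-id Local                Remote               Status         Role
 60319 198.51.100.10/500     192.0.2.8/500        READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
"""


def parse_blocks(config):
    """Split ASA config into {header: [sub-lines]}; ASA indents sub-commands with one space."""
    blocks, header = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            header = line.strip()
            blocks[header] = []
        elif header is not None:
            blocks[header].append(line.strip())
    return blocks


def audit_config(config, old_trustpoint=OLD_TRUSTPOINT):
    """Return a list of findings; an empty list means the migration looks complete."""
    blocks, findings = parse_blocks(config), []
    tunnel = next((h for h in blocks if h.lower().startswith("interface tunnel")), None)
    if tunnel is None:
        return ["no tunnel interface found"]
    dest = profile = None
    for line in blocks[tunnel]:
        if m := re.match(r"tunnel destination (\S+)$", line):
            dest = m.group(1)
        elif m := re.match(r"tunnel protection ipsec profile (\S+)$", line):
            profile = m.group(1)
    # Step 7: the tunnel interface must point at the .8 headend.
    if dest is None or not dest.endswith(".8"):
        findings.append(f"tunnel destination is {dest}, expected the .8 headend")
    # Step 6: the IPsec profile must no longer reference a trustpoint.
    for line in blocks.get(f"crypto ipsec profile {profile}", []):
        if line.startswith("set trustpoint"):
            findings.append(f"profile {profile} still has '{line}'")
    # Step 4: the tunnel-group for the new peer must use PSK in both directions.
    if f"tunnel-group {dest} type ipsec-l2l" not in blocks:
        findings.append(f"no ipsec-l2l tunnel-group for peer {dest}")
    attrs = blocks.get(f"tunnel-group {dest} ipsec-attributes", [])
    for side in ("local", "remote"):
        if not any(l.startswith(f"ikev2 {side}-authentication pre-shared-key") for l in attrs):
            findings.append(f"tunnel-group {dest}: ikev2 {side}-authentication is not pre-shared-key")
    # Steps 9-10 (optional cleanup): a leftover .2 tunnel-group or the old trustpoint.
    stale = sorted({h.split()[1] for h in blocks
                    if h.startswith("tunnel-group ") and h.split()[1].endswith(".2")})
    findings.extend(f"stale tunnel-group for old peer {peer} remains" for peer in stale)
    if f"crypto ca trustpoint {old_trustpoint}" in blocks:
        findings.append(f"trustpoint {old_trustpoint} is still configured")
    return findings


def ikev2_peer_auth(output):
    """Return (remote peer, status, auth sign, auth verify) for each IKEv2 SA row."""
    sas, lines = [], output.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*\d+\s+\S+/\d+\s+(\S+)/\d+\s+(\S+)\s+\S+\s*$", line)
        if not m:
            continue
        detail = lines[i + 1] if i + 1 < len(lines) else ""  # Encr/Hash/Auth line follows the row
        a = re.search(r"Auth sign:\s*([\w-]+), Auth verify:\s*([\w-]+)", detail)
        sas.append((m.group(1), m.group(2), a.group(1) if a else None, a.group(2) if a else None))
    return sas
```

Paste the output of show run and show crypto ikev2 sa into the two constants (or read them from files) and call audit_config() and ikev2_peer_auth(); an empty findings list together with an SA row showing PSK for both "Auth sign" and "Auth verify" toward the .8 peer means Steps 4 through 10 are complete. Run against CONFIG_BEFORE, the audit lists the .2 destination, the set trustpoint line, the certificate-based authentication and the remaining trustpoint, which is the state Steps 6, 7, 9 and 10 are meant to clear.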
Step 11 (Optional): Delete old network tunnel
Delete the old network tunnel from the Umbrella dashboard.
Step 12: Update web policies with new tunnel identity
Confirm your web policies have the updated identity with the new network tunnel.