Cisco Firepower Management Center 4000
11-10
FireSIGHT System User Guide
Chapter 11 Using Gateway VPNs
Managing VPN Deployments
Note that VPN endpoints cannot have the same IP address and that the protected networks in a VPN endpoint pair cannot overlap. If the list of protected networks for an endpoint contains one or more IPv4 or IPv6 entries, the other endpoint's protected networks must contain at least one entry of the same type (IPv4 or IPv6). If they do not, the other endpoint's IP address must itself be of that type and must not overlap any of those entries (the endpoint IP is treated as a /32 CIDR block for IPv4 or a /128 block for IPv6). If both of these checks fail, the endpoint pair is invalid.
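The rules in the note above are easy to get wrong by hand when endpoints mix IPv4 and IPv6, so the following script checks an endpoint pair against them before the deployment is saved. It is an added example written for this page, not code from the FireSIGHT System; the Endpoint class, the rule ordering and the sample addresses (taken from the documentation ranges) are assumptions of the example.

```python
"""Checks a pair of VPN endpoints against the protected-network rules in the
note above. Added illustration, not Cisco code; the Endpoint class and the
constructed sample addresses are assumptions made for this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Endpoint:
    name: str
    ip: str                                               # endpoint's own IP
    protected: List[str] = field(default_factory=list)    # CIDR strings

    def address(self):
        return ipaddress.ip_address(self.ip)

    def networks(self):
        # strict=False accepts entries with host bits set, e.g. "10.1.5.9/24"
        return [ipaddress.ip_network(n, strict=False) for n in self.protected]


def host_block(addr):
    """The guide treats an endpoint IP as a /32 (IPv4) or /128 (IPv6) block."""
    return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")


def family_check(this: Endpoint, other: Endpoint) -> List[str]:
    """One direction of the address-type rule: for every family present in
    `this` endpoint's protected list, `other` must either list a protected
    network of that family (first check) or have an endpoint IP of that family
    that does not overlap `this` endpoint's entries (second check)."""
    errors = []
    this_nets = this.networks()
    other_families = {n.version for n in other.networks()}
    other_ip = other.address()
    for version in sorted({n.version for n in this_nets}):
        if version in other_families:
            continue                                  # first check passes
        if other_ip.version != version:               # second check fails too
            errors.append(f"{other.name}: no IPv{version} protected network "
                          f"and endpoint IP {other_ip} is not IPv{version}")
            continue
        block = host_block(other_ip)
        for net in this_nets:
            if net.version == version and net.overlaps(block):
                errors.append(f"{other.name}: endpoint IP {other_ip} overlaps "
                              f"{this.name}'s protected network {net}")
    return errors


def validate_pair(a: Endpoint, b: Endpoint) -> List[str]:
    """Return the list of rule violations; an empty list means the pair is valid."""
    errors = []
    if a.address() == b.address():
        errors.append(f"endpoints share the IP address {a.ip}")
    for na in a.networks():
        for nb in b.networks():
            if na.version == nb.version and na.overlaps(nb):
                errors.append(f"protected networks overlap: {na} ({a.name}) "
                              f"and {nb} ({b.name})")
    errors += family_check(a, b)
    errors += family_check(b, a)
    return errors


if __name__ == "__main__":
    # Constructed sample pairs using documentation address ranges, not from the guide.
    hub = Endpoint("hub", "198.51.100.1", ["10.1.0.0/16", "2001:db8:1::/48"])
    good_leaf = Endpoint("leaf-a", "2001:db8:2::1", ["10.2.0.0/16"])
    bad_leaf = Endpoint("leaf-b", "203.0.113.7", ["10.1.5.0/24"])
    for leaf in (good_leaf, bad_leaf):
        print(leaf.name, validate_pair(hub, leaf) or "valid")
```

Run it against each hub/leaf pair before saving the deployment; "leaf-b" above fails twice, once because its protected network sits inside the hub's 10.1.0.0/16 and once because it has neither an IPv6 protected network nor an IPv6 endpoint address to match the hub's 2001:db8:1::/48 entry.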
Internal IP
Select the check box if the endpoint resides behind a firewall with network address translation.
Public IP
If you selected Internal IP, specify a public IP address for the firewall. If the endpoint is a responder, you must specify this value.
Public IKE Port
If you selected Internal IP, specify a single numerical value from 1 to 65535 for the UDP port on the firewall that is being port-forwarded to the internal endpoint. If the endpoint is a responder and the port on the firewall being forwarded is not 500 or 4500, you must specify this value.
Tip
To edit an existing star deployment, click the edit icon next to the deployment. You cannot edit the deployment type after you initially save the deployment. To change the deployment type, you must delete the deployment and create a new one. Two users should not edit the same deployment simultaneously; however, note that the web interface does not prevent simultaneous editing.
To configure a star deployment:
Access: Admin/Network Admin
Step 1 Select Devices > VPN.
The VPN page appears.
Step 2 Click Add.
The Create New VPN Deployment pop-up window appears.
Step 3 Give the deployment a unique Name.
You can use all printable characters, including spaces and special characters.
Step 4 Click Star to specify the Type.
Step 5 Give the deployment a unique Pre-shared Key. Use a long, randomly generated value.
Step 6 Next to Hub Node, click the add icon.
The Add Hub Node pop-up window appears.
Step 7 Configure the VPN deployment, as described earlier in this section.
Step 8 Next to Protected Networks, click the add icon.
The Add Network pop-up window appears.
Step 9 Type an IP address for the protected network.
Step 10 Click OK.
The protected network is added.