FireSIGHT System User Guide
 
Chapter 11 Using Gateway VPNs
Managing VPN Deployments
Name
Give the deployment a unique name.
Type
Click PTP to specify that you are configuring a point-to-point deployment.
Pre-shared Key
Define a unique pre-shared key for authentication. The system uses this key for all the VPNs in your 
deployment, unless you specify a pre-shared key for each endpoint pair.
Device
You can select a managed device, including a device stack or cluster, as an endpoint for your 
deployment. For Cisco managed devices not managed by the Defense Center you are using, select 
Other and then specify an IP address for the endpoint.
Virtual Router
If you selected a managed device as your endpoint, select a virtual router that is currently applied 
to the selected device. You cannot select the same virtual router for more than one endpoint.
Interface
If you selected a managed device as your endpoint, select a routed interface that is assigned to the 
selected virtual router. 
IP Address
– If you selected a managed device as an endpoint, select an IP address that is assigned to the 
selected routed interface.
– If the managed device is a device cluster, you can only select from a list of SFRP IP addresses.
– If you selected a managed device not managed by the Defense Center, specify an IP address for 
the endpoint.
Protected Networks
Specify the networks in your deployment that are encrypted. Enter a subnet with CIDR block for 
each network. IKE version 1 only supports a single protected network.
Note that VPN endpoints cannot have the same IP address and that protected networks in a VPN 
endpoint pair cannot overlap. If the list of protected networks for an endpoint contains one or more 
IPv4 or IPv6 entries, the other endpoint's protected networks must include at least one entry of the 
same type (IPv4 or IPv6). If they do not, the other endpoint's IP address must be of the same type 
and must not overlap with the entries in the protected network (treat the address as a /32 CIDR 
block for IPv4 or a /128 CIDR block for IPv6). If both of these checks fail, the endpoint pair is 
invalid.
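The validity rules above can be checked before a deployment is applied rather than discovered as a rejected configuration. The following Python is an added example written for this section; it is not Cisco's code and not part of the FireSIGHT System. It models each endpoint as a VPN endpoint IP plus a list of protected CIDR blocks (the dict keys "ip" and "protected" and the sample addresses are assumptions of the example) and implements the checks stated here: distinct endpoint IPs, no overlapping protected networks, the per-address-family rule with the /32 and /128 host-route fallback, and the single-protected-network limit for IKE version 1.

```python
from ipaddress import ip_address, ip_network

# Constructed sample endpoints (not taken from any real deployment). Each
# endpoint is its VPN endpoint IP plus its protected networks in CIDR form.
# The keys "ip" and "protected" are an assumption of this example.
SAMPLE_A = {"ip": "203.0.113.1", "protected": ["10.1.0.0/16", "2001:db8:1::/48"]}
SAMPLE_B = {"ip": "198.51.100.1", "protected": ["10.2.0.0/16"]}


def _parse(endpoint):
    """Parse one endpoint dict into (address object, [network objects])."""
    addr = ip_address(endpoint["ip"])
    nets = [ip_network(n, strict=False) for n in endpoint["protected"]]
    return addr, nets


def _host_route(addr):
    """Represent an endpoint address as a /32 (IPv4) or /128 (IPv6) block."""
    return ip_network(f"{addr}/{addr.max_prefixlen}")


def _family_check(nets, other_nets, other_ip, label):
    """Apply the per-address-family rule in one direction of the pair.

    For each family (IPv4/IPv6) present in `nets`, the other endpoint must
    either list at least one protected network of that family, or its own
    endpoint IP must be of that family and not overlap any of those entries.
    Both failing makes the pair invalid.
    """
    errors = []
    for version in sorted({n.version for n in nets}):
        if any(o.version == version for o in other_nets):
            continue  # first check passes: a same-family entry exists
        host = _host_route(other_ip)
        same_family = [n for n in nets if n.version == version]
        if host.version == version and not any(host.overlaps(n) for n in same_family):
            continue  # second check passes: the other endpoint's IP qualifies
        errors.append(
            f"endpoint {label} lists IPv{version} protected networks but the "
            f"other endpoint has no IPv{version} entry and its IP {other_ip} "
            f"does not qualify as a substitute"
        )
    return errors


def endpoint_pair_errors(ep_a, ep_b, ike_version=2):
    """Return the reasons an endpoint pair is invalid (an empty list means valid)."""
    a_ip, a_nets = _parse(ep_a)
    b_ip, b_nets = _parse(ep_b)
    errors = []

    # IKE version 1 supports only a single protected network per endpoint.
    if ike_version == 1:
        for label, nets in (("A", a_nets), ("B", b_nets)):
            if len(nets) > 1:
                errors.append(f"IKEv1: endpoint {label} has more than one protected network")

    # Endpoints cannot share an IP address.
    if a_ip == b_ip:
        errors.append(f"both endpoints use the same IP address {a_ip}")

    # Protected networks of the two endpoints cannot overlap (same family only;
    # an IPv4 and an IPv6 block can never overlap).
    for n1 in a_nets:
        for n2 in b_nets:
            if n1.version == n2.version and n1.overlaps(n2):
                errors.append(f"protected networks overlap: {n1} and {n2}")

    # Per-family rule, applied in both directions.
    errors += _family_check(a_nets, b_nets, b_ip, "A")
    errors += _family_check(b_nets, a_nets, a_ip, "B")
    return errors


if __name__ == "__main__":
    # The sample pair is invalid: A protects an IPv6 block, but B has no IPv6
    # entry and its endpoint IP is IPv4, so both checks for that family fail.
    for reason in endpoint_pair_errors(SAMPLE_A, SAMPLE_B):
        print("invalid:", reason)
```

The function returns every violated rule rather than stopping at the first, which is what you want when reviewing a deployment with several endpoint pairs; a pair is valid only when the returned list is empty.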
Internal IP
Select the check box if the endpoint resides behind a firewall with network address translation.
Public IP
If you selected Internal IP, specify a public IP address for the firewall. If the endpoint is a responder, 
you must specify this value.