Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 11-12
Chapter 11 Using Gateway VPNs
Managing VPN Deployments
IP Address
– If you selected a managed device as an endpoint, select an IP address that is assigned to the selected routed interface.
– If the managed device is a device cluster, you can only select from a list of SFRP IP addresses.
– If you selected a managed device not managed by the Defense Center, specify an IP address for the endpoint.
Protected Networks
Specify the networks in your deployment that are encrypted. Enter a subnet with CIDR block for each network. IKE version 1 only supports a single protected network.
Note that VPN endpoints cannot have the same IP address and that protected networks in a VPN endpoint pair cannot overlap. If the list of protected networks for an endpoint contains one or more IPv4 or IPv6 entries, the other endpoint's protected networks must have at least one entry of the same type (that is, IPv4 or IPv6). If they do not, then the other endpoint's IP address must be of the same type and must not overlap with the entries in the protected networks (use /32 CIDR address blocks for IPv4 and /128 CIDR address blocks for IPv6 when comparing). If both of these checks fail, the endpoint pair is invalid.
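The endpoint-pair rules above, written out as a checker so you can test a planned pair of endpoints before entering them. This is an added example, not code from the FireSIGHT product; the `Endpoint` class and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

@dataclass
class Endpoint:
    """Constructed model of one VPN endpoint: its IP and its protected networks (CIDR)."""
    ip: str
    protected: List[str] = field(default_factory=list)

def _family_check(this_nets, other_nets, other_ip):
    """Per-address-family rule, applied from one endpoint's protected list to its peer.
    Check 1: the peer lists a protected network of the same family (IPv4/IPv6).
    Check 2 (fallback): the peer's own IP is of that family and lies outside every
    protected network of that family here (a host compares as /32 or /128).
    If both checks fail, the pair is invalid."""
    issues = []
    for version in (4, 6):
        mine = [n for n in this_nets if n.version == version]
        if not mine:
            continue
        if any(n.version == version for n in other_nets):
            continue                                   # check 1 passes
        if other_ip.version == version and not any(other_ip in n for n in mine):
            continue                                   # check 2 passes
        issues.append(f"peer has no IPv{version} protected network and its "
                      f"address {other_ip} does not satisfy the fallback check")
    return issues

def validate_endpoint_pair(a: Endpoint, b: Endpoint) -> List[str]:
    """Return the problems found; an empty list means the pair passes all checks."""
    ip_a, ip_b = ipaddress.ip_address(a.ip), ipaddress.ip_address(b.ip)
    nets_a = [ipaddress.ip_network(n, strict=False) for n in a.protected]
    nets_b = [ipaddress.ip_network(n, strict=False) for n in b.protected]
    problems = []
    if ip_a == ip_b:                                   # endpoints must differ
        problems.append("both endpoints use the same IP address")
    for na in nets_a:                                  # protected networks must not overlap
        for nb in nets_b:
            if na.version == nb.version and na.overlaps(nb):
                problems.append(f"protected networks overlap: {na} and {nb}")
    problems += _family_check(nets_a, nets_b, ip_b)
    problems += _family_check(nets_b, nets_a, ip_a)
    return problems
```

Running `validate_endpoint_pair(Endpoint("192.0.2.1", ["10.1.0.0/16"]), Endpoint("198.51.100.1", ["10.1.5.0/24"]))` reports the overlap, while a peer with no protected networks but an IPv4 address outside 10.1.0.0/16 passes on the fallback check.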
Internal IP
Select the check box if the endpoint resides behind a firewall with network address translation.
Public IP
If you selected Internal IP, specify a public IP address for the firewall. If the endpoint is a responder, you must specify this value.
Public IKE Port
If you selected Internal IP, specify a single numerical value from 1 to 65535 for the UDP port on the firewall that is being port-forwarded to the internal endpoint. If the endpoint is a responder and the port on the firewall being forwarded is not 500 or 4500, you must specify this value.
Tip
To edit an existing mesh deployment, click the edit icon next to the deployment. You cannot edit the deployment type after you initially save the deployment. To change the deployment type, you must delete the deployment and create a new one. Two users should not edit the same deployment simultaneously; however, note that the web interface does not prevent simultaneous editing.
To configure a mesh VPN deployment:
Access: Admin/Network Admin
Step 1 Select Devices > VPN.
The VPN page appears.
Step 2 Click Add.
The Create New VPN Deployment pop-up window appears.
Step 3 Give the deployment a unique Name.
You can use all printable characters, including spaces and special characters.
Step 4 Click Mesh to specify the Type.