Connecting to a Cisco ASA
This article describes how to configure a single Cisco ASA firewall running software version 9.8.1 or later to connect to Pureport over a route-based IPsec VPN with BGP. Because routes are exchanged dynamically over the tunnels, you can add networks on either side without editing traffic selectors (crypto ACLs) or static route tables.
Prerequisites
Before connecting to a Cisco ASA, you must have a Pureport Route-Based BGP VPN Connection using IKEv2. See "Connecting to a Site VPN - Route-Based with BGP" for details.
You must also gather the following information:
- The Encryption, Integrity, and DH Group mechanisms from the Pureport Console.
- Primary Pureport Gateway IP
- Secondary Pureport Gateway IP
- Primary Gateway Pre-shared Key
- Secondary Gateway Pre-shared Key
- Primary Gateway BGP password
- Secondary Gateway BGP Password
- The Primary Gateway Customer VTI IP in CIDR format.
- The Primary Gateway Pureport VTI IP
- The Secondary Gateway Customer VTI IP in CIDR format.
- The Secondary Gateway Pureport VTI IP
- Pureport ASN
- Customer ASN
You can find this information in your Site IPSec VPN connections, as shown here:
Example Configuration
This example builds an HA IPsec VPN between a customer-premises device and the Pureport platform. The configuration consists of two separate tunnels, one to each Pureport gateway, terminating on a single commercial broadband connection and a single peer IP at the location. This protects against the loss of one Pureport gateway but not against the loss of the ISP link. For information on connecting a second redundant ISP in an active/active scenario, refer to the Cisco support portal.
Note: These examples provide a baseline configuration only. You must adapt these examples to your specific environment.
- Create a Pureport-compatible IKEv2 policy that supports Pureport's crypto set. The policy number (200 here) only needs to be unique among the IKEv2 policies on the ASA; the algorithms must include the Encryption, Integrity, and DH Group values shown in the Pureport Console. Replace outside with the nameif of your Internet-facing interface:
crypto ikev2 enable outside
group-policy Pureport internal
group-policy Pureport attributes
vpn-tunnel-protocol ikev2
crypto isakmp identity address
crypto ikev2 policy 200
group 14
encryption aes-192 aes-256 aes
integrity sha256 sha384 sha512
prf sha384 sha256 sha512
exit
- Create the Primary Tunnel Group and Pre-shared Key:
tunnel-group <Pureport Primary Gateway IP> type ipsec-l2l
tunnel-group <Pureport Primary Gateway IP> general-attributes
default-group-policy Pureport
tunnel-group <Pureport Primary Gateway IP> ipsec-attributes
ikev2 local-authentication pre-shared-key <Primary pre-shared key>
ikev2 remote-authentication pre-shared-key <Primary pre-shared key>
isakmp keepalive threshold 10 retry 2
- Create the IPsec proposal (the ASA equivalent of a transform set) and the IPsec profile that define the ESP encryption and integrity algorithms and the PFS group for the tunnel:
crypto ipsec ikev2 ipsec-proposal Pureport
protocol esp encryption aes-192 aes aes-256
protocol esp integrity sha-512 sha-256 sha-384
crypto ipsec profile PureportProfile
set ikev2 ipsec-proposal Pureport
set pfs group14
exit
- Configure the Tunnel #1 interface, using the Primary Gateway Customer VTI IP (169.254.1.1/30 in this example) and the same outside interface name as above:
interface Tunnel1
nameif Tunnel-int-pureport-0
ip address 169.254.1.1 255.255.255.252
tunnel source interface outside
tunnel destination <Pureport Primary Gateway IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile PureportProfile
no shutdown
exit
- Create a route-map for the primary neighbor. It sets the MED (metric) that Pureport sees on routes advertised over Tunnel1 to 100, lower than the value used later for the secondary tunnel, so Pureport prefers this path for return traffic:
route-map PRIMARY permit 10
set metric 100
- Configure BGP on Tunnel #1 and apply the PRIMARY route-map outbound to that neighbor. The password must match the Primary Gateway BGP password from the console, and the timers (10 second keepalive, 30 second hold) bound how long a silent tunnel failure goes unnoticed:
router bgp <Customer ASN>
bgp log-neighbor-changes
bgp bestpath compare-routerid
bgp graceful-restart
address-family ipv4 unicast
neighbor <Primary Pureport VTI IP> remote-as <Pureport ASN>
neighbor <Primary Pureport VTI IP> timers 10 30 30
neighbor <Primary Pureport VTI IP> password <BGP Primary password>
neighbor <Primary Pureport VTI IP> activate
neighbor <Primary Pureport VTI IP> next-hop-self
no neighbor <Primary Pureport VTI IP> default-originate
neighbor <Primary Pureport VTI IP> route-map PRIMARY out
network <Your local network> mask <Your network subnet mask>
no auto-summary
no synchronization
exit-address-family
- Create the Secondary Tunnel Group and Pre-shared Key:
tunnel-group <Pureport Secondary Gateway IP> type ipsec-l2l
tunnel-group <Pureport Secondary Gateway IP> general-attributes
default-group-policy Pureport
tunnel-group <Pureport Secondary Gateway IP> ipsec-attributes
ikev2 local-authentication pre-shared-key <Secondary pre-shared key>
ikev2 remote-authentication pre-shared-key <Secondary pre-shared key>
isakmp keepalive threshold 10 retry 2
- If you did not already create them for Tunnel #1, create the IPsec proposal and profile for Tunnel #2. The same proposal and profile are reused for both tunnels, so this step is a no-op if they already exist:
crypto ipsec ikev2 ipsec-proposal Pureport
protocol esp encryption aes-192 aes aes-256
protocol esp integrity sha-512 sha-256 sha-384
crypto ipsec profile PureportProfile
set ikev2 ipsec-proposal Pureport
set pfs group14
exit
- Configure the Tunnel #2 interface, using the Secondary Gateway Customer VTI IP (169.254.2.1/30 in this example):
interface Tunnel2
nameif Tunnel-int-pureport-1
ip address 169.254.2.1 255.255.255.252
tunnel source interface outside
tunnel destination <Secondary Pureport Gateway IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile PureportProfile
no shutdown
exit
- The ASA does not fail over between VTI tunnels on its own, so BGP path attributes are used to make the Primary VTI the preferred path. The BACKUP route-map, applied outbound to the secondary neighbor, advertises your prefixes with a higher MED (200 instead of the 100 used for the primary) and with one extra copy of your own ASN on the AS path (set as-path prepend last-as 1 repeats the last AS in the path once; for locally originated prefixes that is your Customer ASN). Pureport therefore sees a longer, less preferred path over the secondary tunnel and sends return traffic over the primary. Note that these route-maps only shape what Pureport sees. The ASA's own choice between the two tunnels for traffic toward Pureport is decided by the attributes Pureport sends over each tunnel; if you need to pin that direction to the primary as well, you must also apply an inbound route-map (for example, one that sets a higher local preference on routes learned from the primary neighbor), which is not part of the examples on this page.
route-map BACKUP permit 10
set metric 200
set as-path prepend last-as 1
- Configure BGP on Tunnel #2. This re-enters the same BGP process configured for Tunnel #1, so use the same Customer ASN; the global settings are repeated here only for completeness:
router bgp <Customer ASN>
bgp log-neighbor-changes
bgp bestpath compare-routerid
bgp graceful-restart
address-family ipv4 unicast
neighbor <Secondary Pureport VTI IP> remote-as <Pureport ASN>
neighbor <Secondary Pureport VTI IP> timers 10 30 30
neighbor <Secondary Pureport VTI IP> password <BGP Secondary password>
neighbor <Secondary Pureport VTI IP> activate
neighbor <Secondary Pureport VTI IP> next-hop-self
no neighbor <Secondary Pureport VTI IP> default-originate
neighbor <Secondary Pureport VTI IP> route-map BACKUP out
network <Your local network> mask <Your network subnet mask>
no auto-summary
no synchronization
exit-address-family
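The route-maps in the steps above only influence which tunnel Pureport chooses for return traffic. The following fragment is an added example, not part of the Pureport configuration steps, showing how to also pin the ASA's own outbound choice to the primary tunnel with inbound route-maps that set local preference, and how to restrict what is advertised to Pureport with a prefix list. The route-map names FROM-PRIMARY and FROM-BACKUP, the prefix-list name PUREPORT-OUT, and the 10.0.0.0/8 prefix are assumptions for illustration; replace them with your own networks.

```cisco
! Inbound: make the ASA itself prefer routes learned over the primary tunnel.
! Local preference is compared before AS-path length and MED in BGP best-path
! selection, so this wins regardless of what Pureport sends on each tunnel.
route-map FROM-PRIMARY permit 10
 set local-preference 200
route-map FROM-BACKUP permit 10
 set local-preference 100

! Outbound: only advertise the prefixes you intend to expose to Pureport.
! (10.0.0.0/8 and the list name PUREPORT-OUT are assumed for this example.)
prefix-list PUREPORT-OUT seq 10 permit 10.0.0.0/8 le 24

! Re-define the existing PRIMARY and BACKUP route-maps with a match clause.
! A route-map with a match clause implicitly denies anything that does not
! match, so prefixes outside PUREPORT-OUT (including the 169.254.x.x link
! subnets) are never advertised.
route-map PRIMARY permit 10
 match ip address prefix-list PUREPORT-OUT
 set metric 100
route-map BACKUP permit 10
 match ip address prefix-list PUREPORT-OUT
 set metric 200
 set as-path prepend last-as 1

! Apply the inbound route-maps to the neighbors configured in the steps above.
router bgp <Customer ASN>
 address-family ipv4 unicast
  neighbor <Primary Pureport VTI IP> route-map FROM-PRIMARY in
  neighbor <Primary Pureport VTI IP> route-map PRIMARY out
  neighbor <Secondary Pureport VTI IP> route-map FROM-BACKUP in
  neighbor <Secondary Pureport VTI IP> route-map BACKUP out
 exit-address-family
```

After applying an inbound policy change, the ASA must re-evaluate the routes already received; on platforms that support it, a soft reconfiguration or route refresh toward the neighbor avoids tearing down the session. Verify with show route bgp that every Pureport prefix now lists Tunnel-int-pureport-0 as its outgoing interface while both sessions remain established.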
Testing IPSEC VPN Tunnel Connectivity
When using BGP, the routing table updates automatically if one of the tunnels disconnects: once the hold timer (30 seconds with the timers above) expires without keepalives from a neighbor, the routes learned from that neighbor are withdrawn and traffic shifts to the remaining tunnel.
- To verify that BGP peering is established and routes are being learned, check the route table from the CLI with this command:
show route bgp
The system displays the current BGP routes in the ASA route table. Confirm that the routes are installed via Tunnel-int-pureport-0, the Primary VTI.
- To see all BGP routes, including those learned over the secondary tunnel but not installed, use:
show bgp
- To confirm that your tunnels have established a connection to your Pureport Gateways, ping the Primary Pureport VTI IP address from a system in your local network. A successful ping transmits all packets with no loss. In the previous sample, the Pureport VTI IPs are:
- 169.254.1.2 (Primary)
- 169.254.2.2 (Secondary)
To ping the Primary Gateway Pureport VTI, use:
ping 169.254.1.2
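A ping from an inside host only proves the end-to-end path. The following sequence is an added example, not from the Pureport article, that checks each layer separately from the ASA CLI and then exercises the failover the BGP design is meant to provide. The interface names and 169.254.x.x addresses are the ones from the sample configuration above; the exact output labels vary by ASA version.

```cisco
! 1. IKEv2: expect one SA per Pureport gateway, each in READY state.
show crypto ikev2 sa

! 2. IPsec child SAs for the primary peer: the encaps/decaps counters should
!    increase as you pass traffic; a tunnel that is up with zero decaps
!    usually means the far side is not routing to you.
show crypto ipsec sa peer <Pureport Primary Gateway IP>

! 3. BGP sessions: the State/PfxRcd column should show a prefix count for
!    both neighbors, not Active or Idle. Idle with a configured password
!    usually means the BGP password does not match the console value.
show bgp summary

! 4. Routes installed from BGP, with the outgoing VTI name for each prefix.
show route bgp

! 5. Ping the Pureport VTI address sourced from the tunnel interface itself,
!    which bypasses inside routing and NAT.
ping Tunnel-int-pureport-0 169.254.1.2

! 6. Failover drill: shut the primary VTI, confirm the routes move to
!    Tunnel-int-pureport-1, then restore it. Shutting the interface withdraws
!    the routes immediately; a silent failure instead waits for the 30 second
!    hold timer to expire.
interface Tunnel1
 shutdown
show route bgp
interface Tunnel1
 no shutdown
```

Run the failover drill during a maintenance window and, before restoring Tunnel1, confirm from an inside host that traffic to a Pureport-learned prefix still works over the secondary tunnel; that is the only step that proves the backup path is actually usable rather than merely advertised.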