Integrate Prisma Access with Cisco Catalyst SD-WAN (Manual Integration)
Configure the remote network between the Cisco Catalyst SD-WAN and Prisma Access by
completing the steps in the following workflows.
You can configure the IPSec tunnel in Prisma Access before you perform the IPSec tunnel
configuration in Cisco Catalyst SD-WAN, formerly known as Viptela SD-WAN.
Cisco Catalyst SD-WAN supports the following deployment architectures for use with Prisma
Access. A dash (—) indicates that the deployment is not supported.
Use Case | Architecture | Supported? |
---|---|---|
Securing traffic from each branch site with 1 WAN link (Type 1) | (architecture diagram not reproduced) | Yes |
Securing branch and HQ sites with active/backup SD-WAN connections | (architecture diagram not reproduced) | Yes |
Securing branch and HQ sites with active/active SD-WAN connections | (architecture diagram not reproduced) | Yes |
Securing branch and HQ sites with SD-WAN edge devices in HA mode | (architecture diagram not reproduced) | Yes |
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2) | (architecture diagram not reproduced) | Yes |
Before you start, get the IP address of the Cisco Catalyst SD-WAN device that you
will be using as the other side of the remote network connection; you enter this
information in your IKE Gateway profile.
Cloud Management
- Choose a Prisma Access Location that is close to the remote network location that you want to onboard.
- When creating the IPSec tunnel, use a Branch Device Type of Other Devices.
- Select IPSec Advanced Options and Create New to create a new IPSec crypto profile for the remote network tunnel using the recommended settings.
- Select IKE Advanced Options and Create New to create a new IKE cryptographic profile for the remote network tunnel. Be sure to use crypto values that are supported with Viptela and make a note of the values you use.
- Set up routing for the remote network. Select Set Up Routing and Add the IP subnets for Static Routing: choose Static Routing and Add a subnet. A /30 subnet is sufficient for a Viptela-Prisma Access SD-WAN integration, because you need only two IP addresses for this configuration:
  - 10.10.10.1, which you specified as the IP address for the ge0/4 interface.
  - 10.10.10.2, for which you specify a default route when you configure the remote network connection in Viptela.
- Push your configuration changes.
  - Return to Manage > Service Setup > Remote Networks and select Push Config > Push.
  - Select Remote Networks.
  - Push your changes.
- Make a note of the Service IP of the Prisma Access side of the tunnel. To find this address in Prisma Access (Cloud Management), select Manage > Service Setup > Remote Networks and click the Remote Networks tab. Look for the Service IP field corresponding to the remote network configuration you created.
- Complete configuration of the IPSec tunnel.
  - Return to the IPSec tunnel configuration.
  - Change Local Identification to IP address and add the Service IP you just retrieved (13.1.1.1 in this example). Be sure to make a note of the Service IP; you configure this as the peer IP address for the IPSec tunnel between the Viptela SD-WAN device and Prisma Access.
Create a Remote Network Connection in Viptela
Use the following steps to configure the IPSec tunnel in Viptela. The examples in
this section use command-line interface (CLI) commands.
This configuration completes the remote network connection between Prisma Access
and the Viptela SD-WAN. The following figure shows what you define in the
Viptela side:
- On the LAN side of the Viptela SD-WAN device, create a ge0/0 interface with an IP address of 10.50.50.1. This matches the IP address you specified when you configured the IKE Gateway in Prisma Access. The Viptela SD-WAN performs NAT on the source IP address for the LAN (73.146.228.139).
- On the remote network tunnel (WAN) side, create an interface named ipsec2 with a type, slot, and port of ge0/4 whose IP address is 10.10.10.1/30. This address must be within the subnet range you specified for the Branch IP Subnet when you onboarded your remote network in Prisma Access. In this example, the administrator specified a Branch IP Subnet of 10.10.10.0/30 in Prisma Access, and you use the other available IP address (10.10.10.1/30) on the Viptela side of the remote network connection.
- Specify a tunnel-destination IP address that matches the Prisma Access Service IP. This example uses 13.1.1.1.
- Specify a loopback IP address that Prisma Access can use for tunnel monitoring. In this example, the administrator configured a loopback100 interface with an IP address of 10.1.50.1/32. This value matches the Tunnel Monitor Destination IP address you specified in the IPSec Tunnel configuration that you configured in Prisma Access.
- Open a CLI session with the Viptela SD-WAN device and enter the following commands to define the control plane for the Viptela Overlay Management Protocol (OMP). The following commands enable a graceful restart for the OMP and advertise static and connected routes.

    omp
     no shutdown
     graceful-restart
     advertise connected
     advertise static

- Define the security types for the IPSec tunnel. The following commands enable the AH-SHA1 HMAC and ESP HMAC-SHA1 authentication types.

    security
     ipsec
      authentication-type sha1-hmac ah-sha1-hmac

- Configure VPNs to segment the Viptela overlay network. The following commands create a VPN (VPN 0) named Transport VPN and associate the ge0/4 interface with this VPN. You use this interface and VPN for the Viptela SD-WAN side of the remote network tunnel (IPSec tunnel) between Viptela and Prisma Access.

    vpn 0
     name "Transport VPN"
     interface ge0/4
      ip dhcp-client
      tunnel-interface
       encapsulation ipsec
       color biz-internet
       allow-service all
       no allow-service bgp
       allow-service dhcp
       allow-service dns
       allow-service icmp
       no allow-service sshd
       no allow-service netconf
       no allow-service ntp
       no allow-service ospf
       no allow-service stun

- Enter the no shutdown command to enable the ge0/4 interface.
- Create another VPN named VPN 1, associate the ge0/0 interface with this VPN, then define parameters for it. The following example defines the parameters to allow the Viptela SD-WAN to route traffic from the LAN to its ge0/0 interface.

    vpn 1
     interface ge0/0
      ip address 10.50.50.1/24
      no shutdown
      dhcp-server
       address-pool 10.50.50.0/24
       exclude 10.50.50.1
       offer-time 600
       lease-time 86400
       admin-state up
       options
        default-gateway 10.50.50.1
        dns-servers 8.8.8.8 8.8.4.4

- Create an interface named ipsec2 and apply it to the ge0/4 interface. These commands define the parameters for the remote network tunnel between the Viptela SD-WAN and Prisma Access. Enter the following values:
  - Enter an ip address to allow the Viptela SD-WAN to route traffic to Prisma Access. This address must be within the subnet range you specified for the Branch Subnet when you onboarded your remote network in Prisma Access. A /30 address is sufficient to allow routing to Prisma Access.
  - Specify the same tunnel-source-interface that you used for VPN 0 (ge0/4 in this example).
  - Specify a tunnel-destination using the Service IP from Prisma Access. This example uses 13.1.1.1 as the Service IP.
  - Make sure that the ike and ipsec parameters that you specify match the parameters you specified in Prisma Access.
  - Enter a pre-shared-secret that matches the Pre-shared key (PSK) that you entered in Prisma Access. This example uses a PSK of secretkey.

    interface ipsec2
     ip address 10.10.10.1/30
     tunnel-source-interface ge0/4
     tunnel-destination 13.1.1.1
     ike
      version 1
      mode main
      rekey 14400
      cipher-suite aes128-cbc-sha1
      group 2
      authentication-type
       pre-shared-key
        pre-shared-secret secretkey
       !
      !
     !
     ipsec
      rekey 3600
      replay-window 512
      cipher-suite aes256-cbc-sha1

- Enter the no shutdown command on the ipsec2 interface to enable it.
- Create a loopback interface to be used for tunnel monitoring.

    interface loopback100
     ip address 10.1.50.1/32
     no shutdown

- Create a default route for the network. This route uses the second IP address (10.10.10.2 in this example) of the /30 subnet you used when you onboarded your remote network in Prisma Access. The Viptela side of the network can route to this IP address and uses it as a next hop for routing.

    ip route 0.0.0.0/0 10.10.10.2

- Enter a VPN and give it a name.

    vpn 512
     name "Transport VPN"

- Apply policies for the network.

    policy
     app-visibility
     flow-visibility
Troubleshoot the Viptela Remote Network
To troubleshoot problems related to SD-WAN tunnels in Viptela, refer to the
Viptela documentation for configuring IPSec tunnels at the following URL: https://www.cisco.com/c/en/us/support/routers/sd-wan/tsd-products-support-series-home.html.
Prisma Access provides logs and widgets that show the status of each remote network tunnel.
- Go to Manage > Service Setup > Remote Networks and check the Status of the tunnel.
- Go to Activity > Log Viewer and check the Common/System logs for IPSec- and IKE-related messages. To view VPN-related messages, set the filter to sub_type.value = vpn. The message ignoring unauthenticated notify payload indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
- Check the Firewall/Traffic logs and view the messages that are coming from the zone that has the same name as the remote network. In the logs, the remote network name is used as the source zone.
Panorama
You can configure the IPSec tunnel in Prisma Access before you perform the IPSec
tunnel configuration in Cisco Catalyst.
Before you start, get the IP address of the Cisco Catalyst SD-WAN device that you
will be using as the other side of the remote network connection; you enter this
information in your IKE Gateway profile.
- In Panorama, add an IPSec crypto profile, IKE crypto profile, IKE gateway, and IPSec tunnel in the Remote_Network_Template template.
  - Select Network > Network Profiles > IPSec Crypto and Add an IPSec Crypto Profile, specifying supported Encryption and Authentication settings; then click OK. Be sure that you have selected the Remote_Network_Template in the Templates drop-down at the top of the page.
  - Select Network > Network Profiles > IKE Crypto and Add an IKE Crypto Profile, specifying supported DH Group, Encryption, and Authentication settings; then click OK.
  - Select Network > Network Profiles > IKE Gateways and Add an IKE Gateway.
    - Specify the following values in the General tab:
      - Select a Peer IP Address Type of IP and enter the IP address of the Cisco Catalyst SD-WAN device that you will be using as the other side of the remote network connection as the Peer Address.
      - If using a pre-shared key for the IPSec tunnel, specify a Pre-shared Key.
      - Leave Local Identification blank, because you do not know this address at the time of configuration; you add it at the end of the procedure in Step #integrate-prisma-access-with-viptela-sd-wan-panorama_step_pnj_fjm_myb.
      - Specify a Peer Identification of either IP Address or User FQDN. Be sure that you match the settings you specify here when you configure the device used to terminate the other side of the Cisco Catalyst IPSec tunnel.
    - Select the following values in the Advanced Options tab:
      - Select Enable NAT Traversal. NAT traversal is required because the Cisco Catalyst SD-WAN uses the IP address from the LAN side of the SD-WAN device as the source interface. As a result, all traffic undergoes NAT translation on the interface used for the remote network connection (that is, the WAN side of the Cisco Catalyst SD-WAN). With the NAT Traversal option enabled, Prisma Access performs UDP encapsulation on IKE and UDP protocols, enabling them to pass through intermediate NAT devices.
      - Select the IKE Crypto Profile you created in Step #integrate-prisma-access-with-viptela-sd-wan-panorama_substep_owr_p3m_myb.
    - Click OK when complete.
  - Select IPSec Tunnels and Add an IPSec Tunnel, specifying the IKE Gateway and IPSec Crypto Profile you just created.
    - (Optional) Select Tunnel Monitor and specify a Destination IP address that can monitor reachability of the IPSec tunnel between Prisma Access and the Cisco Catalyst SD-WAN. Make a note of this address; you match this address with the loopback100 interface you assign to the Cisco Catalyst SD-WAN when you configure the remote network connection in Cisco Catalyst.
    - Make a note of all IKE and IPSec settings you used in the tunnel configuration.
- Onboard your remote network connection and enter the following values:
  - Specify a Name, Bandwidth, and Region.
  - Select the IPSec Tunnel profile you created in Step #integrate-prisma-access-with-viptela-sd-wan-panorama_substep_hgk_ykm_myb.
  - Specify a Branch IP Subnet that is significant to Cisco Catalyst. A /30 subnet is sufficient for a Cisco Catalyst-Prisma Access SD-WAN integration, because you need only two IP addresses for this configuration:
    - 10.10.10.1, which you specified as the IP address for the ge0/4 interface.
    - 10.10.10.2, for which you specify a default route when you configure the remote network connection in Cisco Catalyst.
- Commit the configuration changes to Panorama and push the configuration out to Prisma Access for remote networks.
  - Click Commit > Commit to Panorama.
  - Click Commit > Commit and Push, click Edit Selections, and under Prisma Access select both Prisma Access for remote networks and Prisma Access for service setup to push the configuration out to the service.
  - Click OK and Push.
- Complete configuration of the IKE Gateway.
  - Select Panorama > Cloud Services > Status > Network Details, click the Remote Networks tab, and make a note of the Service IP Address.
  - Select Network Profiles > IKE Gateways and select the IKE Gateway you specified in Step #integrate-prisma-access-with-viptela-sd-wan-panorama_substep_r5b_clm_myb.
  - Change Local Identification to IP address and add the Service IP Address you just retrieved (13.1.1.1 in this example). Be sure to make a note of the Service IP Address; you must configure this as the peer IP address to set up the IPSec tunnel between the Cisco Catalyst SD-WAN device and Prisma Access.
Create a Remote Network Connection in Cisco Catalyst
Use the following steps to configure the IPSec tunnel in Cisco Catalyst. The
examples in this section use command-line interface (CLI) commands.
This configuration completes the remote network connection between Prisma Access
and the Cisco Catalyst SD-WAN. The following figure shows what you define in the
Cisco Catalyst side:
- On the LAN side of the Cisco Catalyst SD-WAN device, create a ge0/0 interface with an IP address of 10.50.50.1. This matches the IP address you specified when you configured the IKE Gateway in Prisma Access. The Cisco Catalyst SD-WAN performs NAT on the source IP address for the LAN (73.146.228.139).
- On the remote network tunnel (WAN) side, create an interface named ipsec2 with a type, slot, and port of ge0/4 whose IP address is 10.10.10.1/30. This address must be within the subnet range you specified for the Branch IP Subnet when you onboarded your remote network in Prisma Access. In this example, the administrator specified a Branch IP Subnet of 10.10.10.0/30 in Prisma Access, and you use the other available IP address (10.10.10.1/30) on the Cisco Catalyst side of the remote network connection.
- Specify a tunnel-destination IP address that matches the Prisma Access Service IP Address. This example uses 13.1.1.1.
- Specify a loopback IP address that Prisma Access can use for tunnel monitoring. In this example, the administrator configured a loopback100 interface with an IP address of 10.1.50.1/32. This value matches the Tunnel Monitor Destination IP address you specified in the IPSec Tunnel configuration that you configured in Prisma Access.
- Open a CLI session with the Cisco Catalyst SD-WAN device and enter the following commands to define the control plane for the Cisco Catalyst Overlay Management Protocol (OMP). The following commands enable a graceful restart for the OMP and advertise static and connected routes.

    omp
     no shutdown
     graceful-restart
     advertise connected
     advertise static

- Define the security types for the IPSec tunnel. The following commands enable the AH-SHA1 HMAC and ESP HMAC-SHA1 authentication types.

    security
     ipsec
      authentication-type sha1-hmac ah-sha1-hmac

- Configure VPNs to segment the Cisco Catalyst overlay network. The following commands create a VPN (VPN 0) named Transport VPN and associate the ge0/4 interface with this VPN. You use this interface and VPN for the Cisco Catalyst SD-WAN side of the remote network tunnel (IPSec tunnel) between Cisco Catalyst and Prisma Access.

    vpn 0
     name "Transport VPN"
     interface ge0/4
      ip dhcp-client
      tunnel-interface
       encapsulation ipsec
       color biz-internet
       allow-service all
       no allow-service bgp
       allow-service dhcp
       allow-service dns
       allow-service icmp
       no allow-service sshd
       no allow-service netconf
       no allow-service ntp
       no allow-service ospf
       no allow-service stun

- Enter the no shutdown command to enable the ge0/4 interface.
- Create another VPN named VPN 1, associate the ge0/0 interface with this VPN, then define parameters for it. The following example defines the parameters to allow the Cisco Catalyst SD-WAN to route traffic from the LAN to its ge0/0 interface.

    vpn 1
     interface ge0/0
      ip address 10.50.50.1/24
      no shutdown
      dhcp-server
       address-pool 10.50.50.0/24
       exclude 10.50.50.1
       offer-time 600
       lease-time 86400
       admin-state up
       options
        default-gateway 10.50.50.1
        dns-servers 8.8.8.8 8.8.4.4

- Create an interface named ipsec2 and apply it to the ge0/4 interface. These commands define the parameters for the remote network tunnel between the Cisco Catalyst SD-WAN and Prisma Access. Enter the following values:
  - Enter an ip address to allow the Cisco Catalyst SD-WAN to route traffic to Prisma Access. This address must be within the subnet range you specified for the Branch Subnet when you onboarded your remote network in Prisma Access. A /30 address is sufficient to allow routing to Prisma Access.
  - Specify the same tunnel-source-interface that you used for VPN 0 (ge0/4 in this example).
  - Specify a tunnel-destination using the Service IP Address from Prisma Access. This example uses 13.1.1.1 as the Service IP Address.
  - Make sure that the ike and ipsec parameters that you specify match the parameters you specified in Prisma Access.
  - Enter a pre-shared-secret that matches the Pre-shared key (PSK) that you entered in Prisma Access. This example uses a PSK of secretkey.

    interface ipsec2
     ip address 10.10.10.1/30
     tunnel-source-interface ge0/4
     tunnel-destination 13.1.1.1
     ike
      version 1
      mode main
      rekey 14400
      cipher-suite aes128-cbc-sha1
      group 2
      authentication-type
       pre-shared-key
        pre-shared-secret secretkey
       !
      !
     !
     ipsec
      rekey 3600
      replay-window 512
      cipher-suite aes256-cbc-sha1

- Enter the no shutdown command on the ipsec2 interface to enable it.
- Create a loopback interface to be used for tunnel monitoring.

    interface loopback100
     ip address 10.1.50.1/32
     no shutdown

- Create a default route for the network. This route uses the second IP address (10.10.10.2 in this example) of the /30 subnet you used when you onboarded your remote network in Prisma Access. The Cisco Catalyst side of the network can route to this IP address and uses it as a next hop for routing.

    ip route 0.0.0.0/0 10.10.10.2

- Enter a VPN and give it a name.

    vpn 512
     name "Transport VPN"

- Apply policies for the network.

    policy
     app-visibility
     flow-visibility
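The steps above (and the identical Viptela steps in the Cloud Management workflow) require the ipsec2 interface, default route and loopback on the SD-WAN side to agree with the Service IP, Branch IP Subnet, pre-shared key, crypto profiles and Tunnel Monitor destination entered in Prisma Access. The following Python script is an added pre-deployment check, not part of this documentation or of either vendor's tooling: it parses a constructed excerpt of the SD-WAN CLI configuration shown above and reports every mismatch against the Prisma Access side. The configuration text, the PRISMA_ACCESS_SIDE dictionary and its key names are constructed for this example from the page's values.

```python
import ipaddress
import itertools
import re

# Constructed excerpt of the SD-WAN configuration from this page (indented CLI form).
SDWAN_CONFIG = """\
interface ipsec2
 ip address 10.10.10.1/30
 tunnel-destination 13.1.1.1
 ike
  cipher-suite aes128-cbc-sha1
  group 2
  authentication-type
   pre-shared-key
    pre-shared-secret secretkey
 ipsec
  cipher-suite aes256-cbc-sha1
interface loopback100
 ip address 10.1.50.1/32
ip route 0.0.0.0/0 10.10.10.2
"""
# Constructed: what was entered on the Prisma Access side (this page's example values).
PRISMA_ACCESS_SIDE = {
    "service_ip": "13.1.1.1", "branch_ip_subnet": "10.10.10.0/30",
    "pre_shared_key": "secretkey", "ike_cipher_suite": "aes128-cbc-sha1",
    "ike_dh_group": "2", "ipsec_cipher_suite": "aes256-cbc-sha1",
    "tunnel_monitor_dest_ip": "10.1.50.1",
}

def _section(config, header):
    """Return the lines indented more deeply than the line equal to `header`."""
    lines = config.splitlines()
    i = next(i for i, line in enumerate(lines) if line.strip() == header)
    depth = len(lines[i]) - len(lines[i].lstrip())
    return "\n".join(itertools.takewhile(
        lambda line: len(line) - len(line.lstrip()) > depth, lines[i + 1:]))

def _value(text, key):
    # Token that follows `key` at the start of a line, or None if absent.
    m = re.search(r"^\s*" + re.escape(key) + r"\s+(\S+)", text, re.M)
    return m.group(1) if m else None

def check_tunnel_consistency(config=SDWAN_CONFIG, pa=PRISMA_ACCESS_SIDE):
    """Cross-check the SD-WAN tunnel against the Prisma Access side; [] means consistent."""
    ipsec2, ike, ipsec = (_section(config, h) for h in ("interface ipsec2", "ike", "ipsec"))
    subnet = ipaddress.ip_network(pa["branch_ip_subnet"])
    if_ip = ipaddress.ip_interface(_value(ipsec2, "ip address")).ip
    next_hop = ipaddress.ip_address(_value(config, "ip route 0.0.0.0/0"))
    loopback = _value(_section(config, "interface loopback100"), "ip address") or ""
    checks = [
        (_value(ipsec2, "tunnel-destination") == pa["service_ip"],
         "tunnel-destination does not match the Prisma Access Service IP"),
        (if_ip in subnet and next_hop in subnet and next_hop != if_ip,
         "ipsec2 address and default-route next hop are not the two addresses of the Branch IP Subnet"),
        (_value(ike, "pre-shared-secret") == pa["pre_shared_key"],
         "pre-shared-secret differs from the Prisma Access pre-shared key"),
        ((_value(ike, "cipher-suite"), _value(ike, "group"), _value(ipsec, "cipher-suite"))
         == (pa["ike_cipher_suite"], pa["ike_dh_group"], pa["ipsec_cipher_suite"]),
         "IKE/IPSec cipher-suite or DH group differ from the Prisma Access crypto profiles"),
        (loopback.split("/")[0] == pa["tunnel_monitor_dest_ip"],
         "loopback100 address does not match the Tunnel Monitor Destination IP"),
    ]
    return [message for ok, message in checks if not ok]
```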
Troubleshoot the Cisco Catalyst Remote Network
To troubleshoot problems related to SD-WAN tunnels in Cisco Catalyst, refer to
the Cisco Catalyst documentation for configuring IPSec tunnels at the following
URL: https://www.cisco.com/c/en/us/support/routers/sd-wan/tsd-products-support-series-home.html.
To troubleshoot issues in Prisma Access, we provide logs that show the status of
each remote network tunnel. To view these logs in Panorama, select
Monitor > Logs > System.
To debug tunnel issues, you can filter for tunnel-specific logs by using the
object identifier corresponding to that tunnel. The following figures show
errors related to tunnel misconfiguration and negotiation issues.