Introduction
This document describes how to configure Secure Access with Sophos XG Firewall.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Sophos XG Firewall
- Secure Access
- Cisco Secure Client - VPN
- Cisco Secure Client - ZTNA
- Clientless ZTNA
Components Used
The information in this document is based on:
- Sophos XG Firewall
- Secure Access
- Cisco Secure Client - VPN
- Cisco Secure Client - ZTNA
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Secure Access - Sophos
Cisco has designed Secure Access to ensure the protection and provision of access to private applications, both on-premise and cloud-based. It also safeguards the connection from the network to the internet. This is achieved through the implementation of multiple security methods and layers, all aimed at preserving the information as they access it via the cloud.
Configure
Configure the Tunnel on Secure Access
Navigate to the admin panel of Secure Access.
Secure Access - Main Page
- Click on
Connect > Network Connections.
Secure Access - Network Connections
- Under
Network Tunnel Groups
click on + Add
.
Secure Access - Network Tunnel Groups
- Configure
Tunnel Group Name
, Region
and Device Type
.
- Click
Next
.
Secure Access - Tunnel Groups - General Settings
Note: Choose the region nearest to the location of your firewall.
- Configure the
Tunnel ID Format
and Passphrase
.
- Click
Next
.
Secure Access - Tunnel Groups - Tunnel ID and Passphrase
- Configure the IP address ranges or hosts that you have configured on your network and want to pass the traffic through Secure Access.
- Click
Save
.
Secure Access - Tunnel Groups - Routing Options
After you click on Save
the information about the tunnel gets displayed, please save that information for the next step, Configure the tunnel on Sophos
.
Tunnel Data
Secure Access - Tunnel Groups - Resume of configuration
Configure the Tunnel on Sophos
Configure IPsec Profile
In order to configure the IPsec Profile, navigate to your Sophos XG Firewall.
You obtain something similar to this:
Sophos - Admin Panel
- Navigate to
Profiles
- Click on
IPsec Profiles
and after that click onAdd
Sophos - IPsec Profiles
Under General Settings
configure:
Name
: A reference name to the Cisco Secure Access Policy
Key Exchange
: IKEv2
Authentication Mode
: Main Mode
Key Negotiation Tries
: 0
Re-Key connection
: Check the option
Sophos - IPsec Profiles - General Settings
Under Phase 1
configure:
Key Life
: 28800
DH group(key group)
: Select 19 and 20
Encryption
: AES256
Authentication
: SHA2 256
Re-key margin
: 360 (Default)
Randomize re-keying margin by
: 50 (Default)
Sophos - IPsec Profiles - Phase 1
Under Phase 2
configure:
PFS group (DH group)
: Same as phase-I
Key life
: 3600
Encryption
: AES 256
Authentication
: SHA2 256
Sophos - IPsec Profiles - Phase 2
Under Dead Peer Detection
configure:
Dead Peer Detection
: Check the option
Check peer after every
: 10
Wait for response up to
: 120 (Default)
When peer unreachable
: Re-initiate (Default)
Sophos - IPsec Profiles - Dead Peer Detection
After that click on Save and proceed with the next step, Configure Site-to-site VPN
.
Configure Site-to-site VPN
To initiate the configuration of the VPN, click on Site-to-site VPN
and click on Add
.
Sophos - Site-to-site VPN
Under General Settings
configure:
Name
: A reference name to the Cisco Secure Access IPsec Policy
IP version
: IPv4
Connection type
: Tunnel interface
Gateway type
: Initiate the connection
Active on save
: Check the option
Note: The option Active on save
enables the VPN automatically after you end up configuring the site-to-site VPN.
Sophos - Site-to-site VPN - General Settings
Note: The option Tunnel interface creates a virtual tunnel interface for the Sophos XG Firewall with the name XFRM.
Under Encryption
configure:
Sophos - Site-to-site VPN - Encryption
Under Gateway Settings
configure Local Gateway
and Remote Gateway
options, use this table as a reference.
Local Gateway
|
Remote Gateway
|
Listening interface
Your Wan-Internet Interface
|
Gateway address
The public IP generated under the step, Tunnel Data
|
Local ID type Email
|
Remote ID type
IP address
|
Local ID The Email generated under the step, Tunnel Data
|
Remote ID
The public IP generated under the step, Tunnel Data
|
Local subnet Any
|
Remote Subnet
Any
|
Sophos - Site-to-site VPN - Gateway Settings
After that click on Save
, and you can see that the tunnel was created.
Sophos - Site-to-site VPN - IPsec Connections
Note: To check if the tunnel is correctly enabled on the last image you can check Connection
status, if it is green, the tunnel is connected if it is not green the tunnel is not connected.
To check if a tunnel is established navigate to Current Activities > IPsec Connections
.
Sophos - Monitor and Analyze - IPsec
Sophos - Monitor and Analyze - IPsec before and after
After that, we can continue with the step, Configure Tunnel Interface Gateway
.
Configure Tunnel Interface
Navigate to Network
and check your WAN
interface configured on the VPN to edit the virtual tunnel interface with the name xfrm
.
- Click on the
xfrm
interface.
Sophos - Network - Tunnel Interface
- Configure the interface with an IP non-routable in your network, for example, you can use 169.254.x.x/30 which is an IP in a non-routable space usually, in our example we use 169.254.0.1/30
Sophos - Network - Tunnel Interface - Configuration
Configure the Gateways
In order to configure the gateway for the virtual interface (xfrm
)
- Navigate to
Routing > Gateways
- Click
Add
Sophos - Routing - Gateways
Under Gateway host
configure:
Name
: A name that makes reference to the virtual interface created for the VPN
Gateway IP
: In our case 169.254.0.2, that is the IP under the network 169.254.0.1/30 that already we assigned under the step, Configure Tunnel Interface
Interface
: VPN Virtual Interface
Zone
: None (Default)
Sophos - Routing - Gateways - Gateway Host
- Under
Health check
disable the check
- Click
Save
Sophos - Routing - Gateways - Health-check
You can observe the status of the gateway after you save the configuration:
Sophos - Routing - Gateways - Status
Configure the SD-WAN Route
To finalize the process of configuration, you need to create the route that permits you to forward the traffic to Secure Access.
Navigate to Routing > SD-WAN routes.
Sophos - SD-Wan Routes
Under Traffic Selector
configure:
Incoming interface
: Select the interface from where you want to send the traffic or the users that access from RA-VPN, ZTNA, or Clientless-ZTNA
DSCP marking
: Nothing for this example
Source networks
: Select the address that you want to route through the tunnel
Destination networks
: Any or you can specify a destination
Services
: Any or you can specify the services
Application object
: An application if you have the object configured
User or groups
: If you want to add a specific group of users to route the traffic to Secure Access
Sophos - SD-Wan Routes - Traffic Selector
Under Link selection settings
configure the gateway:
Primary and Backup gateways
: Check the option
Primary gateway
: Select the gateway configured under the step, Configure the Gateways
- Click on
Save
Sophos - SD-Wan Routes - Traffic Selector - Primary and Backup gateways
After you finalize the configuration on the Sophos XG Firewall you can proceed with the step, Configure Private App.
Configure Private App
In order to configure the Private App access, log in to the Admin Portal.
- Navigate to
Resources > Private Resources
Secure Access - Private Resources
Secure Access - Private Resources 2
- Under
General
Configure the Private Resource Name
Secure Access - Private Resources - General
Under Communication with Secure Access Cloud
configure:
Internally reachable address (FQDN, Wildcard FQDN, IP Address, CIDR)
: Select the resource that you want to access
Protocol
: Select the protocol that you use to access that resource
Port / Ranges
: Select the ports that you need to enable to access the app
Secure Access - Private Resources - Communications with Secure Access Cloud
Within Endpoint Connection Methods
, you configure all the ways possible to access private resources via Secure Access, and choose the methods that you want to use for your environment:
Zero-trust connections
: Check the box to enable ZTNA access.
Client-based connection
: Enable the button to permit client base ZTNA
Remotely Reachable Address
: Configure the IP of your private App
Browser-based connection
: Enable the button to permit browser-based ZTNA
Public URL for this resource
: Add a name to use in conjunction with the domain ztna.sse.cisco.com
Protocol
: Choose HTTP or HTTPS as a protocol to access through the browser
VPN connections
: Check the box to enable RA-VPN Access.
- Click
Save
Secure Access - Private Resources - Communications with Secure Access Cloud 2
After the configuration is complete, this is the result:
Secure Access - Private Resources Configured
Now you can proceed with the step, Configure the Access Policy
.
Configure the Access Policy
In order to configure the access policy navigate to Secure > Access Policy
.
Secure Access - Access Policy
- Click
Add Rule > Private Access
Secure Access - Access Policy - Private Access
Configure the next options to provide access through multiple methods of authentication:
1. Specify Access
Action
: Allow
Rule name
: Specify a name for your access rule
From
: The users that you grant access to
To
: The application that you wanted to permit access
Endpoint Requirements
: (Default)
- Click
Next
Secure Access - Access Policy - Specify Access
Note: For step 2. Configure Security
as needed, but in this case, you did not enable the Intrusion Prevention (IPS)
, or Tenant Control Profile
.
- Click
Save
, and you have:
Secure Access - Access Policy Configured
After that, you can proceed with the step Verify
.
Verify
In order to verify the access you must have installed the agent of Cisco Secure Client that you can download from Software Download - Cisco Secure Client.
RA-VPN
Login through Cisco Secure Client Agent-VPN.
Secure Client - VPN
- Authenticate through your SSO provider
Secure Access - VPN - SSO
- After you get authenticated, access to the resource:
Secure Access - VPN - Authenticated
Navigate to Monitor > Activity Search
:
Secure Access - Activity Search - RA-VPN
You are able to see the user was allowed to authenticate through RA-VPN.
Client-Base ZTNA
Login through Cisco Secure Client Agent - ZTNA.
Secure Client - ZTNA
- Enroll with your username.
Secure Client - ZTNA - Enroll
- Authenticate in your SSO Provider
Secure Client - ZTNA - SSO Login
- After you get authenticated, access to the resource:
Secure Access - ZTNA - Logged
Navigate to Monitor > Activity Search
:
Secure Access - Activity Search - ZTNA Client-Based
You are able to see the user was allowed to authenticate through client-based ZTNA.
Browser-based ZTNA
In order to get the URL, you need to go to Resources > Private Resources
.
Secure Access - Private Resource
Secure Access - Private Resource - SplunkSophos
Secure Access - Private Resource - Scroll Down
- You find Browser-based ZTNA
Secure Access - Private Resource - Browser-Based ZTNA URL
- Copy the URL put it on the browser and press enter, it redirects you to the SSO
Browser-Based ZTNA
- After you log in, you gain access to your device through browser-based ZTNA
Browser-Based - ZTNA - Logged
- Navigate to
Monitor > Activity Search
:
Secure Access - Activity Search - ZTNA Browser-Based
You are able to see the user was allowed to authenticate through browser-based ZTNA.
Related Information