Creating XaaS Connection (Cisco Secure Access) Resource
This page explains how to create an XaaS Connection to connect to Cisco Secure Access security service/SASE using the OCX Portal.
Connectable Services
By creating an XaaS Connection (Cisco Secure Access), you can establish a secure internet connection through Cisco Secure Access.
Notes
- To use XaaS Connection (Cisco Secure Access), you need to create IPsec Parameters.
- Creating and using IPsec Parameters incurs charges.
Preparation
Before creating an XaaS Connection resource, please confirm the following:
- Your User Role is either admin or user permission.
Procedure for Creating an XaaS Connection Resource
-
Log in to the OCX Portal.
-
From the navigation bar on the left, click [XaaS Connections].
-
From the XaaS Connections list page, click [+Create], select Security Service/SASE from the menu, and choose Cisco Secure Access.
※This refers to the +Create button next to the XaaS Connections heading.
-
You will be redirected to the XaaS Connection resource creation step. Configure the input fields as follows and click [Create].
-
Name
- Enter any name. Using an easily identifiable name makes management easier.
- Maximum 40 characters.
- Whitespace characters at the beginning and end of the resource name are automatically removed.
-
Region
- Select any region from the dropdown options. Please note that the region cannot be changed after creation.
- Region: Tokyo, Osaka
-
Speed (Bandwidth)
- For XaaS Connection (Cisco Secure Access), only 1Gbps speed (bandwidth) is available.
-
Connection Destination XaaS
- Cisco Secure Access selected in step 3 will be displayed.
-
Private IP Address
- Enter the IPv4 address to be used as the gateway for the XaaS connection in CIDR (IPv4/mask) format. (Example: 192.168.0.1/24)
※For IP addresses that cannot be used, please refer to the [Supplementary Information] section.
-
Local ASN
- Enter the AS number to operate on the XaaS Connection. 4-byte ASNs can be used. It operates as eBGP.
※For AS numbers that cannot be used, please refer to the [Supplementary Information] section.
※One or two Local ASN entries will be added to the AS-Path of routing information.
-
A creation confirmation popup will be displayed. Please confirm the creation cost and click [Create].
-
The XaaS Connections list page will be displayed. Once the XaaS Connections resource is created, a global IP address for IPsec tunnel configuration will be assigned. Confirm that the status next to the created resource becomes available.
※You can update the status by clicking [Refresh] in the upper right corner.
※To use XaaS Connection (Cisco Secure Access), you need to create IPsec Parameters.
※Creating and using IPsec Parameters incurs charges.
-
To create IPsec Parameters, refer to the Cisco Secure Access documentation and create a Network Tunnel Group for the IPsec tunnel on the Cisco Secure Access site.
※When creating the Network Tunnel Group, specify the parameters as follows:
- Select "Other" for Device Type.
- Select "IP Address" for Tunnel ID Format and enter the global IP address of the XaaS Connection in IP Address (Primary/Secondary).
- Select "Dynamic routing" for Routing option and enter the Local ASN of the XaaS Connection.
※Please check the information displayed in Data for Tunnel Setup at the end of the Network Tunnel Group creation step.
- The Primary/Secondary Data Center IP Address corresponds to the IP Tunnel Endpoint of the Primary/Secondary IPsec when creating IPsec Parameters.
-
Click the created Network Tunnel Group in the Network Tunnel Groups list and check the BGP Peer (Secure Access) IP Addresses.
This completes the creation of the XaaS Connection resource.
Remarks
Usage Notes
- Since the IPsec tunnel is established between OCX and Cisco Secure Access, configuration on your CPE is not required.
- Network Tunnel Group configuration is required on the Cisco Secure Access portal site.
Global IP Address for IPsec Tunnel Configuration
When you create an XaaS Connection resource, one global IP address is provided per tunnel for IPsec tunnel configuration.
※As stipulated in the XaaS Connection individual terms, this IP address must not be used for any purpose other than IPsec tunnel configuration. We assume no responsibility for communications resulting from use for other purposes. Additionally, if such usage is discovered, we may temporarily suspend or discontinue your use of XaaS Connection.
IP Addresses That Cannot Be Used
-
The following IPv4 address ranges cannot be used for private IP addresses.
Address Range: Notes
- 0.0.0.0/8: RFC1122 this network
- 127.0.0.0/8: RFC1122 localhost
- 192.0.0.0/24: RFC5736 IETF protocol Assignments
- 192.0.2.0/24: RFC5737 TEST-NET-1
- 192.88.99.0/24: RFC7526 6to4 anycast relay
- 198.18.0.0/15: RFC2544 benchmarking
- 198.51.100.0/24: RFC5737 TEST-NET-2
- 203.0.113.0/24: RFC5737 TEST-NET-3
- 240.0.0.0/4: Multicast Address
- 224.0.0.0/4: Multicast Address
ASN That Cannot Be Used
- The following AS numbers are reserved by RFC and cannot be used.
- 0
- 23456
- 65535
- 4294967295
- The following AS numbers cannot be used as Local ASN because they will be used in IPsec Parameter configuration.
- 32644
- 64512
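The input rules above (name length, CIDR-format private IP, unusable address ranges and AS numbers) can be checked before the values are entered in the portal. The following is an added example, not code from OCX or Cisco; the function name `validate_xaas_inputs` is hypothetical, and it assumes the 40-character limit applies to the trimmed name and that any overlap between the gateway's subnet and a listed range is unusable.

```python
import ipaddress

# Ranges the page lists as unusable for the Private IP Address field.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "240.0.0.0/4", "224.0.0.0/4",
)]
RESERVED_ASNS = {0, 23456, 65535, 4294967295}  # reserved by RFC (per the page)
IPSEC_PARAM_ASNS = {32644, 64512}              # used in IPsec Parameter configuration
MAX_NAME_LEN = 40


def validate_xaas_inputs(name, private_ip, local_asn):
    """Return a list of problems; an empty list means the inputs pass the page's rules."""
    problems = []

    # The portal strips leading/trailing whitespace. Assumption: the
    # 40-character limit is applied to the stripped name.
    if len(name.strip()) > MAX_NAME_LEN:
        problems.append(f"name exceeds {MAX_NAME_LEN} characters")

    # Private IP Address must be IPv4 in CIDR form, e.g. 192.168.0.1/24.
    try:
        if "/" not in private_ip:
            raise ValueError("missing mask")
        iface = ipaddress.IPv4Interface(private_ip)
    except ValueError:
        problems.append("private IP is not IPv4 CIDR (IPv4/mask)")
    else:
        # Assumption: any overlap between the gateway's subnet and a
        # listed range makes the address unusable.
        for blocked in BLOCKED_RANGES:
            if iface.network.overlaps(blocked):
                problems.append(f"private IP overlaps unusable range {blocked}")

    # Local ASN: 4-byte values are accepted, minus the two exclusion lists.
    if not isinstance(local_asn, int) or not 0 <= local_asn <= 0xFFFFFFFF:
        problems.append("local ASN is not a 2-byte or 4-byte AS number")
    elif local_asn in RESERVED_ASNS:
        problems.append("local ASN is reserved by RFC")
    elif local_asn in IPSEC_PARAM_ASNS:
        problems.append("local ASN is used in IPsec Parameter configuration")
    return problems
```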