Cisco Secure Connect Reserved IP
What is Reserved IP?
Internet traffic exiting the Cisco Secure Connect cloud goes through a Network Address Translation (NAT) process. Each traffic flow is dynamically mapped to an IP address from a shared pool of IP addresses. Note that private application traffic transiting the Secure Connect cloud between your physical or private cloud sites does not go through the Secure Connect NAT process. By default, your traffic is given an IP address that is shared with other customers. Furthermore, traffic flows from your organization will not necessarily be assigned the same address. This makes it infeasible to implement IP address-based allowlists (whitelists) with your SaaS-based applications and services.
A reserved IP address is a single-tenant IP address that is statically assigned to your internet-bound web traffic for a given data center. This provides your traffic with a unique egress source IP address not shared with other Secure Connect or Umbrella customers.
Reserved IP is an add-on feature to your Secure Connect subscription. The IP address is assigned by Cisco, which is responsible for provisioning the service. There is no end-user configuration of this feature. To request this feature, please contact your Cisco representative.
Guidelines for Implementation
With Reserved IP, there are a few implementation guidelines to note.
1. A reserved IP address is assigned to a single data center. Customers must order a minimum of 2 IP addresses, one for the primary data center and one for the secondary data center in a data center pair. All of the Secure Connect data centers are supported pending approval.
3. To ensure consistent operations in a failover scenario, the same policies should be configured for both Reserved IP addresses.
4. Currently, Reserved IP does not support Anycast routing. Anycast routing is an IP network addressing scheme that allows multiple servers to share the same IP address, so that multiple physical destination servers are logically identified by a single IP address. By default, the Cisco Secure Client VPN client application uses Anycast to select the closest Secure Connect data center. If that data center does not have a Reserved IP address, the client's internet-bound traffic will be mapped to an IP address from the shared pool. The workaround is to have the end user manually select a data center where a Reserved IP address has been provisioned, or, during Remote Access configuration, the administrator should select only the data centers where a Reserved IP address has been provisioned.
5. Only web traffic (HTTP and HTTPS) going through the Secure Web Gateway (SWG) egresses via the Reserved IP.
Guidelines for Testing and Troubleshooting
When testing Reserved IP, the activity reporting capabilities in the Umbrella dashboard, as well as third-party websites, can be used to verify that your traffic is using the Reserved IP address issued to you.
Umbrella Reporting Tools
The Umbrella dashboard can show you extensive detail about your internet-bound traffic, including the egress source IP address. Below are the steps to access that information.
- Access the Umbrella Activity Search page:
  - From the Secure Connect dashboard, go to Secure Connect > Overview and click the total requests count in the top right of the Security card.
  - From the Umbrella dashboard, go to Reports > Core Reports > Activity Search.
- If you are using multiple data centers, you may want to filter on a specific data center. To do that, from the Activity Search page, click the Advanced pull-down menu option in the search window.
- Under Umbrella Egress Data Center, select the data center(s) with Reserved IP address(es).
- From here, you have the option to view the egress source IP address for a single event in the dashboard, or to export the report to a CSV file to view a series of events.
Viewing a Single Event
- In the Activity Search table, click More Actions (“...”) at the end of any row and select View Full Details.
- Scroll down the Full Details panel to “Umbrella Egress IP Address”. This should be the Reserved IP address for that data center; a notation next to the IP address indicates that it is a Reserved IP address.
Viewing Multiple Events
- Because there may be a substantial number of entries, it is recommended that you limit the time range. In the top right corner, click “LAST 24 HOURS”, select “Custom range...”, and choose the desired time range.
- In the top right corner, click “Export CSV”.
- Download the file and open it on your device.
- Below is an example of the CSV view in Microsoft Excel. The IP address(es) in the column “Umbrella Egress IP Address” should be your Reserved IP address(es) for the selected data center(s). (See the "Exceptions" section below to understand when the Reserved IP address is not used.) Unlike the single event view, the export has no field that indicates that the egress address is a Reserved IP address.
Exceptions
Sites and Services Excluded from Reserved IP
Not all traffic will use the Reserved IP address, for various technical reasons. Below is a partial list of domains and services that will not use a Reserved IP address.
- Microsoft domains:
  - update.microsoft.com
  - windowsupdate.com
  - wustat.windows.com
  - download.microsoft.com
  - ntservicepack.microsoft.com
- Select domains from the following services:
  - Apple
  - Cisco Duo
  - Cisco Webex
  - Invafresh (formerly Invatron)
  - Skype
  - Trellix (legacy FireEye subnets)
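The CSV export described under "Viewing Multiple Events" has no field marking an egress address as reserved, and the exceptions above mean a shared-pool address is not always a problem. The following script is an added example (not Cisco's or Umbrella's own code) that audits such an export: it counts rows that used one of your Reserved IPs, separates rows for the listed Microsoft exception domains, and reports the remainder as unexpected egress worth investigating (for instance, a client that Anycast-routed to a data center without a Reserved IP). The Reserved IP values, the sample rows, and the "Domain" and "Identity" column names are constructed assumptions; only the "Umbrella Egress IP Address" column name comes from the page.

```python
import csv
import io
import ipaddress

# Constructed placeholder addresses (TEST-NET ranges), not real Cisco-assigned
# Reserved IPs. One per data center in the pair, as the guidelines require.
RESERVED_IPS = {
    "DC-PRIMARY": "203.0.113.10",
    "DC-SECONDARY": "203.0.113.20",
}

# Microsoft update domains the page lists as never using a Reserved IP.
EXCLUDED_DOMAINS = (
    "update.microsoft.com",
    "windowsupdate.com",
    "wustat.windows.com",
    "download.microsoft.com",
    "ntservicepack.microsoft.com",
)

# "Umbrella Egress IP Address" is the column named on the page; "Domain" and
# "Identity" are assumed names used only for this constructed export.
EGRESS_COL = "Umbrella Egress IP Address"
DOMAIN_COL = "Domain"
IDENTITY_COL = "Identity"


def is_excluded(domain):
    """True if the domain, or a subdomain of it, is on the exclusion list."""
    d = domain.strip().lower().rstrip(".")
    return any(d == e or d.endswith("." + e) for e in EXCLUDED_DOMAINS)


def audit_export(csv_text):
    """Classify every row of an Activity Search CSV export.

    Returns a dict with:
      reserved   - rows whose egress address is one of our Reserved IPs
      excluded   - rows for listed exception domains (shared-pool egress expected)
      unexpected - rows that egressed from a non-reserved address for no known reason
      by_egress  - row count per raw egress value, for a quick overview
    """
    reserved = {ipaddress.ip_address(a) for a in RESERVED_IPS.values()}
    result = {"reserved": 0, "excluded": 0, "unexpected": [], "by_egress": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(EGRESS_COL) or "").strip()
        result["by_egress"][raw] = result["by_egress"].get(raw, 0) + 1
        try:
            egress = ipaddress.ip_address(raw)
        except ValueError:
            egress = None  # blank or malformed field: never matches, so flagged
        if egress in reserved:
            result["reserved"] += 1
        elif is_excluded(row.get(DOMAIN_COL, "")):
            result["excluded"] += 1
        else:
            result["unexpected"].append({
                "identity": row.get(IDENTITY_COL, ""),
                "domain": row.get(DOMAIN_COL, ""),
                "egress": raw,
            })
    return result


# Constructed sample export (four rows) using the columns above.
SAMPLE_CSV = """Date,Identity,Domain,Umbrella Egress IP Address
2024-01-15 09:00:01,alice@example.com,app.example.com,203.0.113.10
2024-01-15 09:00:07,alice@example.com,windowsupdate.com,198.51.100.7
2024-01-15 09:01:12,bob@example.com,mail.example.org,203.0.113.20
2024-01-15 09:02:30,carol@example.com,files.example.net,198.51.100.9
"""

if __name__ == "__main__":
    report = audit_export(SAMPLE_CSV)
    print(f"reserved: {report['reserved']}, excluded: {report['excluded']}")
    for row in report["unexpected"]:
        print("unexpected egress:", row)
```

To use it on a real export, read the downloaded file into `audit_export` and replace the placeholder addresses with the Reserved IPs Cisco issued to you; the "select domains" exceptions for Apple, Duo, Webex and the other listed services are not enumerated on the page, so rows for those services will appear as unexpected until you add the specific domains you observe to `EXCLUDED_DOMAINS`.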
Resources
You can find more information on Reserved IP at:
- Umbrella Reserved IP Documentation - https://docs.umbrella.com/umbrella-user-guide/docs/reserved-ip
- Umbrella Reserved IP Supplemental Terms - https://docs.umbrella.com/umbrella-user-guide/docs/reserved-ip-terms