Configure Tunnels Automatically with Cisco ASA and CDO

Cisco Defense Orchestrator (CDO) is a cloud-based security policy and device manager designed to unify policies across your Cisco firewalls. You can use CDO to deploy and manage IPsec tunnels to Umbrella.

Table of Contents


  • Cisco ASA (v9.1.2+) device with a static public IP (NAT and/or dynamic IPs not supported).
  • Cisco Umbrella SIG Essentials, SIG Advanced or SIG Add-On subscription, or a free SIG trial.
  • Cisco ASA Base or Security Plus license to establish an IPsec tunnel.
  • Cisco Defense Orchestrator license. For more information, see Licenses.
  • Legacy Umbrella Management API key and secret. For information about how to create legacy Umbrella API Management credentials, see Add Umbrella Legacy API Keys.

Onboard an Umbrella Organization

For full instructions, see Onboard an Umbrella Organization.

View Tunnels from Umbrella to CDO

ASA network tunnels created by CDO contain a View in CDO link in the Umbrella dashboard that automatically takes you to the appropriate CDO tenant.

  1. In Umbrella, navigate to Deployments > Core Identities > Network Tunnels and find an ASA network tunnel created in CDO.
  2. Click the action menu and select View in CDO in the drop-down menu. You are redirected to the tunnel in the CDO dashboard.

A corresponding cross-launch feature is available in CDO to automatically bring you to your Cisco Umbrella dashboard for managing tunnels and policies.

Configure IKEv2 IPsec Tunnel with Umbrella < Configure Tunnels Automatically with Cisco ASA and CDO > Configure Tunnels with Cisco Secure Firewall