Set up a VPN from a Firebox to a Cisco ASA Device

A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This document tells you how to define a manual BOVPN tunnel between a Firebox and a Cisco ASA (8.6(1)2) device. Before you create a BOVPN tunnel, you must collect the IP addresses from each endpoint and agree on the common tunnel settings to use.

This topic does not give detailed information on what the different BOVPN settings mean, or the effects those settings can have on the tunnel that is built. If you want to know more about a particular setting, use these resources:

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

VPN Configuration Summary

For reference purposes, here is a summary of the VPN configuration defaults for the Cisco ASA device, with emphasis on any settings that do not match the default VPN configuration settings in Fireware XTM.

| VPN Settings | WatchGuard Device Default | Cisco ASA Device Default | Matched? |
|---|---|---|---|
| Phase 1 Settings | | | |
| IKE Exchange Mode | Main | Main + IKEv2 | N |
| Authentication | SHA1 | * See below | Y |
| Encryption | 3DES | * See below | Y |
| Diffie-Hellman Group | 2 | 2 | Y |
| Phase 2 Settings | | | |
| Perfect Forward Secrecy | No | Yes | N |
| Protocol | ESP | ESP | Y |
| Authentication | SHA1 | * See below | Y |
| Encryption | AES (256-bit) | * See below | N |

* On both Phase 1 and Phase 2, the Cisco ASA has a wide variety of proposals. The default settings for your Firebox will match one of the proposals, but if you do not remove the other proposals from the Cisco configuration the Firebox might create log messages during VPN negotiations that indicate failure, even when the VPN is successfully established.

In most VPN configurations, you can leave the tunnel timeout values for Phase 1 and 2 at their default values, as long as all other settings match. In some cases, VPN negotiations with Cisco ASA devices will fail when the Firebox is the initiator. For this reason, you might want to set the timeout value in the Cisco ASA VPN configuration to a lower value than the default timeout on the Firebox.
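The summary table and the note about extra proposals describe two different outcomes: a setting with no common value stops the tunnel from coming up, while a matching value that sits beside extra proposals lets the tunnel establish but produces failure log messages on the Firebox. The following added example (written for this page, not WatchGuard or Cisco code) models both endpoints' Phase 1 and Phase 2 settings and separates the two cases into errors and warnings. The Cisco ASA proposal lists and the `CISCO_ASA_TUNED` profile are constructed assumptions that follow the shape described above; the real ASA default lists are longer.

```python
# Added example: compare the Phase 1 / Phase 2 settings of two BOVPN endpoints.
#   "error"   -> no common value, the tunnel will not negotiate
#   "warning" -> a common value exists but the peer offers extra proposals
#                (tunnel establishes, Firebox may log negotiation failures)
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Proposal:
    """One authentication/encryption pair offered in a phase."""
    auth: str
    enc: str

    def __str__(self) -> str:
        return f"{self.enc}/{self.auth}"


@dataclass(frozen=True)
class Phase1:
    exchange_modes: FrozenSet[str]   # e.g. {"ikev1-main"} or {"ikev1-main", "ikev2"}
    proposals: Tuple[Proposal, ...]
    dh_group: int


@dataclass(frozen=True)
class Phase2:
    pfs: bool
    protocol: str
    proposals: Tuple[Proposal, ...]


@dataclass(frozen=True)
class Endpoint:
    name: str
    p1: Phase1
    p2: Phase2


Finding = Tuple[str, str]  # (severity, message)

# Firebox defaults as listed in the summary table.
FIREBOX_DEFAULT = Endpoint(
    "Firebox",
    Phase1(frozenset({"ikev1-main"}), (Proposal("SHA1", "3DES"),), 2),
    Phase2(False, "ESP", (Proposal("SHA1", "AES256"),)),
)

# Constructed stand-in for the ASA defaults: IKEv1 main + IKEv2, PFS on, and
# proposal lists that contain the Firebox defaults plus extra entries.
CISCO_ASA_DEFAULT = Endpoint(
    "Cisco ASA",
    Phase1(frozenset({"ikev1-main", "ikev2"}),
           (Proposal("SHA1", "3DES"), Proposal("SHA1", "AES256"), Proposal("MD5", "DES")), 2),
    Phase2(True, "ESP",
           (Proposal("SHA1", "AES256"), Proposal("SHA1", "3DES"), Proposal("MD5", "DES"))),
)

# Constructed ASA profile after the ASDM steps in this document: IKEv2 cleared,
# one Phase 1 policy, PFS off, only ESP-AES-256-SHA left as the IPsec proposal.
CISCO_ASA_TUNED = Endpoint(
    "Cisco ASA",
    Phase1(frozenset({"ikev1-main"}), (Proposal("SHA1", "3DES"),), 2),
    Phase2(False, "ESP", (Proposal("SHA1", "AES256"),)),
)


def _fmt(props) -> str:
    return ", ".join(str(p) for p in props)


def _compare_proposals(phase: str, local: Endpoint, peer: Endpoint,
                       local_props, peer_props) -> List[Finding]:
    """Error if no proposal is shared; warning if the peer offers extras."""
    common = [p for p in local_props if p in peer_props]
    if not common:
        return [("error", f"{phase}: no common proposal; {local.name} offers "
                          f"{_fmt(local_props)}, {peer.name} offers {_fmt(peer_props)}")]
    extra = [p for p in peer_props if p not in local_props]
    if extra:
        return [("warning", f"{phase}: {peer.name} also offers {_fmt(extra)}; {common[0]} "
                            f"will be selected but the Firebox may log failures for the rest")]
    return []


def compare(local: Endpoint, peer: Endpoint) -> List[Finding]:
    """Return every mismatch between two endpoints, phase by phase."""
    findings: List[Finding] = []
    one_sided = local.p1.exchange_modes ^ peer.p1.exchange_modes
    if one_sided:
        findings.append(("error", f"Phase 1: exchange mode(s) {', '.join(sorted(one_sided))} "
                                  f"enabled on one side only"))
    findings += _compare_proposals("Phase 1", local, peer, local.p1.proposals, peer.p1.proposals)
    if local.p1.dh_group != peer.p1.dh_group:
        findings.append(("error", f"Phase 1: DH group {local.p1.dh_group} vs {peer.p1.dh_group}"))
    if local.p2.pfs != peer.p2.pfs:
        findings.append(("error", f"Phase 2: PFS {'on' if local.p2.pfs else 'off'} on {local.name} "
                                  f"vs {'on' if peer.p2.pfs else 'off'} on {peer.name}"))
    if local.p2.protocol != peer.p2.protocol:
        findings.append(("error", f"Phase 2: protocol {local.p2.protocol} vs {peer.p2.protocol}"))
    findings += _compare_proposals("Phase 2", local, peer, local.p2.proposals, peer.p2.proposals)
    return findings


def has_errors(findings: List[Finding]) -> bool:
    return any(sev == "error" for sev, _ in findings)


if __name__ == "__main__":
    for peer in (CISCO_ASA_DEFAULT, CISCO_ASA_TUNED):
        print(f"--- {FIREBOX_DEFAULT.name} vs {peer.name} ---")
        for sev, msg in compare(FIREBOX_DEFAULT, peer) or [("ok", "all settings match")]:
            print(f"[{sev}] {msg}")
```

Run against the constructed defaults, the checker reports the two table mismatches (exchange mode and PFS) as errors and the extra proposals in each phase as warnings; against the tuned profile it reports nothing. Whether you clear PFS on the ASA or enable it on the Firebox, the check only cares that both sides agree.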

Collect IP Address and Tunnel Settings

To create a manual BOVPN tunnel, the first thing you must do is collect the IP addresses and decide the settings that the endpoints will use.

Before you can configure a branch office VPN, you must collect the public IP addresses of each device, and the IP addresses of the private networks you want to connect. You must also choose the Phase 1 and Phase 2 settings to use for the VPN. This procedure describes how to configure a Firebox with the Phase 1 and Phase 2 settings that match the default settings on a Cisco device.

For example, the IP address settings you collect could look like this:

WatchGuard Firebox:

External interface IP address: 203.0.113.2

Trusted network IP address: 10.0.1.0/24

Cisco ASA device:

External interface IP address: 198.51.100.2

Private network IP address: 10.50.1.0/24

Configure the WatchGuard Device

On the Firebox you add a VPN gateway, and add a VPN tunnel that uses that gateway.

Add the VPN Gateway

Add the VPN Tunnel

Configure the Cisco ASA Device

This procedure describes how to manually configure the VPN settings for the Cisco ASA device in the ASDM interface. If you prefer the terminal interface for this device, please consult Cisco product documentation for assistance.

Create address objects for the Cisco and WatchGuard subnets.

The Cisco device uses address objects for policy and VPN configuration. These address objects are very similar to alias definitions on a Firebox.

To create address objects in the configuration section of the ASDM interface:

  1. From the sidebar menu, select Firewall.
  2. In the Firewall menu, select Objects > Network Objects/Groups.
  3. Click Add > Network Object.
    The Add Network Object dialog box appears.

Screen shot of the Add Network Object dialog box

  4. In the Name text box, type a meaningful name for the local network behind the Firebox.
  5. From the Type drop-down list, select Network.
  6. In the IP Address text box, type the subnet ID for the local network connected to the Firebox.
  7. In the Netmask text box, type the subnet mask for the local network connected to the Firebox.
  8. Click OK to complete the Network Object configuration.

If you have not already configured a Network Object for the local network connected to the Cisco ASA device, repeat these steps to create one. Use the IP address and Netmask for the local network connected to the Cisco device.
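The Add Network Object dialog box asks for the subnet ID and netmask separately, while the addresses you collected are usually written in CIDR notation. The following added example (written for this page, not WatchGuard or Cisco code) derives those two field values from a CIDR string and checks the collected address plan for the mistakes that most often stop a tunnel from passing traffic: a private address entered as the public peer IP, a host address entered where a subnet ID belongs, and local networks on the two sides that overlap. The `PLAN` dictionary is a constructed sample using the example addresses from this document.

```python
# Added example: ASDM Network Object field values and address-plan checks.
import ipaddress
from typing import Dict, List

# RFC 1918 ranges; a peer IP inside them is not reachable across the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan using the example addresses from this document.
PLAN: Dict[str, Dict[str, str]] = {
    "Firebox":   {"public": "203.0.113.2",  "private": "10.0.1.0/24"},
    "Cisco ASA": {"public": "198.51.100.2", "private": "10.50.1.0/24"},
}


def network_object_fields(name: str, cidr: str) -> Dict[str, str]:
    """Values for the ASDM 'Add Network Object' dialog: Type, IP Address (subnet ID), Netmask."""
    net = ipaddress.ip_network(cidr, strict=False)  # a host address is normalised to its subnet ID
    return {"Name": name, "Type": "Network",
            "IP Address": str(net.network_address), "Netmask": str(net.netmask)}


def validate_plan(plan: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems: List[str] = []
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for side, addrs in plan.items():
        pub = ipaddress.ip_address(addrs["public"])
        if any(pub in r for r in RFC1918):
            problems.append(f"{side}: public IP {pub} is an RFC 1918 address; "
                            f"the peer cannot reach it across the Internet")
        try:
            net = ipaddress.ip_network(addrs["private"], strict=True)
        except ValueError:
            problems.append(f"{side}: {addrs['private']} has host bits set; "
                            f"enter the subnet ID, not a host address")
            continue
        if pub in net:
            problems.append(f"{side}: public IP {pub} lies inside its own private network {net}")
        nets[side] = net
    # Each tunnel route is a pair of local/remote networks; overlapping ones will not route.
    sides = list(nets)
    for i, a in enumerate(sides):
        for b in sides[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}; "
                                f"overlapping tunnel networks will not route correctly")
    return problems


if __name__ == "__main__":
    for side, addrs in PLAN.items():
        print(side, network_object_fields(f"{side.replace(' ', '-')}-LAN", addrs["private"]))
    print("problems:", validate_plan(PLAN) or "none")
```

`strict=False` in `network_object_fields` is deliberate: the dialog wants the subnet ID, so a pasted host address such as `10.50.1.7/24` is reduced to `10.50.1.0`. `validate_plan` uses `strict=True` on purpose, because a host address in the plan is usually a transcription error worth reporting rather than silently fixing.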

Configure a Connection Profile

In the configuration section of the ASDM interface:

  1. From the sidebar menu, select Site-to-Site VPN.
  2. Under Connection Profiles, click Add.
    The Add IPsec Site-to-Site Connection Profile dialog box appears.

Screen shot of the Add IPSec Site-to-Site Connection Profile dialog box

  3. In the Peer IP Address text box, type the public IP address of the external interface on the Firebox.
  4. From the Interface drop-down list, select the external interface the VPN tunnel will use on the Cisco device.
  5. In the Local Network text box, type the network IP address of the network behind the Cisco device, or click the adjacent button to select the network object you defined for the local network.
  6. In the Remote Network text box, type the network IP address of the network behind the Firebox, or click the adjacent button to select the network object you defined for the WatchGuard network.
  7. Clear the Enable IKE v2 check box.
  8. In the Pre-shared key text box in the IKE v1 Settings tab of the IPsec Settings section, type the pre-shared key you configured for this gateway on the Firebox.
  9. In the IPsec Proposal text box, remove every entry except ESP-AES-256-SHA. This reduces the number of VPN error messages that appear in the Firebox log file.
  10. Click OK to complete the VPN configuration.

If you want to make any changes to the Advanced settings for this connection profile, click OK and then re-open the profile. Some options in the Basic section revert to their default settings if you edit the Advanced settings before you save the connection profile.

  11. Click Apply to save the changes to your running configuration.

Changes you make to the running configuration do not persist through a reboot of the Cisco device. To commit these changes to the permanent flash memory, click the Save icon at the top of the ASDM interface.

After you complete the VPN configuration on the WatchGuard and Cisco devices, a host in either network must send traffic to the remote network to initiate VPN tunnel negotiations.
