Set up a VPN from a Firebox to a Cisco ISR Device

A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This document tells you how to define a manual BOVPN tunnel between a WatchGuard Firebox and a Cisco Integrated Services Router (877 DSL Modem in this example). The configuration assumes connectivity is already established between the external interfaces of each device. The Cisco device in this example is configured as a split tunnel.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

Collect IP Address and Tunnel Settings

To create a manual BOVPN tunnel, the first thing you must do is collect the IP addresses and decide the settings that the endpoints will use.

In this example, the two devices use these network settings:

Firebox:

External interface IP address: 203.0.113.2

Trusted network IP address: 192.168.20.0/24

Cisco ISR device:

External interface IP address: 198.51.100.2

Private network IP address: 192.168.1.0/24

In this example, both endpoints have static external IP addresses. For information about branch office VPNs to a device that has a dynamic external IP address, see Define Gateway Endpoints for a BOVPN Gateway.

You also need to choose what Phase 1 and Phase 2 settings to use. In this example, we use the default Phase 1 and Phase 2 VPN configuration settings on the Firebox. We then configure the VPN configuration settings on the Cisco ISR device to match the default settings on the Firebox.

Make sure that you configure the VPN endpoints correctly and that the Phase 1 and Phase 2 settings are the same on both devices. Tunnels cannot be created if the settings do not match.

Configure the WatchGuard Device

On the Firebox, you must add a VPN gateway, and add a VPN tunnel that uses that gateway.

Add the VPN Gateway

Add the Branch Office VPN Tunnel

Configure the Cisco ISR Device

Use these steps to set up the VPN gateway and tunnel on the Cisco ISR device.

  1. Log in to the Cisco CLI Enable Mode and enter configuration mode (conf t).
  2. If necessary, modify access-lists used for NAT, to prevent translation of VPN traffic:

Router(config)#ip access-list extended NAT_ACL

Router(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255

Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any

Router(config-ext-nacl)#end

Router#conf t

Router(config)#ip nat inside source list NAT_ACL interface Dialer0 overload (replace Dialer0 with the interface connected to the Internet)

  1. Configure Phase 1 settings.

Router(config)#crypto isakmp policy 1

Router(config-isakmp)#encryption 3des

Router(config-isakmp)#group 2

Router(config-isakmp)#hash sha

Router(config-isakmp)#authentication pre-share

Router(config-isakmp)#end

Router#conf t

Router(config)#crypto isakmp key 0 Password1! address 203.0.113.2

  1. Configure Phase 2 settings.

Router(config)#crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac

Router(config)#crypto map towatchguard 1 ipsec-isakmp

Router(config-crypto-map)#description tunnel_to_watchguard

Router(config-crypto-map)#set peer 203.0.113.2

Router(config-crypto-map)#set security-association lifetime kilobytes 1280000

Router(config-crypto-map)#set security-association lifetime seconds 86400

Router(config-crypto-map)#set transform-set vpn

Router(config-crypto-map)#match address 100 (remember to create access-list 100)

Router(config-crypto-map)#reverse-route

  1. Add the access list 100:

Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255

  1. Add the VPN to the interface:

Router(config)#interface Dialer0 (replace Dialer0 with the interface connected to the Internet)

Router(config-if)#crypto map vpn

  1. Save the configuration to the Cisco (write mem)

Troubleshoot the VPN Tunnel

To troubleshoot VPN connectivity from the Cisco device, use these commands in the Cisco CLI:

Router#clear crypto sessions (Resets the SA manually)

Router#debug crypto isakmp

Router#debug crypto ipsec

To troubleshoot the VPN tunnel from the Firebox, you can run the VPN Diagnostic Report.

For more information, see Use the VPN Diagnostic Report

Give Us Feedback     Get Support     All Product Documentation     Technical Search