Set up a VPN from a Firebox to a Cisco ASA Device
A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This document tells you how to define a manual BOVPN tunnel between a Firebox and a Cisco ASA (8.6(1)2) device. Before you create a BOVPN tunnel, you must collect the IP addresses from each endpoint and agree on the common tunnel settings to use.
This topic does not give detailed information on what the different BOVPN settings mean, or the effects those settings can have on the tunnel that is built. If you want to know more about a particular setting, use these resources:
WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.
VPN Configuration Summary
For reference purposes, here is a summary of the VPN configuration defaults for the Cisco ASA device, with emphasis on any settings that do not match the default VPN configuration settings in Fireware v11.12.4.
In Fireware v12.0 and higher, the default BOVPN security settings are different. To determine whether those settings are compatible with your Cisco device, see the documentation for your Cisco device.
| VPN Settings | WatchGuard Device Default (v11.12.4) | Cisco ASA Device Default (8.6(1)2) | Matched? |
|---|---|---|---|
| Phase 1 Settings | | | |
| IKE Exchange Mode | Main | Main + IKEv2 | N |
| Authentication | SHA1 | * See below | Y |
| Encryption | 3DES | * See below | Y |
| Diffie-Hellman Group | 2 | 2 | Y |
| Phase 2 Settings | | | |
| Perfect Forward Secrecy | No | Yes | N |
| Protocol | ESP | ESP | Y |
| Authentication | SHA1 | * See below | Y |
| Encryption | AES (256-bit) | * See below | N |
* For both Phase 1 and Phase 2, the Cisco ASA has a wide variety of proposals. The default settings for your Firebox will match one of the proposals, but if you do not remove the other proposals from the Cisco configuration the Firebox might create log messages during VPN negotiations that indicate failure, even when the VPN is successfully established.
In most VPN configurations, you can leave the tunnel timeout values for Phase 1 and 2 at their default values, as long as all other settings match. In some cases, VPN negotiations with Cisco ASA devices will fail when the Firebox is the initiator. For this reason, you might want to set the timeout value in the Cisco ASA VPN configuration to a lower value than the default timeout on the Firebox.
Collect IP Address and Tunnel Settings
To create a manual BOVPN tunnel, the first thing you must do is collect the IP addresses and decide the settings that the endpoints will use.
Before you can configure a branch office VPN, you must collect the public IP addresses of each device, and the IP addresses of the private networks you want to connect. You must also choose the Phase 1 and Phase 2 settings to use for the VPN. This procedure describes how to configure a Firebox with the Phase 1 and Phase 2 settings that match the default settings on a Cisco device.
For example, the IP address settings you collect could look like this:
WatchGuard Firebox:
External interface IP address: 203.0.113.2
Trusted network IP address: 10.0.1.0/24
Cisco ASA device:
External interface IP address: 198.51.100.2
Private network IP address: 10.50.1.0/24
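The following pre-flight check is an added example, not part of the WatchGuard document: it takes the example addresses collected above together with the Phase 2 settings from the summary table and checks what a practitioner would verify before building the tunnel: the shared key is standard ASCII, the endpoint addresses are not RFC 1918 private addresses, the two tunnel routes do not overlap, and the Cisco proposal list contains exactly one entry that matches the Firebox default. The ASA proposal names and the Python dictionaries are assumptions constructed for the example.

```python
import ipaddress
import string

# Constructed sample values, taken from the worked example in the text.
FIREBOX = {"public_ip": "203.0.113.2", "network": "10.0.1.0/24"}
CISCO_ASA = {"public_ip": "198.51.100.2", "network": "10.50.1.0/24"}

# Firebox v11.12.4 Phase 2 default (ESP, SHA1, AES-256) and a constructed
# subset of ASA IPsec proposals, named as ASDM shows them (hypothetical list).
FIREBOX_PHASE2 = ("esp", "sha", "aes-256")
ASA_PHASE2 = {
    "ESP-AES-128-SHA": ("esp", "sha", "aes-128"),
    "ESP-AES-256-SHA": ("esp", "sha", "aes-256"),
    "ESP-3DES-SHA": ("esp", "sha", "3des"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_psk(psk: str) -> list[str]:
    """The shared key must use only standard (printable 7-bit) ASCII characters."""
    bad = sorted({c for c in psk if not 32 <= ord(c) < 127})
    return [f"non-ASCII or control character in PSK: {c!r}" for c in bad]


def check_addresses(local: dict, remote: dict) -> list[str]:
    """Endpoints must be public addresses and the two private networks must not overlap."""
    problems = []
    for side in (local, remote):
        ip = ipaddress.ip_address(side["public_ip"])
        if any(ip in net for net in RFC1918):
            problems.append(f"{ip} is an RFC 1918 private address, not a public endpoint")
    a = ipaddress.ip_network(local["network"])
    b = ipaddress.ip_network(remote["network"])
    if a.overlaps(b):
        problems.append(f"tunnel routes overlap: {a} and {b}")
    return problems


def match_phase2(firebox: tuple, asa: dict) -> tuple[list[str], list[str]]:
    """Return (ASA proposals that match the Firebox, ASA proposals to remove)."""
    matched = [name for name, p in asa.items() if p == firebox]
    extra = [name for name in asa if name not in matched]
    return matched, extra


def preflight(psk: str) -> list[str]:
    """Collect every problem found; an empty list means the settings are consistent."""
    problems = check_psk(psk) + check_addresses(FIREBOX, CISCO_ASA)
    matched, extra = match_phase2(FIREBOX_PHASE2, ASA_PHASE2)
    if not matched:
        problems.append("no ASA IPsec proposal matches the Firebox Phase 2 settings")
    problems += [f"remove ASA proposal {n} to avoid failure log messages on the Firebox" for n in extra]
    return problems
```

Running `preflight("<your key>")` with the values above reports only the two surplus ASA proposals, which is the same cleanup the Cisco procedure later asks for.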
Configure the WatchGuard Device
On the Firebox you add a VPN gateway, and add a VPN tunnel that uses that gateway.
Add the VPN Gateway
- Select VPN > Branch Office VPN.
- Below the Gateways list, click Add.
The Gateway settings page appears.
- Select Use Pre-Shared Key. Type the shared key.
The shared key must use only standard ASCII characters. It must match the key used on the Cisco device.
- Below the Gateway Endpoint list, click Add.
The Gateway Endpoint Settings dialog box appears.
- From the External Interface drop-down list, select the external interface that has the public IP address.
- Select By IP Address. Type the external (public) IP address for the Firebox.
- Select the Remote Gateway tab.
- In the Specify the remote gateway IP address for a tunnel section, select Static IP Address. Type the external (public) IP address of the Cisco device.
- In the Specify the gateway ID for tunnel authentication section, select By IP Address. Type the public IP address of the Cisco device.
- Click OK to close the Gateway Endpoint Settings dialog box.
The gateway pair you defined appears in the list of gateway endpoints.
- In Policy Manager, select VPN > Branch Office Gateways.
- Click Add.
The New Gateway dialog box appears.
- In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
- Select Use Pre-Shared Key. Type the shared key.
The shared key must use only standard ASCII characters. It must match the key used on the Cisco device.
- In the Gateway Endpoints section, click Add.
The New Gateway Endpoints settings dialog box appears.
- From the External Interface drop-down list, select the external interface that has the public IP address.
- In the Local Gateway section, select By IP Address.
- From the IP Address drop-down list, select the external (public) IP address for the device.
- In the Specify the remote gateway IP address for a tunnel section, select Static IP Address. Type the external (public) IP address of the Cisco device.
- In the Specify the gateway ID for tunnel authentication section, select By IP Address. Type the public IP address of the Cisco device.
- Click OK.
The gateway endpoint pair you defined appears in the list of gateway endpoints.
- Click OK to add the gateway.
- Click Close.
Add the VPN Tunnel
- Select VPN > Branch Office.
- Below the Tunnels list, click Add.
- In the Name text box, type a meaningful name for this tunnel.
- From the Gateway drop-down list, select the gateway you configured to the Cisco device.
- Below the Addresses list, click Add.
The Tunnel Route Settings dialog box appears.
- In the Local IP settings, from the Choose Type drop-down list, select Network IPv4. Type the network IP address for the local network that you want to use the VPN tunnel.
- In the Remote IP settings, from the Choose Type drop-down list, select Network IPv4. Type the network IP address for the private network on the Cisco device that you want to use the VPN tunnel.
- Click OK to add the tunnel route.
The tunnel route is added to the Addresses tab of the tunnel configuration.
- Click Save.
The tunnel route configuration is added to the Tunnels list.
- In Policy Manager, select VPN > Branch Office Tunnels.
The Branch Office IPSec Tunnels dialog box appears.
- Click Add.
The New Tunnel dialog box appears.
- In the Tunnel Name text box, type a meaningful name for this tunnel.
- From the Gateway drop-down list, select the gateway you configured to the Cisco device.
- Click Add to add a tunnel route.
The Tunnel Route Settings dialog box appears.
- In the Local text box, type the network IP address for the local network that you want to use the VPN tunnel.
- In the Remote text box, type the network IP address for the private network on the Cisco device that you want to use the VPN tunnel.
- Click OK to add the tunnel route.
The tunnel route is added to the Addresses tab of the New Tunnel dialog box.
- Click OK to add the new tunnel to the configuration.
- Click Close to close the Branch Office IPSec Tunnels dialog box.
- Select File > Save > To Firebox to save the configuration to your device.
Configure the Cisco ASA Device
This procedure describes how to manually configure the VPN settings for the Cisco ASA device in the ASDM interface. If you prefer the terminal interface for this device, please consult Cisco product documentation for assistance.
Create Address Objects for the Cisco and WatchGuard Subnets
The Cisco device makes use of address objects for policy and VPN configuration. These address objects are very similar to aliases on a Firebox.
To create address objects in the configuration section of the ASDM interface:
- From the sidebar menu, select Firewall.
- In the Firewall menu, select Objects > Network Objects/Groups.
- Click Add > Network Object.
The Add Network Object dialog box appears.
- In the Name text box, type a meaningful name for the local network behind the Firebox.
- From the Type drop-down list, select Network.
- In the IP Address text box, type the subnet ID for the local network connected to the Firebox.
- In the Netmask text box, type the subnet mask for the local network connected to the Firebox.
- Click OK to complete the Network Object configuration.
If you have not already configured a Network Object for the local network connected to the Cisco ASA device, repeat these steps to create one. Use the IP address and Netmask for the local network connected to the Cisco device.
Configure a Connection Profile
In the configuration section of the ASDM interface:
- From the sidebar menu, select Site-to-Site VPN.
- Under Connection Profiles, click Add.
The Add IPsec Site-to-Site Connection Profile dialog box appears.
- In the Peer IP Address text box, type the public IP address of the external interface on the Firebox.
- From the Interface drop-down list, select the external interface the VPN tunnel will use on the Cisco device.
- In the Local Network text box, type the network IP address of the network behind the Cisco device, or click the adjacent button to select the network object you defined for the local network.
- In the Remote Network text box, type the network IP address of the network behind the Firebox, or click the adjacent button to select the network object you defined for the WatchGuard network.
- Clear the Enable IKE v2 check box.
- In the Pre-shared key text box in the IKE v1 Settings tab of the IPsec Settings section, type the pre-shared key you configured for this gateway on the Firebox.
- In the IPsec Proposal text box, remove every entry except ESP-AES-256-SHA. This reduces the number of VPN error messages that appear in the Firebox log file.
- Click OK to complete the VPN configuration.
If you want to make any changes to the Advanced settings for this connection profile, click OK and then re-open the profile. Some options in the Basic section revert to their default settings if you edit the Advanced settings before you save the connection profile.
- Click Apply to save the changes to your running configuration.
Changes you make to the running configuration do not persist through a reboot of the Cisco device. To commit these changes to the permanent flash memory, click the Save icon at the top of the ASDM interface.
After you complete the VPN configuration on the WatchGuard and Cisco devices, a host in either network must send traffic to the remote network to initiate VPN tunnel negotiations.