Cisco ASA and Firebox Branch Office VPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Cisco Adaptive Security Appliance (ASA).

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55W
    • Fireware v12.7.1 or higher
  • Cisco ASA 5506-X
    • ASDM v7.15(1)150
    • ASA v9.15(1)16

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Cisco ASA.

The topology for this integration

Configure the Firebox

On the Firebox, configure a BOVPN connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this Branch Office VPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screenshot of Firebox, new diagram1

  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  9. From the External Interface drop-down list, select External.
  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  11. Select By IP Address.
  12. In the adjacent text box, type the primary IP address of the external Firebox interface.

Screenshot of Firebox, new diagram2

  13. Select the Remote Gateway tab.
  14. Select Static IP Address.
  15. In the adjacent text box, type the IP address of your Cisco ASA WAN connection.
  16. Select By IP Address.
  17. In the adjacent text box, type the IP address of your Cisco ASA WAN connection.

Screenshot of Firebox, new diagram3

  18. Click OK.
  19. In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.

Screenshot of Firebox, new diagram4

  20. Select the Phase 1 Settings tab.
  21. From the Version drop-down list, select IKEv2.
  22. Keep all other Phase 1 settings as the default values.

Screenshot of Firebox, new diagram5

  23. Click Save.
  24. In the Tunnels section, click Add.

Screenshot of Firebox, new diagram6

  25. From the Gateway drop-down list, select the gateway that you configured.
  26. In the Addresses section, click Add.

Screenshot of Firebox, new diagram7

  27. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  28. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  29. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  30. In the Network IP text box, type the remote IP segment. This is the network protected by the Cisco ASA.

Screenshot of Firebox, new diagram8

  31. Click OK.
  32. Keep the Phase 2 Settings as the default values.

Screenshot of Firebox, new diagram9

  33. Click Save.

Configure the Cisco ASA

In our example, we configure a Cisco ASA 5506-X.

To configure the basic settings:

  1. Log in to the ASA 5506-X with ASDM. The default IP address is 192.168.1.1.
  2. Configure the ASA 5506-X interfaces. For information about how to configure interfaces, see the Cisco ASA 5506-X documentation.
  3. Select the Enable traffic between two or more interfaces which are configured with same security levels check box.
  4. Click Apply.

Screenshot of Cisco, new diagram1

Next, configure the IPsec VPN settings:

  1. Click Configuration.
  2. Select Site-to-Site VPN > Advanced > IKE Policies.
  3. In the IKEv2 Policies section, click Add.
  4. In the Priority text box, type 1.
  5. From the D-H Group drop-down list, select 14.
  6. From the Encryption drop-down list, select aes-256.
  7. From the Integrity Hash drop-down list, select sha256.
  8. From the Pseudo Random Function (PRF) Hash drop-down list, select sha256.
  9. Keep the default value for all other settings.

Screenshot of Cisco, new diagram2

  10. Click OK.
  11. Click Apply.

Screenshot of Cisco, new diagram3

  12. Select Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets).
  13. In the IKEv2 IPsec Proposals section, click Add.
  14. In the Name text box, type an object name. In our example, we specify the name AES256-SHA256.
  15. From the Encryption drop-down list, select aes-256.
  16. From the Integrity Hash drop-down list, select sha-256.

Screenshot of Cisco, new diagram4

  17. Click OK.
  18. Click Apply.
  19. From the navigation menu, select Configuration > Firewall > Objects > Network Objects/Groups.
  20. Click Add > Network Object.
  21. In the Name text box, type the object name. In our example, we specify the name wg-network.
  22. From the Type drop-down list, select Network.
  23. For IP Version, select IPv4.
  24. In the IP Address text box, type the IP address. In our example, we specify the IP address 192.168.35.0.
  25. In the Netmask text box, type the netmask. In our example, we specify the netmask 255.255.255.0.

Screenshot of Cisco, new diagram5

  26. Click OK.
  27. Repeat Steps 20–26 to create the other network objects.

Screenshot of Cisco, new diagram6

  28. Click Apply.
  29. Select Configuration > Site-to-Site VPN > Connection Profiles.
  30. In the Connection Profiles section, click Add.
  31. In the Peer IP Address text box, type the peer IP address.
  32. From the Interface drop-down list, select outside.
  33. From the Local Network list, select internal-network/24.
  34. From the Remote Network list, select wg-network.
  35. In the IPsec Enabling section, click Manage.
  36. Click Add.
  37. In the Name text box, type the name. In our example, we specify the name GroupPolicy1.
  38. In the Tunneling Protocols section, clear the Inherit check box and select IPsec IKEv2.

Screenshot of Cisco, new diagram7

  39. Click OK > OK.
  40. Select Local Pre-shared Key.
  41. In the adjacent text box, type the pre-shared key.
  42. In the Remote Peer Pre-shared Key text box, type the pre-shared key.

Screenshot of Cisco, new diagram8

  43. For the IKE Policy setting, keep the default value.
  44. From the IPsec Proposal list, select AES256-SHA256.

Screenshot of Cisco, new diagram9

  45. For the Advanced settings, select Advanced > Crypto Map Entry.
  46. In the Perfect Forward Secrecy section, select Enable.
  47. From the Diffie-Hellman Group drop-down list, select group14.
  48. Keep all other settings as the default values.

Screenshot of Cisco, new diagram10

  49. Click OK.
  50. In the Enable interfaces for IPsec access section, select the outside interface and select Allow IKE v2 Access.
  51. Click Apply.

Screenshot of Cisco, new diagram11

  52. From the navigation menu, select Configuration > Firewall > NAT Rules.
  53. Click Add.
  54. In the Match Criteria: Original Packet section, from the Source Interface drop-down list, select internal.
  55. From the Source Address drop-down list, select cisco-network.
  56. From the Destination Interface drop-down list, select outside.
  57. From the Destination Address drop-down list, select wg-network.
  58. Select the Disable Proxy ARP on egress interface check box.
  59. Select the Lookup route table to locate egress interface check box.
  60. Keep all other settings as the default values.

Screenshot of Cisco, new diagram12

  61. Click OK.
  62. Click Apply.
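The ASDM steps above and the Firebox tunnel settings earlier in this guide must mirror each other: the ASA IKEv2 policy, IPsec proposal and PFS group must match what the Firebox proposes, the ASA crypto ACL must be the reverse of the Firebox Local IP / Remote IP pair, and the NAT rule must exempt that pair from translation. The following Python script is an added example, not code from WatchGuard or Cisco, that audits an ASA running-config for exactly these points. ASA_RUNNING_CONFIG is a constructed sample of the CLI that the ASDM steps produce; FIREBOX_TUNNEL holds constructed values for the Firebox side. The ASA-side LAN (10.0.0.0/24) and the Firebox external address (203.0.113.10) are placeholders, because the guide does not state them, and the script assumes the crypto ACL references two `object network` names, as it does in this example.

```python
# Added example (not WatchGuard or Cisco code): cross-check an ASA IKEv2
# site-to-site configuration against the Firebox BOVPN tunnel settings.
import re
from ipaddress import ip_network

# Constructed sample running-config, the CLI equivalent of the ASDM steps in this guide.
# 10.0.0.0/24 (ASA-side LAN) and 203.0.113.10 (Firebox external IP) are placeholders.
ASA_RUNNING_CONFIG = """
object network wg-network
 subnet 192.168.35.0 255.255.255.0
object network cisco-network
 subnet 10.0.0.0 255.255.255.0
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list outside_cryptomap extended permit ip object cisco-network object wg-network
nat (internal,outside) source static cisco-network cisco-network destination static wg-network wg-network no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group14
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map interface outside
"""

# Constructed sample of the Firebox tunnel route (Local IP / Remote IP in the Firebox steps).
FIREBOX_TUNNEL = {"local": "192.168.35.0/24", "remote": "10.0.0.0/24"}

# Phase 1 and Phase 2 parameters this guide configures on the ASA.
EXPECTED_IKEV2 = {"encryption": "aes-256", "integrity": "sha256", "group": "14", "prf": "sha256"}
EXPECTED_PFS = "group14"


def parse_blocks(config, header_re):
    """Return {captured header: [child lines]} for each block whose header matches header_re."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(header_re, line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def network_objects(config):
    """Map ASA 'object network' names to ip_network values (subnet objects only)."""
    objs = {}
    for name, body in parse_blocks(config, r"^object network (\S+)$").items():
        for child in body:
            parts = child.split()
            if parts[0] == "subnet":
                objs[name] = ip_network(f"{parts[1]}/{parts[2]}")
    return objs


def ikev2_policy_findings(config):
    """Flag IKEv2 policies whose algorithms or DH group differ from the guide's values."""
    findings = []
    for prio, body in parse_blocks(config, r"^crypto ikev2 policy (\d+)$").items():
        settings = dict(line.split(None, 1) for line in body if " " in line)
        for key, want in EXPECTED_IKEV2.items():
            if settings.get(key) != want:
                findings.append(f"ikev2 policy {prio}: {key} is {settings.get(key)!r}, expected {want!r}")
    return findings


def tunnel_findings(config, firebox):
    """Check PFS, that the crypto ACL mirrors the Firebox route, and that NAT exemption exists."""
    findings = []
    if not re.search(rf"^crypto map \S+ \d+ set pfs {EXPECTED_PFS}$", config, re.M):
        findings.append(f"crypto map: PFS {EXPECTED_PFS} not set")
    acl = re.search(r"^access-list \S+ extended permit ip object (\S+) object (\S+)$", config, re.M)
    if not acl:
        return findings + ["no crypto ACL with two network objects found"]
    objs = network_objects(config)
    asa_local, asa_remote = objs.get(acl.group(1)), objs.get(acl.group(2))
    # The ASA's remote network must be the Firebox's local network, and vice versa.
    if asa_remote != ip_network(firebox["local"]):
        findings.append(f"ASA remote network {asa_remote} != Firebox local network {firebox['local']}")
    if asa_local != ip_network(firebox["remote"]):
        findings.append(f"ASA local network {asa_local} != Firebox remote network {firebox['remote']}")
    # Without identity NAT for this pair, traffic is translated before it reaches the tunnel.
    nat_re = rf"^nat \(\S+,\S+\) source static {acl.group(1)} {acl.group(1)} destination static {acl.group(2)} {acl.group(2)}"
    if not re.search(nat_re, config, re.M):
        findings.append("no identity NAT (NAT exemption) for the tunnel networks")
    return findings


def audit(config=ASA_RUNNING_CONFIG, firebox=FIREBOX_TUNNEL):
    """Return all findings; an empty list means the ASA side matches the Firebox tunnel."""
    return ikev2_policy_findings(config) + tunnel_findings(config, firebox)


if __name__ == "__main__":
    for line in audit() or ["OK: ASA configuration matches the Firebox tunnel settings"]:
        print(line)
```

To use it against a real deployment, replace ASA_RUNNING_CONFIG with the output of `show running-config` from the ASA and FIREBOX_TUNNEL with the Local IP and Remote IP you typed in the Firebox tunnel; `audit()` returns an empty list when the two sides agree, and otherwise one line per mismatch (for example an IKEv2 policy left at a weaker integrity hash, a missing PFS group, or a NAT rule that does not exempt the tunnel networks).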

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab and verify that the VPN is established.

Screenshot of Firebox, new diagram10

  3. Verify that Host1 (behind the Firebox) and Host2 (behind the Cisco ASA) can ping each other.