Cisco ASA and Firebox Branch Office VPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Cisco Adaptive Security Appliance (ASA).

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55W
    • Fireware version 12.5.2 or higher
  • Cisco ASA 5506-X
    • ASDM v7.13(1)
    • ASA v9.13(1)

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Cisco ASA.

The topology for this integration

Configure the Firebox

On the Firebox, configure a BOVPN connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this Branch Office VPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screen shot of the General settings tab

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  2. From the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  4. Select By IP Address.
  5. In the adjacent text box, type the primary IP address of the External Firebox interface.

Screen shot of the gateway endpoint settings for the local gateway

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the IP address of your Cisco ASA WAN connection.
  4. Select By IP Address.
  5. In the adjacent text box, type the IP address of your Cisco ASA WAN connection.

Screen shot of the Gateway Endpoint settings

  1. Click OK.
  2. In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.

Screen shot of the General Settings tab

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep all other Phase 1 settings as the default values.

Screen shot of the Phase 1 settings

  1. Click Save.
  2. In the Tunnels section, click Add.

Screen shot of the Gateways and Tunnels lists

  1. From the Gateway drop-down list, select the gateway that you configured.
  2. In the Addresses section, click Add.

Screen shot of the Addresses tab

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the local IP segment. This the local network protected by the Firebox.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the remote IP segment. This the local network protected by the Cisco ASA.

Screen shot of the tunnel route settings

  1. Click OK.

Screen shot of the Addresses tab

  1. Keep Phase 2 Settings as the default values.
  2. Click Save.

Configure the Cisco ASA

In our example, we configure a Cisco ASA 5506-X.

To configure the basic settings:

  1. Log in to the ASA 5506-X with ASDM. The default IP address is 192.168.1.1.
  2. Configure the ASA 5506-X interfaces. For information about how to configure interfaces, see the Cisco ASA 5506-X documentation.
  3. Select the Enable traffic between two or more interfaces which are configured with same security levels check box.
  4. Click Apply.
  5. Screen shot of the Cisco configuration

Next, configure the IPSec VPN settings:

  1. Click Configuration.
  2. Select Site-to-Site VPN > Advanced > IKE policies.
  3. In the IKEv2 Policies section, click Add.
  4. In the Priority text box, type 1.
  5. From the D-H Group drop-down list, select 14.
  6. From the Encryption drop-down list, select aes-256.
  7. From the Integrity Hash drop-down list, select sha256.
  8. From the Pseudo Random Function (PRF) Hash drop-down list, select sha256.
  9. Keep the default value for all other settings.
  10. Screen shot of the IKEv2 policy

  11. Click OK.
  12. Click Apply.
  13. Screen shot of IKE policies

  14. Select Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets).
  15. In the IKEv2 IPsec Proposals section, click Add.
  16. In the Name text box, type a object name. In our example, we specify the name AES256-SHA256.
  17. From the Encryption drop-down list, select aes-256.
  18. From the Integrity Hash drop-down list, select sha-256.
  19. Screen shot of the IPSec proposal

  20. Click OK.
  21. Click Apply.
  22. From the navigation menu, select Configuration > Firewall > Objects > Network Objects/Groups.
  23. Click Add > Network Object.
  24. In the Name text box, type the object name. In our example, we specify the name wg-network.
  25. From the Type drop-down list, select Network.
  26. From the IP Version check box, check IPv4.
  27. In the IP Address text box, type the IP address. In our example, we specify the IP address 10.0.11.0.
  28. In the Netmask text box, type the netmask. In our example, we specify the netmask 255.255.255.0.
  29. Screen shot of network objects

  30. Click OK.
  31. Repeat Steps 20–26 to create other network objects.
  32. Screen shot of network objects and groups

  33. Select Configuration > Site-to-Site VPN > Connection Profiles.
  34. In the Connection Profiles section, click Add.
  35. In the Peer IP Address text box, type the peer IP address.
  36. From the Interface drop-down list, select outside.
  37. From the Local Network list, select internal-network/24.
  38. From the Remote Network list, select wg_network.
  39. In the IPsec Enabling section, click Manage.
  40. Click Add.
  41. In the Name text box, type the name. In our example, we specify the name GroupPolicy1.
  42. In the Tunneling Protocols section, clear the Inherit check box and select IPsec IKEv2.
  43. Screen shot of the internal group policy

  44. Click OK > OK.
  45. Select Local Pre-shared Key.
  46. In the adjacent text box, type the pre-shared key.
  47. In the Remote Peer Pre-shared Key text box, type the pre-shared key.
  48. For the IKE Policy setting, keep the default values.
  49. From the IPsec Proposal list, select AES256-SHA256.
  50. Screen shot of the IPSec site-to-site connection profile1

    Screen shot of the IPSec site-to-site connection profile2

  51. For the Advanced settings, select Advanced > Crypto Map Entry.
  52. In the Perfect Forward Secrecy section, select Enable.
  53. From the Diffie-Hellman Group drop-down list, select group14.
  54. Clear the NAT-T check box.
  55. In the Pre-shared Key (for IKEv2) text box, type the pre-shared key. Keep all other settings as the default values.
  56. Screen shot of the crypto map entry

  57. For the Advanced >Tunnel group settings, keep the default values.
  58. Screen shot of the tunnel group

  59. Click OK.
  60. Click Apply.
  61. Screen shot of connection profiles

  62. From the navigation menu, select Configuration > Firewall > NAT Rules.
  63. Click Add.
  64. In the Match Criteria: Original Packet section, from the Source Interface drop-down list, select internal.
  65. From the Source Address drop-down list, select cisco_connection.
  66. From the Destination Interface drop-down list, select outside.
  67. From the Destination Address drop-down list, select wg_connection.
  68. In the Action: Translated Packet section, from the Source Address drop-down list, select cisco_connection.
  69. In the Action: Translated Packet section, from the Destination Interface drop-down list, select wg_connection.
  70. Keep all other settings as the default values.
  71. Screen shot of the NAT rule

  72. Click OK.
  73. Click Yes.
  74. Click Apply.

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab and verify the VPN is established.
  3. Screen shot of the VPN data

  4. Verify that Host1 (behind the Firebox) and Host2 (behind the Cisco ASA) can ping each other.