Cisco ASA and Firebox BOVPN Virtual Interface Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) virtual interface connection between a WatchGuard Firebox and a Cisco Adaptive Security Appliance (ASA).

Topology

This diagram shows the topology for a BOVPN virtual interface connection between a Firebox and a Cisco ASA.

Configure the Firebox

On the Firebox, configure a BOVPN virtual interface connection:

1. Log in to Fireware Web UI.
2. Select VPN > BOVPN Virtual Interfaces.
   The BOVPN Virtual Interfaces configuration page opens.
3. Click Add.
4. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
   
7. In the Credential Method section, select Use Pre-Shared Key.
8. In the adjacent text box, type the pre-shared key.

9. In the Gateway Endpoint section, click Add.
   The Gateway Endpoint Settings dialog box opens.
10. From the Physical drop-down list, select External.
11. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
12. Select By IP Address.
13. In the adjacent text box, type the primary IP address of the External Firebox interface.
    

14. Select the Remote Gateway tab.
15. Select Static IP Address.
16. In the adjacent text box, type the IP address of your Cisco ASA WAN connection.
17. Select By IP Address.
18. In the adjacent text box, type the IP address of your Cisco ASA WAN connection.
    

19. Click OK.
20. In the Gateway Endpoint section, select Start Phase 1 tunnel when it is inactive.
21. Select Add this tunnel to the BOVPN-Allow policies.

22. Select the VPN Routes tab.
23. Click Add.
24. From the Choose Type drop-down list, select Network IPv4.
25. In the Route To text box, type the Network IP address of a route that will use this virtual interface.

26. Click OK.
27. Select the Assign virtual interface IP addresses (required for dynamic routing) check box.
28. In the Local IP address and Peer IP address or netmask text boxes, type the virtual interface IP addresses.

29. Select the Phase 1 Settings tab.
30. From the Version drop-down list, select IKEv2.
31. Keep all other Phase 1 settings as the default values.

32. Keep all other Phase 2 settings as the default values.

33. Click Save.

For more information about BOVPN virtual interface configuration on the Firebox, see BOVPN Virtual Interfaces

Configure the Cisco ASA

In our example, we configure a Cisco ASA 5506-X.

To configure the basic settings:

1. Log in to the ASA 5506-X with Cisco Adaptive Security Device Manager (ASDM). The default IP address is 192.168.1.1.
2. Configure the ASA 5506-X interfaces. For information about how to configure interfaces, see the Cisco ASA 5506-X documentation.
3. Select the Enable traffic between two or more interfaces which are configured with same security levels check box.
4. Click Apply.

Next, configure the IPSec VPN settings:

1. Click Configuration.
2. Select Site-to-Site VPN > Advanced > IKE policies.
3. In the IKEv2 Policies section, click Add.
4. In the Priority text box, type 1.
5. From the D-H Group drop-down list, select 14.
6. From the Encryption drop-down list, select aes-256.
7. From the Integrity Hash drop-down list, select sha256.
8. From the Pseudo Random Function (PRF) Hash drop-down list, select sha256.
9. Keep the default value for all other settings.

10. Click OK.
11. Click Apply.

12. Select Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets).
13. In the IKE v2 IPsec Proposals section, click Add.
14. In the Name text box, type an object name. In our example, we specify the name AES256-SHA256.
15. From the Encryption drop-down list, select aes-256.
16. From the Integrity Hash drop-down list, select sha-256.

17. Click OK.
18. In the IPsec Profile section, click Add.
19. In the Name text box, type the IPSec profile name. In our example, we specify the name Profile.
20. In the IKE v2 IPsec Proposal text box, type the proposal.
21. Select PFS Settings and select group14.

22. Click OK.
23. Click Apply.

24. Select Configuration > Firewall > Objects > Network Objects/Groups.
25. Click Add > Network Object.
26. In the Name text box, type the object name. In our example, we specify the name VTI-network.
27. From the Type drop-down list, select Network.
28. For IP Version, select IPv4.
29. In the IP Address text box, type the IP address. In our example, we specify the IP address 10.0.11.0.
30. In the Netmask text box, type the netmask. In our example, we specify the netmask 255.255.255.0.

31. Click OK.
32. Repeat Steps 25–31 to create other network objects.
33. Click Apply.

34. Select Configuration > Site-to-Site VPN > Connection Profiles.
35. In the Connection Profiles section, click Add.
36. In the Peer IP Address text box, type the peer IP address.
37. From the Interface drop-down list, select outside.
38. From the Local Network list, select internal-network/24.
39. From the Remote Network list, select wg-network.
40. In the IPsec Enabling section, click Manage.
41. Click Add.
42. In the Name text box, type the name. In our example, we specify the name GroupPolicy1.
43. In the Tunneling Protocols section, clear the Inherit check box and select IPsec IKEv2.

44. Click OK > OK.
45. Select Local Pre-shared Key.
46. In the adjacent text box, type the pre-shared key.
47. In the Remote Peer Pre-shared Key text box, type the pre-shared key.

48. For the IKE Policy setting, keep the default value.
49. From the IPsec Proposal list, select AES256-SHA256.

50. For the Advanced settings, select Advanced > Crypto Map Entry.
51. For Perfect Forward Secrecy, select Enable.
52. From the Diffie-Hellman Group drop-down list, select group14.
53. Keep all other settings as the default values.

54. Click OK.
55. Click Apply.

Next, configure the VTI interface settings:

1. Click Configuration.
2. Select Device Setup > Interface Settings > Interfaces.
3. Click Add > VTI Interface.
4. In the VTI ID text box, type the VTI ID.
5. In the Interface Name text box, type the interface name.
6. Select Enable Interface.
7. In the IP Address text box, type the IP address.
8. In the Subnet Mask drop-down list, select 255.255.255.0.
   

9. Select the Advanced tab.
10. In the Destination IP text box, type the destination IP address.
11. From the Source Interface drop-down list, select outside.
12. From the Tunnel Protection with Ipsec Profile drop-down list, select Profile.
13. Select the Enable Tunnel Mode IPv4 Ipsec check box.

14. Click OK.
15. Click Apply.

Finally, configure the routing settings:

1. Select Configuration > Device Setup > Routing > Static Routes.
2. Click Add.
3. Select IPv4.
4. From the Interface drop-down list, select VTI.
5. From the Network drop-down list, select wg-network.
6. In the Gateway IP text box, type the gateway IP address.
7. For all other settings, keep the default values.

8. Click OK.
9. Click Apply.

Test the Integration

To test the integration, from Fireware Web UI:

1. Select System Status > VPN Statistics.
2. Select the Branch Office VPN tab and verify the VPN is established.

3. Verify that Host1 (behind the Firebox) and Host2 (behind the Cisco ASA) can ping each other.