Cisco ASA and Firebox BOVPN Virtual Interface Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) virtual interface connection between a WatchGuard Firebox and a Cisco Adaptive Security Appliance (ASA).

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55W
    • Fireware version 12.5.2 or higher
  • Cisco ASA 5506-X
    • ASDM v7.13(1)
    • ASA v9.13(1)

Topology

This diagram shows the topology for a BOVPN virtual interface connection between a Firebox and a Cisco ASA.

Topology diagram

Configure the Firebox

On the Firebox, configure a BOVPN virtual interface connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page appears.
  3. Click Add.
  4. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  7. In the Credential Method section, select Use Pre-Shared Key.
  8. In the adjacent text box, type the pre-shared key.
  9. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.

Screen shot of the Gateway Settings

  10. From the Physical drop-down list, select External.
  11. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  12. Select By IP Address.
  13. In the adjacent text box, type the primary IP address of the External Firebox interface.

Screen shot of the local gateway

  14. Select the Remote Gateway tab.
  15. Select Static IP Address.
  16. In the adjacent text box, type the IP address of your Cisco ASA WAN connection.
  17. Select By IP Address.
  18. In the adjacent text box, type the IP address of your Cisco ASA WAN connection.

Screen shot of the remote gateway

  19. Click OK.
  20. In the Gateway Endpoint section, select Start Phase 1 tunnel when it is inactive.
  21. Select Add this tunnel to the BOVPN-Allow policies.

Screen shot of the Gateway Settings

  22. Select the VPN Routes tab.
  23. Click Add.
  24. From the Choose Type drop-down list, select Network IPv4.
  25. In the Route To text box, type the network IP address of a route that will use this virtual interface.

Screen shot of the VPN Route settings

  26. Click OK.
  27. Select the Assign virtual interface IP addresses (required for dynamic routing) check box.
  28. In the Local IP address text box, type the IP address.
  29. In the Peer IP address or netmask text box, type the IP address or netmask.

Screen shot of the VPN Routes

  30. Select the Phase 1 Settings tab.
  31. From the Version drop-down list, select IKEv2.
  32. Keep all other Phase 1 settings as the default values.

Screen shot of the Phase 1 settings

  33. Keep all other Phase 2 settings as the default values.
  34. Click Save.

For more information about BOVPN virtual interface configuration on the Firebox, see BOVPN Virtual Interfaces.

Configure the Cisco ASA

In our example, we configure a Cisco ASA 5506-X.

To configure the basic settings:

  1. Log in to ASA 5506-X with ASDM. The default IP address is 192.168.1.1.
  2. Configure the ASA 5506-X interfaces. For information about how to configure interfaces, see the Cisco ASA 5506-X documentation.
  3. Select the Enable traffic between two or more interfaces which are configured with same security levels check box.
  4. Click Apply.

Screen shot of the Cisco configuration

Next, configure the IPSec VPN settings:

  1. Click Configuration.
  2. Select Site-to-Site VPN > Advanced > IKE policies.
  3. In the IKEv2 Policies section, click Add.
  4. In the Priority text box, type 1.
  5. From the D-H Group drop-down list, select 14.
  6. From the Encryption drop-down list, select aes-256.
  7. From the Integrity Hash drop-down list, select sha256.
  8. From the Pseudo Random Function (PRF) Hash drop-down list, select sha256.
  9. Keep the default value for all other settings.

Screen shot of the Cisco IKEv2 policy

  10. Click OK.
  11. Click Apply.

Screen shot of the Cisco IKE policies

  12. Select Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets).
  13. In the IKE v2 IPsec Proposals section, click Add.
  14. In the Name text box, type an object name. In our example, we specify the name AES256-SHA256.
  15. From the Encryption drop-down list, select aes-256.
  16. From the Integrity Hash drop-down list, select sha-256.

Screen shot of the Cisco IPSec proposal

  17. Click OK.
  18. In the IPsec Profile section, click Add.
  19. In the Name text box, type the IPsec profile name. In our example, we specify the name Profile.
  20. In the IKE v2 IPsec Proposal text box, type the name of the proposal you created (AES256-SHA256 in our example).
  21. Select PFS Settings and select group14.

Screen shot of the IPSec profile

  22. Click OK.
  23. Click Apply.

Screen shot of the IPSec proposals (transform sets)

  24. Select Configuration > Firewall > Objects > Network Objects/Groups.
  25. Click Add > Network Object.
  26. In the Name text box, type the object name. In our example, we specify the name VTI-network.
  27. From the Type drop-down list, select Network.
  28. For IP Version, select IPv4.
  29. In the IP Address text box, type the IP address. In our example, we specify the IP address 10.0.1.0.
  30. In the Netmask text box, type the netmask. In our example, we specify the netmask 255.255.255.0.

Screen shot of the network objects

  31. Click OK.
  32. Repeat Steps 25–31 to create the other network objects.

Screen shot of the network objects/groups

  33. Select Configuration > Site-to-Site VPN > Connection Profiles.
  34. In the Connection Profiles section, click Add.
  35. In the Peer IP Address text box, type the peer IP address.
  36. From the Interface drop-down list, select outside.
  37. From the Local Network list, select internal-network/24.
  38. From the Remote Network list, select wg_network.
  39. In the IPsec Enabling section, click Manage.
  40. Click Add.
  41. In the Name text box, type the name. In our example, we specify the name GroupPolicy1.
  42. In the Tunneling Protocols section, clear the Inherit check box and select IPsec IKEv2.

Screen shot of the internal group policy

  43. Click OK > OK.
  44. Select Local Pre-shared Key.
  45. In the adjacent text box, type the pre-shared key.
  46. In the Remote Peer Pre-shared Key text box, type the pre-shared key.
  47. For the IKE Policy setting, keep the default values.
  48. From the IPsec Proposal list, select AES256-SHA256.

Screen shot of the IPSec site-to-site connection profile1

Screen shot of the IPSec site-to-site connection profile2

  49. For the Advanced settings, select Advanced > Crypto Map Entry.
  50. Clear the NAT-T check box.
  51. In the Pre-shared Key (for IKEv2) text box, type the pre-shared key. Keep all other settings as the default values.

Screen shot of the crypto map entry

  52. For the Advanced > Tunnel Group settings, keep the default values.

Screen shot of the tunnel group

  53. Click OK.
  54. Click Apply.

Screen shot of the connection profiles

Next, configure the VTI interface settings:

  1. Click Configuration.
  2. Select Device Setup > Interface Settings > Interfaces.
  3. Click Add > VTI Interface.
  4. In the VTI ID text box, type the VTI ID.
  5. In the Interface Name text box, type the interface name.
  6. Select Enable Interface.
  7. In the IP Address text box, type the IP address.
  8. From the Subnet Mask drop-down list, select 255.255.255.0.

Screen shot of the VTI interface for general settings

  9. Select the Advanced tab.
  10. In the Destination IP text box, type the destination IP address of the tunnel.
  11. From the Source Interface drop-down list, select outside.
  12. From the Tunnel Protection with IPsec Profile drop-down list, select Profile.
  13. Select the Enable Tunnel Mode IPv4 IPsec check box.

Screen shot of the VTI interface for advanced settings

  14. Click OK.
  15. Click Apply.

Screen shot of the interfaces

Finally, configure the routing settings:

  1. Select Configuration > Device Setup > Routing > Static Routes.
  2. Click Add.
  3. Select IPv4.
  4. From the Interface drop-down list, select VTI.
  5. From the Network drop-down list, select wg_network.
  6. In the Gateway IP text box, type the gateway IP address.
  7. For all other settings, keep the default values.

Screen shot of the static route for VTI

  8. Click OK.
  9. Click Apply.

Screen shot of the static routes
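For reference, the ASA side of this configuration expressed as ASA CLI commands. This is an added example, not configuration taken from the guide; the object names AES256-SHA256, Profile and VTI-network follow the ASDM steps above, while FIREBOX_EXT_IP, PSK, WG_NETWORK, WG_MASK and the tunnel addresses 10.0.1.1 and 10.0.1.2 are placeholders you replace with your own values. It assumes no NAT between the peers.

```cisco
! IKEv2 policy: DH group 14, AES-256, SHA-256 integrity and PRF, priority 1
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable outside

! IKEv2 IPsec proposal (transform set), named as in the ASDM steps
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! IPsec profile that binds the proposal and enforces PFS group 14
crypto ipsec profile Profile
 set ikev2 ipsec-proposal AES256-SHA256
 set pfs group14

! Tunnel group for the Firebox peer; FIREBOX_EXT_IP and PSK are placeholders
tunnel-group FIREBOX_EXT_IP type ipsec-l2l
tunnel-group FIREBOX_EXT_IP ipsec-attributes
 ikev2 remote-authentication pre-shared-key PSK
 ikev2 local-authentication pre-shared-key PSK

! VTI: source is the outside interface, destination is the Firebox external IP,
! tunnel address taken from VTI-network (10.0.1.0/24); 10.0.1.2 is a placeholder
interface Tunnel1
 nameif VTI
 ip address 10.0.1.2 255.255.255.0
 tunnel source interface outside
 tunnel destination FIREBOX_EXT_IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Profile

! Static route to the Firebox-side network through the VTI; 10.0.1.1 is the
! Firebox's virtual interface address (placeholder)
route VTI WG_NETWORK WG_MASK 10.0.1.1
```

After both sides are configured, show crypto ikev2 sa and show crypto ipsec sa on the ASA confirm that the IKEv2 SA is up and that the IPsec SA counters increase when Host1 and Host2 exchange traffic.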

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab and verify the VPN is established.
  3. Verify that Host1 (behind the Firebox) and Host2 (behind the Cisco ASA) can ping each other.