
Firebox Cloud and Cisco ASA5506X VPN Integration Guide

This document describes how to configure a BOVPN tunnel between an instance of WatchGuard Firebox Cloud and a Cisco ASA5506X.

Platform and Software

The hardware and software used to complete the steps outlined in this integration guide include:

  • WatchGuard Firebox Cloud with Fireware v11.12.4 Build 522519, installed in Amazon Web Services (AWS)
  • Cisco ASA5506X
  • ASA Version — 9.8(1)
  • ASDM Version — 7.8(1)

Test Topology

(The topology diagram is not reproduced in this text version. In the example used throughout this guide, a server at 10.0.1.39 sits behind Firebox Cloud in AWS, and a server at 192.168.13.2 sits on the internal network behind the Cisco ASA5506X; the two firewalls are connected by a route-based BOVPN tunnel over their public IP addresses.)

Set Up Firebox Cloud

To configure the BOVPN virtual interface on your instance of Firebox Cloud:

  1. Connect to Fireware Web UI for your instance of Firebox Cloud (https://<AWS Public IP address>:8080).
  2. Log in as a user with administrator credentials.
  3. Select VPN > BOVPN Virtual Interfaces.
  4. To unlock the configuration, click the lock icon.
  5. Click Add.
  6. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  7. In the Credential Method section, select Use Pre-Shared Key.
  8. In the adjacent text box, type the pre-shared key. Use a long, randomly generated key; you must configure the same key on the ASA5506X.
  9. In the Gateway Endpoint section, click Add.
  10. From the Physical drop-down list, select External.
  11. Select By IP Address.
  12. In the adjacent text box, type the AWS public IP address for your instance of Firebox Cloud.
  13. Select the Remote Gateway tab.
  14. Select Static IP Address.
  15. In the adjacent text box, type the outside interface IP address (Local Outgoing Public IP) of the Cisco ASA5506X.
  16. For the remote gateway ID, select By IP Address.
  17. In the adjacent text box, type the same outside interface IP address of the Cisco ASA5506X. The ASA identifies itself by its outside IP address in IKEv1 Main Mode, so the gateway address and the gateway ID are the same value.
  18. Click OK.
  19. In the Gateway Endpoint section, select the Start Phase1 tunnel when it is inactive check box.
  20. Select the Add this tunnel to the BOVPN-Allow policies check box.
  21. Select the VPN Routes tab.
  22. Click Add.
  23. From the Choose Type drop-down list, select the option that matches your network configuration:
     • Host IPv4
     • Host IPv6
     • Network IPv4
     • Network IPv6
     In this example, we specify an IPv4 host address.
  24. In the Route To text box, type the IP address or network that is reachable through this virtual interface. In this example, we add a route to the server at 192.168.13.2 on the network behind the ASA5506X.
  25. Click OK.
  26. Select the Assign virtual interface IP addresses check box.
  27. In the Local IP address text box, type the IP address for the Firebox Cloud end of the virtual interface.
  28. In the Peer IP address or netmask text box, type the IP address (or netmask) for the ASA5506X end of the virtual interface. This must match the IP address you assign to the VTI interface on the ASA5506X later in this guide.
  29. Select the Phase 1 Settings tab.
  30. From the Version drop-down list, select IKEv1.
  31. From the Mode drop-down list, select Main.
  32. In the Transform Settings section, click Add.
  33. From the Authentication drop-down list, select SHA1.
  34. From the Encryption drop-down list, select AES(256-bit).
  35. From the Key Group drop-down list, select Diffie-Hellman Group 2.
  36. Click OK.

The Phase 1 transform above (IKEv1, SHA1, AES-256, Diffie-Hellman Group 2) is what was tested for this guide and matches the IKEv1 policy configured on the ASA5506X later in this document. Diffie-Hellman Group 2 (1024-bit MODP) and SHA1 are weak by current standards; if both endpoints support them, prefer IKEv2 with a Diffie-Hellman group of 14 or higher and a SHA-2 hash. Whatever you choose, the Phase 1 settings must be identical on both devices or the tunnel will not negotiate.

For stronger security, we recommend that you add a new Phase 2 proposal instead of using the default.

  1. Select VPN > Phase 2 Proposals.
  2. To add a new Phase 2 proposal, click Add.
  3. In the Name text box, type ESP-AES256-SHA.
  4. From the Type drop-down list, select ESP (Encapsulating Security Payload).
  5. From the Authentication drop-down list, select SHA1.
  6. From the Encryption drop-down list, select AES(256-bit).
  7. Click Save.

Apply the new Phase 2 proposal to your BOVPN virtual interface:

  1. Select VPN > BOVPN Virtual Interfaces.
  2. Select the interface you added. Click Edit.
  3. Select the Phase 2 Settings tab.
  4. From the IPSec Proposals drop-down list, select ESP-AES256-SHA (the proposal you just created).
  5. Click Add.
  6. Remove any other proposals that appear in the list, so that only ESP-AES256-SHA is offered. The ASA5506X transform set configured later in this guide uses the same ESP AES-256 / SHA combination; the two must match.
  7. Click Save.

Set Up the Cisco ASA5506X

Basic Settings

  1. Log in to the ASA5506X with ASDM at https://<IP address of ASA5506X>. The factory default management address is 192.168.1.1.
  2. Configure the ASA5506X interfaces (outside and Internal).
     For information about how to configure interfaces, see the Cisco ASA5506X documentation.

Configure the IPSec VPN Settings

  1. Click Configuration.
  2. Select Site-to-Site VPN > Advanced > IKE Policies.
  3. In the IKEv1 Policies section, click Add.
  4. In the Priority text box, type 1.
  5. From the Authentication drop-down list, select pre-share.
  6. From the Encryption drop-down list, select aes-256.
  7. From the Hash drop-down list, select sha.
  8. Keep the default D-H Group (2) and Lifetime values, which match the Phase 1 settings configured on Firebox Cloud.
  9. Click OK.

  1. Select Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets).
  2. In the IPsec Proposals (Transform Sets) section, click Add.
  3. In the Set Name text box, type a name for the set. In this example, we use ESP-AES256-SHA.
  4. For the Mode, select Tunnel.
  5. From the ESP Encryption drop-down list, select AES-256.
  6. From the ESP Authentication drop-down list, select SHA.
  7. Click OK.

  1. In the IPsec Profile section, click Add.
  2. In the Name text box, type the IPsec profile name. In this example, we use Profile.
  3. In the IKE v1 IPsec Proposal text box, select the transform set you created (ESP-AES256-SHA).
  4. Click OK.

  1. From the navigation menu, select Firewall > Objects > Network Objects/Groups.
  2. Click Add and add a network object for the local network behind the ASA5506X (in this example, internal-network) and one for the remote network behind Firebox Cloud (in this example, CloudInt).

  1. From the navigation menu, select Site-to-Site VPN > Connection Profiles.
  2. In the Connection Profiles section, click Add.
  3. In the Peer IP Address text box, type the AWS public IP address of your instance of Firebox Cloud.
  4. From the Interface drop-down list, select outside.
  5. From the Local Network list, select internal-network/24.
  6. From the Remote Network list, select CloudInt.
  7. Select Enable IKE v1.
  8. In the Pre-shared Key text box, type the same pre-shared key you configured on Firebox Cloud.
  9. For the IKE Policy setting, keep the default values.
  10. From the IPsec Proposal list, select ESP-AES256-SHA.
  11. For the Advanced settings, keep the default values.
  12. Click OK.

VTI Interface Settings

  1. Click Configuration.
  2. Select Device Setup > Interface Settings > Interfaces.
  3. Click Add VTI Interface.
  4. In the VTI ID text box, type the VTI ID.
  5. In the Interface Name text box, type the interface name. In this example, we use VTI.
  6. Select Enable Interface.
  7. In the IP Address text box, type the IP address for the ASA5506X end of the tunnel. This must be the address you entered as the Peer IP address on the Firebox Cloud BOVPN virtual interface.
  8. In the Subnet Mask text box, type the subnet mask.
  9. Select the Advanced tab.
  10. In the Destination IP text box, type the AWS public IP address of your instance of Firebox Cloud (the remote tunnel endpoint).
  11. From the Source Interface drop-down list, select outside.
  12. From the Tunnel Protection with IPsec Profile drop-down list, select the IPsec profile you created (Profile).
  13. Select the Enable Tunnel Mode IPv4 IPsec check box.
  14. Click OK.

Configure the Security Policy settings:

  1. Click Configuration.
  2. Select Firewall > Access Rules.
  3. Click Add.
  4. From the Interface drop-down list, select outside.
  5. In the Action section, select Permit.
  6. From the Source list, select CloudInt.
  7. From the Destination list, select internal-network.
  8. From the Service list, select ip,icmp.
  9. For all other settings, keep the default values.
  10. Click OK.
  11. To add another Access Rule, click Add.
  12. From the Interface drop-down list, select Internal.
  13. In the Action section, select Permit.
  14. From the Source list, select internal-network.
  15. From the Destination list, select CloudInt.
  16. From the Service list, select ip,icmp.
  17. For all other settings, keep the default values.
  18. Click OK.

These rules permit all IP traffic between the two networks, which is sufficient to test the tunnel. In production, restrict the Service to the protocols and ports the sites actually need. Note also that decrypted tunnel traffic enters the ASA on the VTI interface rather than on outside; if traffic from Firebox Cloud is dropped even though the tunnel is up, check whether an equivalent permit rule is needed on the VTI interface.

Routing Settings

  1. Select Device Setup > Routing > Static Routes.
  2. Click Add.
  3. Select IPv4.
  4. From the Interface drop-down list, select outside.
  5. From the Network drop-down list, select any4.
  6. In the Gateway IP text box, type the IP address of your ISP gateway (the next hop for the outside interface).
  7. For all other settings, keep the default values.
  8. Click OK.
  9. To add another route, click Add.
  10. Select IPv4.
  11. From the Interface drop-down list, select VTI.
  12. From the Network drop-down list, select CloudInt.
  13. In the Gateway IP text box, type the Local IP address you assigned to the BOVPN virtual interface on Firebox Cloud (the other end of the tunnel).
  14. For all other settings, keep the default values.
  15. Click OK.

The second route is what makes this a route-based VPN: traffic for the network behind Firebox Cloud is sent into the VTI interface and encrypted by the attached IPsec profile, while everything else follows the default route through outside.
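For reference, the ASA configuration that the ASDM steps above produce, as an added example that is not part of the original guide. The object, profile and interface names (internal-network, CloudInt, ESP-AES256-SHA, Profile, VTI, Internal) are the ones used in this guide; the peer address 203.0.113.10, the ISP gateway 203.0.113.1, the tunnel addresses 169.254.100.1 and 169.254.100.2, the subnets 10.0.1.0/24 and 192.168.13.0/24, and the pre-shared key are placeholders (documentation addresses) that must be replaced with your own values.

```text
! --- Placeholder values (replace with your own) ---
! 203.0.113.10   AWS public IP of Firebox Cloud (tunnel destination)
! 203.0.113.1    ISP next hop on the ASA outside interface
! 169.254.100.1  Firebox Cloud "Local IP address" on the BOVPN virtual interface
! 169.254.100.2  ASA VTI address (= Firebox Cloud "Peer IP address")
! 192.168.13.0/24 internal network behind the ASA (contains 192.168.13.2)
! 10.0.1.0/24    network behind Firebox Cloud (contains 10.0.1.39)

! Network objects (Firewall > Objects > Network Objects/Groups)
object network internal-network
 subnet 192.168.13.0 255.255.255.0
object network CloudInt
 subnet 10.0.1.0 255.255.255.0

! IKEv1 policy: matches Firebox Phase 1 (AES-256, SHA1, DH group 2, pre-shared key)
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Transform set: matches Firebox Phase 2 proposal ESP-AES256-SHA
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec profile Profile
 set ikev1 transform-set ESP-AES256-SHA

! Connection profile: peer is the Firebox Cloud public IP, same PSK as on the Firebox
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK

! VTI interface: tunnel source outside, destination Firebox Cloud, protected by Profile
interface Tunnel1
 nameif VTI
 ip address 169.254.100.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Profile

! Static routes: default via ISP, remote network via the VTI to the Firebox tunnel address
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route VTI 10.0.1.0 255.255.255.0 169.254.100.1 1

! Access rules as in the ASDM steps (permit ip between the two networks)
access-list outside_access_in extended permit ip object CloudInt object internal-network
access-group outside_access_in in interface outside
access-list Internal_access_in extended permit ip object internal-network object CloudInt
access-group Internal_access_in in interface Internal
```

The pre-shared key is stored in the running configuration; treat `show running-config` output as sensitive and use a key of at least 32 random characters. If hosts behind the ASA normally reach the Internet through a dynamic PAT rule on the outside interface, confirm that traffic destined for CloudInt is not translated before it enters the VTI, since the Firebox expects to see the untranslated internal-network addresses.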

Test the Integration

  1. Log in to Fireware Web UI for your instance of Firebox Cloud.
  2. Select System Status > VPN Statistics.
  3. Verify that the VPN tunnel is active.
  4. On Firebox Cloud, create a policy that allows ICMP traffic between the two networks, so that ping can be used for the test.
  5. Verify that the servers at 10.0.1.39 (behind Firebox Cloud) and 192.168.13.2 (behind the ASA5506X) can successfully ping each other.
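The corresponding checks on the ASA5506X side, as an added example that is not part of the original guide. The peer address 203.0.113.10 and the tunnel interface Tunnel1 are the same placeholders used in the configuration example above; replace them with your own values.

```text
! Phase 1: the Firebox Cloud peer should appear with state MM_ACTIVE (Main Mode complete)
show crypto ikev1 sa

! Phase 2: look for the SA with peer 203.0.113.10 and confirm that
! "#pkts encaps" and "#pkts decaps" both increase while the test hosts ping each other
show crypto ipsec sa peer 203.0.113.10

! VTI: interface and line protocol must both be up, otherwise the route via VTI is not used
show interface Tunnel1

! Routing: the network behind Firebox Cloud must resolve to the VTI, not to outside
show route 10.0.1.39

! Send a test ping from the ASA itself across the tunnel
ping VTI 10.0.1.39
```

If `show crypto ikev1 sa` shows no entry, the Phase 1 proposals or the pre-shared key differ between the two devices; if Phase 1 is active but `#pkts decaps` stays at zero, check the Phase 2 proposal match and the access rules on both sides.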
