Search This Blog

Thursday, November 19, 2015

VPN site-to-site between Cisco ASA to Fortigate - Part 1

In the following post I will demonstrate a VPN site-to-site (L2L) configuration between Cisco ASA and Fortigate appliances.

These are the customer demands for the following setup:
- VPN site-to-site between Office 1 and Office 2
- All traffic from Office 2 should pass-through office 1
- When Office 2 goes to the internet they will using Office 1 external IP

This is my lab setup:


Let’s start with the Fortigate configuration,
VPN -> IPsec ->Tunnels
Type in a name for this tunnel and select Custom VPN Tunnel (No Template)


Fill in the required information, type in the remote IP address (10.1.0.1), fill in the pre-shared key and select phase 1 proposal, here I choose IKEv1 with AES192 and SHA1 using DH group 2 (1024bit) and key lifetime of 86400 seconds (24 hours).



Continue filling phase 2 selectors, type in the local networks, in this case I summarize Office 2 networks to 192.168.48.0/21, and remote networks which in my case should be 0.0.0.0/0.0.0.0 in order to route all traffic through the VPN tunnel, and phase 2 proposal - here I choose again AES192 with SHA1 and DH group 2, also check PFS and type in the key lifetime to 86400 seconds.



Note that I removed all other options in phase 1 and 2 proposals and leave only AES192 with SHA1.

Now go to Policy & Objects -> Objects -> Addresses and create new address for remote network:



And another one for the local networks:



Now let’s configure the firewall policy, go to Policy & Objects -> Policy -> IPv4 and create new policy, from interface NET50 (VLAN50) with source address LOCAL_NETWORK to interface OFFICE1 (VPN interface) with destination address REMOTE_NETWORK and without NAT:



Crate another policy in the opposite way:




For each network we would have to do these policies (VLAN 50, VLAN51 and so on), also this is the place for limit the access between the two sites (for example create policy which allows only HTTP and HTTPS between the two).

Last we need to configure static route toward the VPN tunnel, go to Router -> Static -> Static Routes and create new static route, type 0.0.0.0/0.0.0.0 for destination and choose OFFICE1 (VPN interface) as Device:



Note that we will also need static route to remote device (Cisco ASA at 10.1.0.1) with ISP next-hop:



Now let’s configure the Cisco ASA, here I will use the built-in wizard for creating the tunnel but I’ll explain on each part of the configuration and will show also CLI configuration.

First we need to configure object for the remote network, Open the ASDM and go to Configuration -> Firewall -> Objects -> Network Objects/Groups, click on Add and create an object for the remote network:



And another object fot the local network:



Again here I summarize for all OFFICE1 networks (192.168.0.0/21).

Now click on Wizards from the tool bar, choose VPN Wizards -> Site-tosite VPN Wizard…



On the first screen click Next



Type in the Fortigate external IP (10.2.0.1) and choose the Cisco ASA external interface (EXTERNAL1):



Click Next

On the Local Network choose Any4 and on the Remote Network choose the object we have just created (REMOTE_NETWORK):


Click Next

Choose Customize Configuration and type in the pre-shared key in all 3 places (although we are not going to use IKEv2 it’s necessary in order to be able to move between the tabs)


Click on IKE Version tab and clear IKEv2 checkbox


Click on Encryption Algorithms tab and then click on IPsec proposal Select button


Clear all settings under Assign-> and choose only ESP-AES-192-SHA (Tunnel mode), then click OK


Click on Perfect Forward Secrecy and mark the checkbox to enable it:


On the NAT exempt screen click Next


On the Summary screen review the settings and click Finish


Now we need to create NAT policy which will exempt the traffic between OFFICE1 and OFFICE2 networks, go to Configuration -> Firewall -> NAT Rules and click add:


Create NAT policy for keeping the original IP from remote to local and vice versa:


This rule is bi-directional so we won’t need to configure the opposite.
Now we need to configure firewall access rule for the VPN traffic, go to Configuration -> Firewall -> Access Rules and click Add:


Create access rule on the external interface (EXTERNAL1) with REMOTE_NETWORK (192.168.48.0/21) as source and any as destination:


Of course this rule should be above implicit deny rule if configured.
Click save and then apply.

That’s it – the tunnel should be up and running.

Now let’s review on the wizard configuration, go to Configuration -> Site-to-Site VPN and choose Connection Profiles, here we should see the connection profile for the newly created tunnel:


Here we can see the protected networks, the group policy, pre-shared key and phase1/phase2 encryption algorithms.

On the Crypto Map Entry we can see some more settings such as NAT-T and Reverse Route Injection:


And on the Tunnel group we can see the IKE keepalive settings:


Under Configuration -> Site-to-Site VPN -> Group Policies we can find the tunnel created policy which allow us to choose tunneling protocol and different timers (idle, maximum connect time) and also Filter option which gives us the ability to create and configure ACL for permit/deny traffic on this tunnel.


Under Configuration -> Site-to-Site VPN -> Advanced -> Crypto Maps we can find the tunnel map where we have some more settings such traffic selection:


Next post i will provide the CLI configuration, NAT for VPN traffic and some debugging commands.






11 comments:

  1. It is really a great idea to connect site-to-site VPN between Cisco ASA. Basically I needed a best windows vpn that can help to commute group of people working from virtual workplaces with improved productivity for remote users.

    ReplyDelete
  2. It likewise opens the entryway for administrative arbitrage: firms can progressively pick which charge authority and different guidelines apply. gizlilikveguvenlik.com

    ReplyDelete
  3. This is a great inspiring article.I am pretty much pleased with your good work.You put really very helpful information. Keep it up. Keep blogging. Looking to reading your next post. save money with vpn

    ReplyDelete
  4. This learning part is really amazing. I have learned those steps easily through the reading. Personally, I loved it. Do you want to read something on free ip proxy service? Then read it and cleared your knowledge. Hope it helps.

    ReplyDelete
  5. That is why selling advertising campaigns marketing so that you could invaluable explore previous advertisment. Quite simply to jot down stronger set that fit this description. https://idmcrackdownload.org

    ReplyDelete
  6. In the world of www, there are countless blogs. But believe me, this blog has all the perfection that makes it unique in all. I will be back again and again. idm crack

    ReplyDelete
  7. I wanted to thank you for this great read!! I definitely enjoying every little bit of it I have you bookmarked to check out new stuff you post. dedicated vps

    ReplyDelete
  8. A LAN (Local Area Network) is a gathering of PCs and system gadgets associated together, Types of Networks

    ReplyDelete
  9. Excellent .. Amazing .. I’ll bookmark your blog and take the feeds also…I’m happy to find so many useful info here in the post, we need work out more techniques in this regard, thanks for sharing.WPNeon

    ReplyDelete
  10. Virtual Private Network empowers you to utilize web to associate with machines while ensuring that the associations are private. VPN is exceptionally advantageous, yet it isn't essential in the event that you need far off customers to associate with you Linux or Unix worker. arcor

    ReplyDelete
  11. There is no point having a VPN unless it can properly encrypt and secure your internet connection. You can read Surfshark vs ExpressVPN Comparison and choose the best option for you.

    ReplyDelete