Meru_IT
Can a site-to-site VPN be created between two dissimilar firewalls?

Hi, I have a Cisco ASA 5520 firewall on which I want to configure a site-to-site VPN with one of our partner company. The partner company uses a Fortigate 50B UTM device which has to work as the remote peer. Traffic from only one server from my network needs to be allowed through the VPN. Please help with the required configuration on the Cisco ASA.

Thanks in advance
DIPRAJ

Yes, definitely.
Components

    * FortiGate unit with FortiOS v3.0 firmware, MR5 Patch 2 or later
    * Cisco PIX with IOS version 6.3(1) or 6.3(3)

Prerequisites

    * The FortiGate unit must be in NAT mode.

Configure FortiGate VPN Phase 1

To configure using the Web-based Manager

   1. Go to VPN > IPSec > Auto-Key and select Phase 1.
   2. Enter the following:
      Name: VPN name. For example, GW-FG-PIX.
      Remote Gateway: Static IP Address
      IP Address: The public IP address of the Cisco appliance. For example, 203.200.216.194
      Local Interface: The interface that connects to the remote VPN: WAN1
      Mode: Main (default)
      Authentication Method: Preshared Key
      Pre-shared Key: The same preshared key configured on the Cisco appliance.
   3. Select Advanced and enter the following:
      Enable IPSec Interface Mode: Disable
      P1 Proposal: 1 – Encryption 3DES, Authentication SHA1 (default)
      Delete proposal 2
      DH Group: 2
      Keylife: 86400 (default)
      Nat-traversal: Disable
      Dead Peer Detection: Disable
   4. Select OK.

To configure using the CLI:

Using the example configuration, enter the following commands.

config vpn ipsec phase1
  edit "GW-FG-PIX"
    set interface wan1
    set dpd disable
    set dhgrp 2
    set proposal 3des-sha1
    set keylife 86400
    set remote-gw 203.200.216.194
    set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  end

Configure FortiGate VPN Phase 2

When you configure the IPSec VPN phase 2, you set the source selector to the private network behind the FortiGate unit, and set the destination selector to the private network behind the Cisco appliance.

To configure using the Web-based Manager

   1. Go to VPN > IPSec > Auto-Key and select Phase 2.
   2. Enter the following:
      Name: A name for the VPN Phase 2 configuration. For example, Tunnel-FG-PIX.
      Phase 1: Phase 1 configuration name: GW-FG-PIX
   3. Select Advanced and enter the following:
      P2 Proposal: 1 – Encryption 3DES, Authentication SHA1
      Delete proposal 2
      Enable replay detection: Disable
      Enable perfect forward secrecy: Disable
      DH Group: 5
      Keylife: 86400 seconds
      Autokey Keep Alive: Enable
      Source Address: 10.1.4.0/24
      Destination Address: 192.192.192.0/24
   4. Select OK.

Using the CLI

Using the example configuration, enter the following commands.

config vpn ipsec phase2
  edit Tunnel-FG-PIX
    set dhgrp 5
    set keepalive enable
    set phase1name GW-FG-PIX
    set proposal 3des-sha1
    set pfs disable
    set replay disable
    set keylife-type seconds
    set keylifeseconds 86400
    set src-addr-type subnet
    set src-subnet 10.1.4.0 255.255.255.0
    set dst-addr-type subnet
    set dst-subnet 192.192.192.0 255.255.255.0
  end

Configure FortiGate Firewall Addresses

Create firewall addresses for the private networks at either end of the VPN.

To configure using the Web-based Manager

   1. Go to Firewall > Address and select Create New.
   2. Enter the following:
      Address Name: A name for the address. For example:
      “LocalLAN” for the network behind the FortiGate unit.
      “Site2_net” for the network behind the Cisco appliance.
      Type: Subnet/IP Range
      Subnet/IP Range: The network address and subnet mask. For example,
      Enter “10.1.4.0 255.255.255.0” for LocalLAN.
      Enter “192.192.192.0 255.255.255.0” for Site2_net.
   3. Select OK.

Using the CLI

Using the example configuration, enter the following commands.

config firewall address
  edit "LocalLAN"
    set subnet 10.1.4.0 255.255.255.0
  next
  edit "Site2_net"
    set subnet 192.192.192.0 255.255.255.0
  end

Configure FortiGate Firewall Policy

The IPSec firewall policy allows communication in both directions between hosts on the network behind the FortiGate unit and hosts behind the Cisco appliance.

To configure using the Web-based Manager

   1. Go to Firewall > Policy and select Create New.
   2. Enter the following:
      Source Interface/Zone: The interface connected to the local network: internal.
      Source Address: The firewall address of the local network: LocalLAN.
      Destination Interface/Zone: The interface that connects to the remote network: WAN1.
      Destination Address: The firewall address of the remote network: Site2_net.
      Schedule: always
      Service: ANY
      Action: IPSEC
      VPN Tunnel: GW-FG-PIX
      Allow inbound: Enable
      Allow outbound: Enable
      Inbound NAT: Disable
      Outbound NAT: Disable
   3. Select OK.

Using the CLI

Using the example configuration, enter the following commands.

config firewall policy
  edit 1
    set srcintf internal
    set dstintf wan1
    set srcaddr LocalLAN
    set dstaddr Site2_net
    set action ipsec
    set inbound enable
    set outbound enable
    set natinbound disable
    set natoutbound disable
    set schedule always
    set service ANY
    set vpntunnel GW-FG-PIX
  end

Configure Cisco appliance

This Cisco PIX appliance is configured using its CLI.

To configure Cisco PIX Phase 1, enter the following commands:

isakmp enable outside
isakmp key ******* address 61.95.205.173 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

To configure Cisco PIX Phase 2, enter the following:

crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map test 10 ipsec-isakmp
crypto map test 10 match address BGLR
crypto map test 10 set peer 61.95.205.173
crypto map test 10 set transform-set fortinet
crypto map test interface outside
crypto map test 10 set security-association lifetime seconds 86400

Additional Cisco PIX Policies

Set access control list (ACL) for desired VPN traffic and bypass NAT:

access-list BGLR permit ip 192.192.192.0 255.255.255.0 10.1.4.0 255.255.255.0
nat (inside) 0 access-list BGLR
sysopt connection permit-ipsec

Testing the VPN

You can test the VPN by pinging addresses on the remote LAN. You can also use the following commands to verify VPN operation:

diag vpn tunnel list: On the FortiGate unit, lists operating VPN tunnels
show crypto isakmp sa: On the Cisco PIX appliance, shows the Phase 1 security associations
show crypto ipsec sa: On the Cisco PIX appliance, shows the Phase 2 security associations

Troubleshooting

FortiGate debug commands:

diag debug enable
diag debug appli ike 2

Displays the phase 1 and phase 2 negotiations

Cisco PIX debug commands:

debug crypto isakmp: Displays messages about IKE events
debug crypto ipsec: Displays information about IPSec events
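The Cisco side above is written in PIX 6.3 syntax, while the asker has an ASA 5520 and wants only one server admitted to the tunnel. The following is an added example, not part of DIPRAJ's answer or of Fortinet's or Cisco's documentation: the equivalent ASA configuration in pre-8.3 syntax, mirroring the phase 1 and phase 2 parameters used in the FortiGate steps (3DES/SHA1, DH group 2, 86400 s lifetimes, no PFS) and narrowing the interesting traffic to a single host. The peer address 61.95.205.173, the FortiGate LAN 10.1.4.0/24 and the names fortinet, test and BGLR are taken from the answer above; the server address 192.192.192.10 is a constructed placeholder for the one server on the ASA side, and the pre-shared key is left as a placeholder to be replaced.

```cisco
! Added example: Cisco ASA 5520 (pre-8.3 syntax) as the IPsec peer of the
! FortiGate configured above. Only one server (placeholder 192.192.192.10)
! behind the ASA is permitted into the tunnel.

! --- Phase 1 (IKEv1): must match the FortiGate phase 1 proposal ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! Pre-shared key bound to the FortiGate's public address (same key on both sides)
tunnel-group 61.95.205.173 type ipsec-l2l
tunnel-group 61.95.205.173 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET

! --- Interesting traffic: single server <-> FortiGate LAN ---
! The FortiGate phase 2 selectors must mirror this (destination 192.192.192.10/32),
! otherwise phase 2 negotiation fails with a selector mismatch.
access-list BGLR extended permit ip host 192.192.192.10 10.1.4.0 255.255.255.0

! Exempt tunnel traffic from NAT (pre-8.3 "nat 0" form)
nat (inside) 0 access-list BGLR

! --- Phase 2: must match the FortiGate phase 2 proposal (PFS disabled) ---
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map test 10 match address BGLR
crypto map test 10 set peer 61.95.205.173
crypto map test 10 set transform-set fortinet
crypto map test 10 set security-association lifetime seconds 86400
crypto map test interface outside

! Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-vpn
```

Two points worth checking when applying this. First, the selectors must agree end to end: if the ASA only proposes host 192.192.192.10, the FortiGate phase 2 dst-subnet and the Site2_net firewall address must be 192.192.192.10 255.255.255.255 rather than the /24 shown in the answer, or the tunnel will fail at phase 2 even though phase 1 completes. Second, sysopt connection permit-vpn waives the outside interface ACL for decrypted traffic; if the partner should reach only specific ports on that server, omit it and permit those ports explicitly on the outside ACL instead. On ASA 8.3 and later the NAT exemption is expressed as an identity twice-NAT rule rather than nat 0, and on 8.4 and later crypto isakmp becomes crypto ikev1, so adapt those lines to the running version. The show crypto isakmp sa and show crypto ipsec sa commands from the answer verify each phase on the ASA.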


DanJ

IPSEC is an industry standard protocol. That's all, the rest are supported encryption/authentication protocols on the platform. Any new device on the market shall make you happy.
Meru_IT (Asker)

The solution was appropriate