Meru_IT
asked on
Can a site-to-site VPN be created between two dissimilar firewalls?
Hi, I have a Cisco ASA 5520 firewall on which I want to configure a site-to-site VPN with one of our partner company. The partner company uses a Fortigate 50B UTM device which has to work as the remote peer. Traffic from only one server from my network needs to be allowed through the VPN. Please help with the required configuration on the Cisco ASA.
Thanks in advance
Yes, definitely.
Components
* FortiGate unit with FortiOS v3.0 firmware, MR5 Patch 2 or later
* Cisco PIX with IOS version 6.3(1) or 6.3(3)
Prerequisites
* The FortiGate unit must be in NAT mode.
Configure FortiGate VPN Phase 1
To configure using the Web-based Manager
1. Go to VPN > IPSec > Auto-Key and select Phase 1.
2. Enter the following:
Name: VPN name. For example, GW-FG-PIX.
Remote Gateway: Static IP Address
IP Address: The public IP address of the Cisco appliance. For example, 203.200.216.194
Local Interface: The interface that connects to the remote VPN: WAN1
Mode: Main (default)
Authentication Method: Preshared Key
Pre-shared Key: The same preshared key configured on the Cisco appliance.
3. Select Advanced and enter the following:
Enable IPSec Interface Mode: Disable
P1 Proposal: 1 – Encryption 3DES, Authentication SHA1 (default)
Delete proposal 2
DH Group: 2
Keylife: 86400 (default)
Nat-traversal: Disable
Dead Peer Detection: Disable
4. Select OK.
To configure using the CLI:
Using the example configuration, enter the following commands.
config vpn ipsec phase1
edit "GW-FG-PIX"
set interface wan1
set dpd disable
set dhgrp 2
set proposal 3des-sha1
set keylife 86400
set remote-gw 203.200.216.194
set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXX
end
Configure FortiGate VPN Phase 2
When you configure the IPSec VPN phase 2, you set the source selector to the private network behind the FortiGate unit, and set the destination selector to the private network behind the Cisco appliance.
To configure using the Web-based Manager
1. Go to VPN > IPSec > Auto-Key and select Phase 2.
2. Enter the following:
Name: A name for the VPN Phase 2 configuration. For example, Tunnel-FG-PIX.
Phase 1: Phase 1 configuration name: GW-FG-PIX
3. Select Advanced and enter the following:
P2 Proposal: 1 – Encryption 3DES, Authentication SHA1
Delete proposal 2
Enable replay detection: Disable
Enable perfect forward secrecy: Disable
DH Group: 5
Keylife: 86400 seconds
Autokey Keep Alive: Enable
Source Address: 10.1.4.0/24
Destination Address: 192.192.192.0/24
4. Select OK.
Using the CLI
Using the example configuration, enter the following commands.
config vpn ipsec phase2
edit Tunnel-FG-PIX
set dhgrp 5
set keepalive enable
set phase1name GW-FG-PIX
set proposal 3des-sha1
set pfs disable
set replay disable
set keylife-type seconds
set keylifeseconds 86400
set src-addr-type subnet
set src-subnet 10.1.4.0 255.255.255.0
set dst-addr-type subnet
set dst-subnet 192.192.192.0 255.255.255.0
end
Configure FortiGate Firewall Addresses
Create firewall addresses for the private networks at either end of the VPN.
To configure using the Web-based Manager
1. Go to Firewall > Address and select Create New.
2. Enter the following:
Address Name: A name for the address. For example:
“LocalLAN” for the network behind the FortiGate unit.
“Site2_net” for the network behind the Cisco appliance.
Type: Subnet/IP Range
Subnet/IP Range: The network address and subnet mask. For example:
Enter “10.1.4.0 255.255.255.0” for LocalLAN.
Enter “192.192.192.0 255.255.255.0” for Site2_net.
3. Select OK.
Using the CLI
Using the example configuration, enter the following commands.
config firewall address
edit "LocalLAN"
set subnet 10.1.4.0 255.255.255.0
next
edit "Site2_net"
set subnet 192.192.192.0 255.255.255.0
end
Configure FortiGate Firewall Policy
The IPSec firewall policy allows communication in both directions between hosts on the network behind the FortiGate unit and hosts behind the Cisco appliance.
To configure using the Web-based Manager
1. Go to Firewall > Policy and select Create New.
2. Enter the following:
Source Interface/Zone: The interface connected to the local network: internal.
Source Address: The firewall address of the local network: LocalLAN.
Destination Interface/Zone: The interface that connects to the remote network: WAN1.
Destination Address: The firewall address of the remote network: Site2_net.
Schedule: always
Service: ANY
Action: IPSEC
VPN Tunnel: GW-FG-PIX
Allow inbound: Enable
Allow outbound: Enable
Inbound NAT: Disable
Outbound NAT: Disable
3. Select OK.
Using the CLI
Using the example configuration, enter the following commands.
config firewall policy
edit 1
set srcintf internal
set dstintf wan1
set srcaddr LocalLAN
set dstaddr Site2_net
set action ipsec
set inbound enable
set outbound enable
set natinbound disable
set natoutbound disable
set schedule always
set service ANY
set vpntunnel GW-FG-PIX
end
Configure Cisco appliance
This Cisco PIX appliance is configured using its CLI.
To configure Cisco PIX Phase 1, enter the following commands:
isakmp enable outside
isakmp key ******* address 61.95.205.173 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
To configure Cisco PIX Phase 2, enter the following:
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map test 10 ipsec-isakmp
crypto map test 10 match address BGLR
crypto map test 10 set peer 61.95.205.173
crypto map test 10 set transform-set fortinet
crypto map test interface outside
crypto map test 10 set security-association lifetime seconds 86400
Additional Cisco PIX Policies
Set access control list (ACL) for desired VPN traffic and bypass NAT:
access-list BGLR permit ip 192.192.192.0 255.255.255.0 10.1.4.0 255.255.255.0
nat (inside) 0 access-list BGLR
sysopt connection permit-ipsec
Testing the VPN
You can test the VPN by pinging addresses on the remote LAN. You can also use the following commands to verify VPN operation:
diag vpn tunnel list: On the FortiGate unit, lists operating VPN tunnels
show crypto isakmp sa: On the Cisco PIX appliance, shows the Phase 1 security associations
show crypto ipsec sa: On the Cisco PIX appliance, shows the Phase 2 security associations
Troubleshooting
FortiGate debug commands
diag debug enable
diag debug appli ike 2
Displays the phase 1 and phase 2 negotiations
Cisco PIX debug commands
debug crypto isakmp: Displays messages about IKE events
debug crypto ipsec: Displays information about IPSec events
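As an added cross-check (example code written for this page, not from the post above or from either vendor), the following Python pulls the negotiable parameters out of the FortiGate and PIX snippets and reports any on which the two peers would not agree, which is the first thing to verify when a dissimilar-vendor tunnel stays down. The FORTI and CISCO strings are constructed excerpts of the answer's snippets, reduced to the parameter-bearing lines.

```python
import re

# Parameter-bearing lines lifted from the two snippets above (constructed, not full configs).
FORTI = """config vpn ipsec phase1
set dhgrp 2
set proposal 3des-sha1
set keylife 86400
end
config vpn ipsec phase2
set proposal 3des-sha1
set src-subnet 10.1.4.0 255.255.255.0
set dst-subnet 192.192.192.0 255.255.255.0
end"""
CISCO = """isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
access-list BGLR permit ip 192.192.192.0 255.255.255.0 10.1.4.0 255.255.255.0"""

HASH = {"sha": "sha1", "md5": "md5"}  # PIX hash names -> FortiGate proposal names

def parse_forti(text):
    """Return {'phase1': {...}, 'phase2': {...}} from FortiGate 'set key value' lines."""
    out = {}
    for name, body in re.findall(r"config vpn ipsec (phase[12])\n(.*?)\nend", text, re.S):
        out[name] = dict(re.findall(r"^set (\S+) (.+)$", body, re.M))
    return out

def parse_cisco(text):
    """Pull the phase 1 policy, the ESP transform and the crypto ACL from PIX lines."""
    p1 = dict(re.findall(r"^isakmp policy \d+ (\S+) (\S+)$", text, re.M))
    ts = re.search(r"^crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac$", text, re.M)
    acl = re.search(r"^access-list \S+ permit ip (\S+ \S+) (\S+ \S+)$", text, re.M)
    return {"phase1": p1, "esp": f"{ts.group(1)}-{HASH[ts.group(2)]}",
            "local": acl.group(1), "remote": acl.group(2)}  # ACL is local-then-remote

def mismatches(forti, cisco):
    """List the settings on which the two peers would fail to agree (empty = consistent)."""
    f1, f2, c1 = forti["phase1"], forti["phase2"], cisco["phase1"]
    want = {"proposal": f"{c1['encryption']}-{HASH[c1['hash']]}",
            "dhgrp": c1["group"], "keylife": c1["lifetime"]}
    bad = [f"phase1 {k}: {f1.get(k)} vs {v}" for k, v in want.items() if f1.get(k) != v]
    if f2["proposal"] != cisco["esp"]:
        bad.append(f"phase2 proposal: {f2['proposal']} vs {cisco['esp']}")
    # Phase 2 selectors must mirror: FortiGate src/dst == PIX ACL dst/src.
    if (f2["src-subnet"], f2["dst-subnet"]) != (cisco["remote"], cisco["local"]):
        bad.append("phase2 selectors do not mirror the crypto ACL")
    return bad
```

Run mismatches(parse_forti(FORTI), parse_cisco(CISCO)) against your own two configs; an empty list means the page's settings line up, and each string in a non-empty list names the side and parameter to fix.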
IPSEC is an industry standard protocol. That's all; the rest are supported encryption/authentication protocols on the platform. Any new device on the market shall make you happy.
FortiGate to Cisco PIX VPN - Step by step including diagrams
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=13574
ASKER
The solution was appropriate