👉 👉 ⭐ For Sponsored/Guest Articles, please email us on 📧 ⭐

IPsec site-to-site VPN tunnel between Cisco ASA & FortiGate Firewall

Setting up an IPsec S2S VPN tunnel
Cisco ASA & FortiGate Firewall

We are going to talk about the IPsec VPN tunnel between Cisco ASA and Fortinet firewall where one site is protected by a FortiGate, while another is protected by a Cisco ASA

We are configuring the tunnel between each site, avoiding overlapping subnets, so that a secure tunnel may be formed with the required security profiles applied. It uses FortiOS 5.0 and Cisco ASDM 6.4. Both devices must be set up with the proper internal and exterior interfaces for the operation to work.

Fig 1.1- IPSec Site2site tunnel

What we are going to do ?

  • Configuring the Cisco device using the IPsec VPN Wizard
  • Configuring the FortiGate tunnel phases
  • Configuring the FortiGate policies
  • Configuring the static route in the FortiGate

IPsec VPN Wizard to configure the Cisco ASA

Step 1: In the Cisco ASDM, under the Wizard menu, select IPsec VPN Wizard.

Step 2: From the options that appear, select Site-to site, with the VPN Tunnel Interface set to outside, then click Next.

Fig 1.2- Cisco ASA- ASDM site to site screen

Step 3: In the Peer IP Address field, enter the IP address of the FortiGate unit through which the SSL VPN traffic will flow.

Fig 1.3- Cisco ASDM

Step 4: Under Authentication Method, enter a secure Pre-Shared Key. You will use the same key when configuring the FortiGate tunnel phases. Choose something more secure than “Password” and click Next.

Step 5: Configure Phase 1 with AES-256 Encryption and SHA Authentication and Set the Diffie-Hellman Group to 5

Fig 1.4- Cisco ASDM

Step 6: Enable PFS and set the Diffie-Hellman Group to 2.

Step 7: Set the Local Network and Remote Network.

Fig 1.5- Cisco ASDM

On the Cisco ASA, the tunnel configuration is finished. You must now set up the FortiGate using comparable configurations, with the exception of the remote gateway.

IPsec VPN Wizard to configure the FortiGate Firewall

Step 1: In the FortiOS GUI, navigate to VPN >IPsec > Auto Key (IKE) and select Create Phase 1.

Step 2: Name the tunnel, statically assign the IP Address of the remote gateway, and set the Local Interface to wan1.

Fig 1.6- FortiGate Firewall

Step 3: Select Preshared Key for Authentication method and enter the same Preshared key you chose when configuring the Cisco IPsec VPN Wizard. Configure this phase to match the encryption settings configured on the Cisco device and click OK.

Step 4: Select Create Phase 2.Identify Phase 1, which you just configured, and ensure that the encryption settings match the Phase 2 encryption settings configured on the Cisco device. Optionally, provide the Source address and Destination address at the tunnel's ends under Quick Mode Selector.

Fig 1.7- FortiGate Firewall

Configuring the FortiGate policies

Step 1: Navigate to Policy > Policy > Policy and create firewall policies that allow inbound and outbound traffic over the tunnel.

Step 2: In the first (outbound) policy, set the Incoming Interface to lan and set the source Address to all.

Step3: Set the Outgoing Interface to the tunnel interface and set the Destination Address to all. Configure the Schedule and Service as desired.

Step 4: Create the second (inbound) policy to allow traffic to flow in the opposite direction, and configure the Schedule and Service as desired.

Fig 1.8- FortiGate Firewall

Configuring the static route in the FortiGate

Step1: Navigate to Router > Static > Static Routes and select Create New

Step 2: Create a static route with the Destination IP/Mask matching the address of the Cisco local network (by default, Device, select the site-to-site tunnel, and click OK. On Fortigate side, now the tunnel configuration is finished.

Continue Reading..

Site-to-Site VPN: IPSEC Tunnel Between an ASA and a Cisco IOS Router - The Network DNA
Site-to-Site IPsec VPN Tunnel with two FortiGate Firewalls - The Network DNA
Security: FortiGate to SonicWall VPN Tunnel setup - The Network DNA
The Network DNA : Security

No comments