![cisco asa to fortinet vpn cisco asa to fortinet vpn](https://docplayer.net/docs-images/40/10436560/images/page_5.jpg)
At the same time, perhaps because of that legacy, I don't view the Cisco devices as truly UTM capable even though they can be. They also have a VM option if you don't want to buy hardware, haven't used it myself though.Īll that said, I grew up on the PIX and the ASA and I wouldn't recommend them over a Fortinet anymore. On the positive side, unlike some other centralized platforms *cough*checkpoint*cough* you can manage the boxes just fine locally if your FM instance blows up.
Cisco asa to fortinet vpn password#
There are also some weird things, like you can't push a policy change that includes the new password but you can retrieve it, and instead of giving a helpful error like "Apply passwords with special characters locally and retrieve", you get 5 minutes of hanging followed by "Failed". There's a small chance that anyone will run into that issue because you have to pound the snot out of it to get into kernel conserve mode before it is a problem, but it can happen. Having to USE IT because a failed push whacked some policy? Not good. Centralized through FortiManager? Pluses and minuses. If you have a problem, see the debugging/troubleshooting links below.How is the management interface of the Fortinet? Tech Note: Look at all those Ciphers/Hashing/Additional Protocols that are about to be turned on! ? That’s why I work at command line.įinally you will need to send some traffic over the tunnel to ‘bring it up’. MAKE SURE that the new object is selected as the Remote Network > Next.Įnter the Pre-Shared key you used (above) > Next > Tick to DISABLE NAT > Next > Finish. You should already have an object for your Local Network add that in > Then add in a new Network Object for the remote (behind the Fortigate) subnet. Phase 2 Selectors > Edit > Advanced > Untick Enable Perfect Forward Secrecy > OK.Ĭreate IKE/IPSec VPN Tunnel On Cisco ASA (ASDM)Ĭonnect to the ASDM > Wizards > VPN Wizards > Site-to-Site VPN Wizard > Next. Select IPSec Tunnels > Select the new tunnel > Edit. Local interface will be in the ‘inside’ interface on the Fortigate > Enter the local subnet(s) > Enter the remote (behind the ASA) subnet(s) > Next. Give it the ‘public’ IP of the Cisco ASA > Set the port to the ‘outside’ port on the Fortigate > Enter a pre-shared key, (text string, you will need to enter this on the Cisco ASA as well, so paste it into Notepad or something for later) > Next. Create IKE/IPSec VPN Tunnel On Fortigateįrom the web management portal > VPN > IPSec Wizard > Give the tunnel a name > Change the remote device type to Cisco > Next. (They do on older versions of the OS, but not on the newer ones). And Fortinet enables PFS and Cisco don’t. Fortinet sets all the DH groups to 5, and Cisco sets them all to 2. Tech Note: If you just use both wizards it wont work, thankfully I could debug the tunnel on the Cisco ASA to work out why. This is an exercise in getting the tunnel up and making it work.
![cisco asa to fortinet vpn cisco asa to fortinet vpn](https://weberblog.net/wp-content/uploads/2015/01/S2S-VPN-FortiGate-Cisco-ASA-Laboratory.png)
I will post another article on the same subject, but then I’ll make the tunnel as secure as I can, (watch this space). Couple that with all the weak Crypto sets that get enabled, because someone might have a hardware firewall from 1981 or something! So in production I’d consider doing things a little more manually. Which means it enables IKEv1 NOT IKEv2 on the Fortigate, and BOTH IKEv1 and IKEv2 gets enabled on the Cisco ASA. This is designed for the ‘Let’s just make it work, who cares what’s going on under the hood‘ generation. Well that’s the pretty picture, I’m building this EVE-NG so here’s what my workbench topology looks like ĭisclaimer (Read First! Especially before posting any comments!)įortinet prides itself on you not needing to use the CLI, (until you actually need to use the CLI of course!) But both ends are configured using the GUI and ASDM.
Cisco asa to fortinet vpn how to#
As the bulk of my knowledge is Cisco ASA it seems sensible for me to work out how to VPN both those firewalls together, like so One of the basic requirements of any edge firewall is site to site VPN. Continuing with my ‘ Learn some Fortigate‘ theme’.