VPN cisco 800 series Fortigate

Unanswered Question
Jun 22nd, 2010

Hi all!

I am trying to set up an IPsec VPN tunnel between a Cisco 877 and a FortiGate FM3000.

The tunnel is UP, and from the Cisco I can ping the IP of the FortiGate's interface.

From the FortiGate I can ping the interface used as the public interface of the Cisco.

But it is impossible to ping the private network behind the Cisco from the private network behind the FortiGate, and vice versa.

I have an ACL "permit any any" in the Cisco and a firewall rule all/all in the FortiGate.

I don't know what blocks it.

Moreover, I see something strange: I have Virtual-Access1 configured on the Cisco, and when I traceroute to the IP of the FortiGate's interface, the packets use this interface and IP to go out... What is Virtual-Access1? Is it automatically created with the tunnel?

I tried to put a new ACL in the crypto map but I can't do it; is that normal?

Is it necessary to put the Cisco's FastEthernet0, which has my server behind it, in the tunnel, like Dialer0?

Is it necessary to route the traffic to the tunnel? Isn't it done automatically?

Could you explain to me what is necessary in order to allow communication between the private networks behind the 2 routers?


Jennifer Halim Wed, 06/23/2010 - 06:05

Can you share the configuration on the 877 router?

One thing that you might want to check is that you have configured NAT exemption for traffic between the 877 LAN and the FortiGate LAN that matches your crypto ACL.

Alex801415 Wed, 06/23/2010 - 06:30

Thanks for your reply.

For the NAT exemption, I don't think I have done that. How can I check that? I saw

sysopt connection permit-ipsec but I am unable to use it on the 877.

877 configuration:
X.X.X.X is the IP of the FortiGate
Y.Y.Y.Y is the IP of cisco is the private network behind the fortigate is the private network behind the cisco I use the vlan2

IPSEC#show run
Building configuration...

Current configuration : 3247 bytes
! Last configuration change at 15:04:30 CEDT Wed Jun 23 2010
! NVRAM config last updated at 11:13:54 CEDT Wed Jun 23 2010
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
hostname IPSEC
logging buffered 1000000
enable secret 5 xxcU.
no aaa new-model
clock timezone GMT 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp pool DHCP
   dns-server A.A.A.A B.B.B.B
no ip domain lookup
ip name-server A.A.A.A
ip name-server B.B.B.B
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ciscokey address X.X.X.X
crypto ipsec transform-set vpntest esp-aes 256 esp-sha-hmac
crypto map myvpn 10 ipsec-isakmp
set peer X.X.X.X
set transform-set vpntest
match address 101
log config
track 1 ip route Y.Y.Y.Y reachability
delay down 1 up 60
interface Tunnel0
ip address
tunnel source Dialer0
tunnel destination X.X.X.X
interface ATM0
bandwidth 320
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
mtu 1492
bandwidth 160
pvc 8/35
  vbr-nrt 160 160
  pppoe-client dial-pool-number 1
interface FastEthernet0
switchport access vlan 2
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
switchport access vlan 2
interface Vlan1
ip address
ip nat inside
no ip virtual-reassembly
interface Vlan2
ip address
ip nat inside
ip virtual-reassembly
interface Dialer0
bandwidth 128
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
keepalive 1 2
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7
crypto map myvpn
ip forward-protocol nd
ip route Dialer0
ip route Tunnel0
no ip http server
no ip http secure-server
ip dns server
ip nat translation tcp-timeout 5400
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer0 overload
ip access-list standard DIFFUSION
deny   any
access-list 101 permit ip
snmp-server community public RO
snmp-server community An3 RW 99
snmp-server community a RO
snmp-server community aCommunityRead RO
no cdp run
line con 0
password 7 0502080824424B1B1000
no modem enable
line aux 0
line vty 0 4
password 7 0945400E1C0B12000209
escape-character 5
scheduler max-task-time 5000
ntp clock-period 17175036
ntp server B.B.B.B
ntp server A.A.A.A
Diego Armando C... Wed, 06/23/2010 - 08:08


First of all, I do not see the ACL called NAT:

ip nat inside source list NAT interface Dialer0 overload

In that ACL you should FIRST have a deny from your local LAN to the remote LAN, then the traffic that you want to NAT for internet access.

Create it:

ip access-list ext  NAT

deny ip
permit ip any any

If you are using IPsec for that tunnel, go ahead and use an IPsec profile; it's easier and faster.

Disable and eliminate the crypto map that you have created.

Then add:

Crypto ipsec profile NAME

set transform vpntest

interface Tunnel0
 tunnel protection ipsec profile NAME

You won't need the ACL for the interesting traffic; the route....  ip route Tunnel0   will do that for you.

ip route Tunnel0

If you do not want to use the IPsec profile, then add the crypto map to Tunnel0 as well and do the NAT exemption.

The NAT exemption has to be created whether you use a crypto map OR an IPsec profile.

Alex801415 Wed, 06/23/2010 - 09:42

Thanks for your reply!

The ip access-list ext NAT is OK.
For the moment I don't want to use an IPsec profile. Maybe I will try it later.

I added my crypto map to Tunnel0.

Now I have to create the NAT exemption, but I am not sure what is necessary.

Do I have to create a new ACL? With inside it something like nat (fastethernet0 or vlan2?) 0 access-list [ACL-name]

Do I need this in both directions? From Cisco to Forti and vice versa?

Thanks for your help.

Diego Armando C... Wed, 06/23/2010 - 10:05


If your FortiGate is doing NAT then yes. The ACL is from your local LAN to the remote LAN.

Diego Armando C... Wed, 06/23/2010 - 10:14

Alex, if you are going to use the crypto map you will have to add to the ACL of the interesting traffic a line for GRE traffic, NOT for the hosts' IPs like in a site-to-site case.


Using crypto maps is not useful for this situation. Using profiles requires only 3 commands.

Really, try the profile; you won't waste your time. And if you have to add another site to this tunnel in the future you do not have to add all that stuff.

Alex801415 Wed, 06/23/2010 - 14:01

OK, I will try the profile tomorrow.

But with a profile, is NAT exemption still necessary?



Alex801415 Wed, 06/23/2010 - 14:29

I don't really know what a NAT exemption is. Do I do it with an ACL?

Diego Armando C... Wed, 06/23/2010 - 14:52

You have an ACL called NAT right now, right? To specify what you want to NAT...

Add some entries to that ACL and specify that you do not want to NAT (or include in that ACL) traffic from your local LAN to the remote LAN.
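
As an added illustration (not from the thread), here is a small Python model of the IOS ordering that makes the NAT exemption described in this reply and in the 08:08 reply necessary: inside-to-outside NAT on Dialer0 runs before the crypto ACL is checked, so without a leading deny line the LAN-to-LAN packet is translated to the public IP and no longer matches access-list 101. The subnets and the public IP are constructed placeholders, since the thread masks the real ones.

```python
import ipaddress

def _net(tok):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    wild = int(ipaddress.ip_address(tok[1]))  # contiguous wildcard, e.g. 0.0.0.255 -> /24
    return ipaddress.ip_network(f"{tok[0]}/{32 - wild.bit_length()}", strict=False), tok[2:]

def parse_acl(text):
    """Parse permit/deny lines of an extended ACL into (action, proto, src_net, dst_net)."""
    aces = []
    for tok in (line.split() for line in text.strip().splitlines()):
        if tok and tok[0] in ("permit", "deny"):
            src, rest = _net(tok[2:])
            aces.append((tok[0], tok[1], src, _net(rest)[0]))
    return aces

def acl_action(aces, proto, src, dst):
    """First matching entry wins; the ACL ends with an implicit deny, as in IOS."""
    for action, p, s, d in aces:
        if p in ("ip", proto) and src in s and dst in d:
            return action
    return "deny"

def leaves_dialer0(nat_acl, crypto_acl, src, dst, public_ip):
    """Return (source IP on the wire, True if the packet still matches the crypto ACL)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. 'ip nat inside source list NAT interface Dialer0 overload' rewrites the source of
    #    every packet the NAT ACL permits; inside->outside NAT runs before encryption.
    if acl_action(nat_acl, "ip", src, dst) == "permit":
        src = ipaddress.ip_address(public_ip)
    # 2. Only then is the packet compared with the crypto ACL (access-list 101 in the thread).
    return str(src), acl_action(crypto_acl, "ip", src, dst) == "permit"

# Constructed sample addresses: the thread masks the real ones (10.41.2.x is the only hint).
LOCAL_LAN, REMOTE_LAN = "192.168.10.0 0.0.0.255", "10.41.2.0 0.0.0.255"
PUBLIC_IP = "203.0.113.5"  # stands in for Dialer0's negotiated address
CRYPTO_101 = parse_acl(f"permit ip {LOCAL_LAN} {REMOTE_LAN}")
NAT_NO_EXEMPT = parse_acl("permit ip any any")  # NAT ACL with no exemption entry
NAT_EXEMPT = parse_acl(f"deny ip {LOCAL_LAN} {REMOTE_LAN}\npermit ip any any")

def demo():
    host, peer, inet = "192.168.10.20", "10.41.2.7", "198.51.100.9"
    return {
        "lan_to_lan_no_exemption": leaves_dialer0(NAT_NO_EXEMPT, CRYPTO_101, host, peer, PUBLIC_IP),
        "lan_to_lan_exempted": leaves_dialer0(NAT_EXEMPT, CRYPTO_101, host, peer, PUBLIC_IP),
        "lan_to_internet": leaves_dialer0(NAT_EXEMPT, CRYPTO_101, host, inet, PUBLIC_IP),
    }
```

Without the deny entry the LAN-to-LAN packet leaves with the public source address and misses the tunnel; with it, the packet keeps its private source and matches the crypto ACL while internet-bound traffic is still translated.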

Alex801415 Thu, 06/24/2010 - 00:25

I don't want to use GRE because it is not secure, is that right?
I just want a site-to-site VPN.

I don't understand why GRE is necessary with a crypto map.
I added this ACL:
ip access-list ext  NAT
deny ip
permit ip any any

But I manage my Cisco with its public IP and I lost access to it...
The permit any any resulted in the loss of access to my router via its public IP... I don't think it is necessary because the implicit rule is deny any any...

So now I have this ACL:

ip access-list ext  NAT
deny ip

I can ping 10.41.2.X from my Cisco!!!

I can ping from my Forti!

Still a problem: I can't ping the server behind the Cisco with IP . From the Cisco I can ping it, but from the Forti and the server behind the Forti I get a timeout... Is it necessary to add a new ACL for traffic from to ?


