VPN cisco 800 series Fortigate

Alex801415
Level 1

Hi all!

I am trying to set up an IPsec VPN tunnel between a Cisco 877 and a FortiGate FM3000.

The tunnel is up; from the Cisco I can ping the IP of the FortiGate's interface.

From the FortiGate I can ping the interface used as the public interface of the Cisco.

But it is impossible to ping the private network behind the Cisco from the private network behind the FortiGate, and vice versa.

I have an ACL permitting any any on the Cisco and an all/all firewall rule on the FortiGate.

I don't know what is blocking it.

Moreover, I see something strange: I have virtual-access 1 configured on the Cisco, and when I traceroute to the FortiGate's interface IP, the packets use this interface and IP to go out... What is virtual-access 1? Is it created automatically with the tunnel?

I tried to put a new ACL in the crypto map but I can't do it; is that normal?

Is it necessary to put the Cisco FastEthernet0, behind which my server sits, in the tunnel, like Dialer0?

Is it necessary to route the traffic into the tunnel? Isn't that done automatically?

Could you explain to me what is necessary to allow communication between the private networks behind the 2 routers?
Thanks

Alexaaa

11 Replies

Jennifer Halim
Cisco Employee

Can you share the configuration on the 877 router?

One thing that you might want to check is that you have configured NAT exemption for traffic between the 877 LAN and the FortiGate LAN that matches your crypto ACL.

Thanks for your reply.

For the NAT exemption, I don't think I have done that. How can I check? I saw sysopt connection permit-ipsec, but I am unable to use it on the 877.

Configuration of the 877:
X.X.X.X is the IP of the FortiGate
Y.Y.Y.Y is the IP of the Cisco
10.41.2.32 is the private network behind the FortiGate
192.168.252.0 is the private network behind the Cisco; I use VLAN 2 for it


IPSEC#show run
Building configuration...

Current configuration : 3247 bytes
!
! Last configuration change at 15:04:30 CEDT Wed Jun 23 2010
! NVRAM config last updated at 11:13:54 CEDT Wed Jun 23 2010
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname IPSEC
!
boot-start-marker
boot-end-marker
!
logging buffered 1000000
enable secret 5 xxcU.
!
no aaa new-model
clock timezone GMT 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.254.0 192.168.254.99
ip dhcp excluded-address 192.168.254.128 192.168.254.255
!
ip dhcp pool DHCP
   network 192.168.254.0 255.255.255.0
   default-router 192.168.254.254
   dns-server A.A.A.A B.B.B.B
!
!
no ip domain lookup
ip name-server A.A.A.A
ip name-server B.B.B.B
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ciscokey address X.X.X.X
!
!
crypto ipsec transform-set vpntest esp-aes 256 esp-sha-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer X.X.X.X
set transform-set vpntest
match address 101
!
archive
log config
  hidekeys
!
!
!
track 1 ip route Y.Y.Y.Y 255.255.255.255 reachability
delay down 1 up 60
!
!
!
interface Tunnel0
ip address 2.2.2.1 255.255.255.252
tunnel source Dialer0
tunnel destination X.X.X.X
!
interface ATM0
bandwidth 320
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
mtu 1492
bandwidth 160
pvc 8/35
  vbr-nrt 160 160
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
ip address 192.168.20.253 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface Vlan2
ip address 192.168.252.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
bandwidth 128
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
keepalive 1 2
ppp authentication chap callin
ppp chap hostname xxx@aa.aaa.com
ppp chap password 7
crypto map myvpn
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.41.2.32 255.255.255.240 Tunnel0
!
no ip http server
no ip http secure-server
ip dns server
ip nat translation tcp-timeout 5400
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list standard DIFFUSION
permit 0.0.0.0
deny   any
!
access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
snmp-server community public RO
snmp-server community An3 RW 99
snmp-server community a RO
snmp-server community aCommunityRead RO
no cdp run
!
!
!
control-plane
!
!
line con 0
password 7 0502080824424B1B1000
login
no modem enable
line aux 0
line vty 0 4
password 7 0945400E1C0B12000209
login
escape-character 5
!
scheduler max-task-time 5000
ntp clock-period 17175036
ntp server B.B.B.B
ntp server A.A.A.A
end

Hello.

First of all, I do not see the ACL called NAT:

ip nat inside source list NAT interface Dialer0 overload

In that ACL you should have FIRST a deny from your local LAN to the remote LAN, then the traffic that you want to NAT for Internet access.

Create it:

ip access-list extended NAT
 remark destination wildcard matches the remote LAN in crypto ACL 101
 deny ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
 permit ip any any

If you are using IPsec for that tunnel, go ahead and use an IPsec profile; it's easier and faster.

Disable and remove the crypto map that you have created.

Then add:

crypto ipsec profile NAME
 set transform-set vpntest
!
interface Tunnel0
 tunnel protection ipsec profile NAME

You won't need the ACL for the interesting traffic; the route

ip route 10.41.2.32 255.255.255.240 Tunnel0

will do that for you.

If you do not want to use the IPsec profile, then add the crypto map to Tunnel0 as well and do the NAT exemption.

The NAT exemption has to be created whether you use a crypto map OR an IPsec profile.

Thanks for your reply!

The ip access-list ext NAT is OK.
For the moment I don't want to use an IPsec profile. Maybe I will try it later.

I added my crypto map to Tunnel0.

Now I have to create the NAT exemption, but I am not sure what is necessary.

Do I have to create a new ACL, with something inside like nat (fastethernet0 or vlan2?) 0 access-list [ACL-name]?

Do I need this in both directions, from the Cisco to the Forti and vice versa?

Thanks for your help.
Alexaaa

Hello

If your FortiGate is doing NAT then yes. The ACL is from your local LAN to the remote LAN.

Alex, if you are going to use the crypto map, you will have to add to the interesting-traffic ACL a line for GRE traffic, NOT for the host IPs as in a site-to-site case.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Using crypto maps is not useful for this situation. Using profiles requires only 3 commands.

Really, try the profile; you won't waste your time, and if you have to add another site to this tunnel in the future you do not have to add all that stuff.

OK, I will try the profile tomorrow.

But with a profile, is NAT exemption still necessary?


Thanks

Alexaa

Yes, because you are doing NAT on those devices, a NAT exemption is required.

I don't really know what a NAT exemption is. Do I do it with an ACL?

You have an ACL called NAT right now, right? To specify what you want to NAT...

Add some entries to that ACL specifying that you do not want to NAT (or include in that ACL) traffic from your local LAN to the remote LAN.

I don't want to use GRE because it is not secure, is that right?
I just want a site-to-site VPN.

I don't understand why GRE is necessary with a crypto map.
I added this ACL:
ip access-list extended NAT
 remark destination wildcard matches the remote LAN in crypto ACL 101
 deny ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
 permit ip any any

But I manage my Cisco via its public IP and I lost access to it...
The permit any any resulted in the loss of access to my router via its public IP... I don't think it is necessary because the implicit rule is deny any any...

So now I have this ACL:

ip access-list extended NAT
 remark destination wildcard matches the remote LAN in crypto ACL 101
 deny ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31

I can ping 10.41.2.X from my Cisco!!!

I can ping 192.168.252.1 from my Forti!

Still one problem: I can't ping the server behind the Cisco with IP 192.168.252.2... From the Cisco I can ping it, but from the Forti and the server behind the Forti I get a timeout... Is it necessary to add a new ACL for traffic from 10.41.2.36 to 192.168.252.0?

Thanks
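The NAT-exemption advice given in the replies above (Jennifer's hint, the ACL with a deny ahead of the permit, and the "add entries to that ACL" reply) can be checked mechanically rather than by pinging. The following Python script is an added example and is not code from this thread or from Cisco: it parses IOS ACLs, finds the ACL referenced by the crypto map's match address and the one referenced by ip nat inside source list, and first-matches every flow the crypto ACL encrypts against the NAT ACL the way IOS evaluates it. The configuration it runs on is constructed from the addresses posted in this thread (a hypothetical sample, not the poster's verbatim running config), in three variants: the exemption as recommended, no exemption, and the deny entered without a destination wildcard as typed later in the thread. Treating a bare address as a host entry is an assumption about how IOS reads such a line.

```python
"""Check an IOS crypto-map VPN: is the interesting traffic exempted from NAT?"""
import ipaddress
import re

# Constructed sample modeled on the 877 config posted in this thread: same addresses, the
# NAT ACL the replies propose (destination wildcard spelled out). Not the poster's config.
SAMPLE_CONFIG = """\
crypto map myvpn 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set vpntest
 match address 101
ip nat inside source list NAT interface Dialer0 overload
ip access-list extended NAT
 deny   ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
 permit ip any any
access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
"""
# No exemption: LAN-to-LAN packets are PATed to Dialer0's address first and never match 101.
NO_EXEMPTION_CONFIG = SAMPLE_CONFIG.replace(
    " deny   ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31\n", "")
# The deny typed without a destination wildcard, as in the thread: where IOS accepts the
# line at all it is a host entry (assumption), so only 10.41.2.32 itself is exempted.
HOST_ONLY_CONFIG = SAMPLE_CONFIG.replace("10.41.2.32 0.0.0.31\n permit", "10.41.2.32\n permit")

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp", "ospf", "eigrp", "pim"}
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard mask -> IPv4Network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)

def _operand(tokens, i):
    """Parse one address operand at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[i + 1]):
        return wildcard_to_network(tok, tokens[i + 1]), i + 2
    return ipaddress.IPv4Network(tok + "/32"), i + 1  # bare address: host entry (assumption)

def _entry(tokens):
    """'permit|deny ...' tokens (standard or extended) -> (action, proto, src, dst)."""
    if tokens[1] in PROTOCOLS or tokens[1].isdigit():  # extended: proto src dst [ports]
        src, i = _operand(tokens, 2)
        return (tokens[0], tokens[1], src, _operand(tokens, i)[0])
    return (tokens[0], "ip", _operand(tokens, 1)[0], ANY)  # standard: source only

def parse_acls(config):
    """{acl name: [(action, proto, src_net, dst_net), ...]} in configured order."""
    acls, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:2] == ["ip", "access-list"] and len(tokens) >= 4:
            current = tokens[3]
            acls.setdefault(current, [])
        elif tokens[0] == "access-list" and len(tokens) > 3 and tokens[2] in ("permit", "deny"):
            acls.setdefault(tokens[1], []).append(_entry(tokens[2:]))
            current = None
        elif tokens[0] in ("permit", "deny") and current:
            acls[current].append(_entry(tokens))
        elif not raw.startswith(" "):
            current = None  # any other top-level line closes the named ACL block
    return acls

def crypto_acl_name(config, map_name):
    """ACL named by 'match address' in the first entry of the given crypto map."""
    pattern = rf"^crypto map {re.escape(map_name)} \d+ .*\n(?: .*\n)*? match address (\S+)"
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None

def nat_acl_name(config):
    """ACL selecting traffic for 'ip nat inside source list ... overload'."""
    m = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    return m.group(1) if m else None

def check_nat_exemption(config, map_name="myvpn"):
    """First-match each crypto-ACL permit against the NAT ACL (addresses only).
    Returns [(src, dst, verdict)] for flows the NAT ACL would translate ('permit') or only
    partly exempt ('partial'); [] means every VPN flow is exempted, by an explicit deny or
    by the implicit deny at the end of the NAT ACL."""
    acls = parse_acls(config)
    nat = acls.get(nat_acl_name(config), [])
    findings = []
    for action, _proto, src, dst in acls.get(crypto_acl_name(config, map_name), []):
        verdict = "unmatched"
        for n_action, _p, n_src, n_dst in nat:
            if action == "permit" and src.overlaps(n_src) and dst.overlaps(n_dst):
                verdict = n_action if src.subnet_of(n_src) and dst.subnet_of(n_dst) else "partial"
                break
        if verdict in ("permit", "partial"):
            findings.append((str(src), str(dst), verdict))
    return findings

if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, NO_EXEMPTION_CONFIG, HOST_ONLY_CONFIG):
        print(check_nat_exemption(cfg) or "OK: every crypto-ACL flow is exempted from NAT")
```

The verdict comes from the first NAT ACL entry that overlaps the flow, which is how IOS walks the list, so order matters: a deny for the LAN-to-LAN pair placed after permit ip any any exempts nothing, and a deny written as a single host only partly covers the /27 and is reported as partial. One more thing worth checking by hand in the posted configuration: crypto ACL 101 describes the remote LAN with wildcard 0.0.0.31 (a /27) while the static route into Tunnel0 uses mask 255.255.255.240 (a /28); the crypto ACL, the NAT exemption and the route should all describe the same remote prefix.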
