Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
394
Views
0
Helpful
2
Replies

IPsec Tunnel PIX issues

pramod
Level 1
Level 1

‎07-21-2010 01:29 AM - edited ‎03-11-2019 11:14 AM

Can anyone provide me soln for the below

My goal is to create an ipsec tunnel between my pix and fortigate(other vendor)
I am facing a lot of issues

Site A network looks like this


---10.41.x.x/16---switch(192.168.1.1/30)----(192.168.1.2)pix--122.x.x.x----internet


Site B look like this

10.x.x.x/8----fortigate---116.x.x.x---internet


Before establishing tunnel i tried to ping the pix outside address from my fortigate and pinging fine
{As public ip its fine and reachable}

But after i create ipsec tunnel from fortigate its not pinging my pix firewall outside ip! what might be the issue? and its not even pinging directly connected gateway ip

one more i need to know is while creating cryptomap on pix,which network i have to define

192.168.x.x or 10.41.x.x ?

Do i need to create any static route ? for internal subnet reachability? if so how ?

can some one explain in detail to address these issues ?

Seeking help from experts

Thanks,

Pramod

Labels:
0 Helpful
2 Replies 2

rahgovin
Level 4
Level 4

‎07-21-2010 04:37 AM

The interesting traffic should be between your 10.41.x.x on site A and the 10.x.x.x on site B( if those indeed are your networks). Is that what has been defined on the PIX and fortigate?

Also th route to be added on the PIX should be

route inside 10.41.x.x 255.255.0.0 192.168.1.1

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee

‎07-21-2010 02:15 PM

You would need to create mirror image crypto ACL on the PIX and Fortigate.

Based on the network diagram, I assume that from the PIX end, your traffic would be from 10.41.0.0/16, hence that would be the interesting traffic for your crypto ACL.

However, looks like you have overlapping networks between your Fortigate LAN and PIX LAN as both falls under the 10.0.0.0 network. If your Fortigate LAN /8? If it is, then it's overlapping. You would need to NAT the traffic so it's not overlapping because routing will not work when it's overlapping subnets. If your Fortigate LAN is /24, then it's OK.

Here is a sample configuration for overlapping subnet for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Hope that helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card