New Member

IPsec Tunnel PIX issues

Can anyone provide me a solution for the below?

My goal is to create an IPsec tunnel between my PIX and a FortiGate (other vendor).
I am facing a lot of issues.

Site A network looks like this


---10.41.x.x/16---switch(192.168.1.1/30)----(192.168.1.2)pix--122.x.x.x----internet


Site B looks like this

10.x.x.x/8----fortigate---116.x.x.x---internet


Before establishing the tunnel I tried to ping the PIX outside address from my FortiGate and it was pinging fine
(as a public IP it's fine and reachable).

But after I create the IPsec tunnel from the FortiGate, it's not pinging my PIX firewall outside IP! What might be the issue? And it's not even pinging the directly connected gateway IP.

One more thing I need to know is, while creating the crypto map on the PIX, which network do I have to define:

192.168.x.x or 10.41.x.x?

Do I need to create any static route for internal subnet reachability? If so, how?

Can someone explain in detail how to address these issues?

Seeking help from experts.

Thanks,

Pramod

2 REPLIES
Silver

Re: IPsec Tunnel PIX issues

The interesting traffic should be between your 10.41.x.x on site A and the 10.x.x.x on site B (if those indeed are your networks). Is that what has been defined on the PIX and FortiGate?

Also, the route to be added on the PIX should be

route inside 10.41.x.x 255.255.0.0 192.168.1.1

Cisco Employee

Re: IPsec Tunnel PIX issues

You would need to create mirror-image crypto ACLs on the PIX and FortiGate.

Based on the network diagram, I assume that from the PIX end your traffic would be from 10.41.0.0/16, hence that would be the interesting traffic for your crypto ACL.

However, it looks like you have overlapping networks between your FortiGate LAN and PIX LAN, as both fall under the 10.0.0.0 network. Is your FortiGate LAN a /8? If it is, then it's overlapping. You would need to NAT the traffic so it's not overlapping, because routing will not work with overlapping subnets. If your FortiGate LAN is a /24, then it's OK.

Here is a sample configuration for overlapping subnets for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Hope that helps.
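The two checks the replies above describe (the crypto ACLs on both peers must be mirror images, and the local and remote selectors must not overlap) as an added Python example; this is not code from the thread or from Cisco, and the ACL lines, the FortiGate selector pairs and the `check_tunnel` helper are constructed here for illustration.

```python
import ipaddress


def parse_pix_acl(line):
    """Parse a PIX-style crypto ACL entry of the form
    'access-list NAME permit ip SRC SRCMASK DST DSTMASK'
    into (local_network, remote_network)."""
    fields = line.split()
    if len(fields) != 8 or fields[0] != "access-list" or fields[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported crypto ACL line: {line!r}")
    # ipaddress accepts dotted netmask notation ("10.41.0.0/255.255.0.0").
    local = ipaddress.ip_network(f"{fields[4]}/{fields[5]}", strict=False)
    remote = ipaddress.ip_network(f"{fields[6]}/{fields[7]}", strict=False)
    return local, remote


def is_mirror_image(pix_pair, peer_pair):
    """The peer's local selector must equal the PIX's remote selector
    and vice versa, otherwise phase 2 will not match."""
    pix_local, pix_remote = pix_pair
    peer_local, peer_remote = peer_pair
    return pix_local == peer_remote and pix_remote == peer_local


def selectors_overlap(local, remote):
    """Overlapping local/remote subnets cannot be routed without NAT."""
    return local.overlaps(remote)


def check_tunnel(pix_acl_line, peer_local, peer_remote):
    """Run both checks for one PIX ACL entry and the peer's
    (local, remote) phase 2 selectors given in CIDR form."""
    pix_pair = parse_pix_acl(pix_acl_line)
    peer_pair = (ipaddress.ip_network(peer_local), ipaddress.ip_network(peer_remote))
    return {
        "mirror": is_mirror_image(pix_pair, peer_pair),
        "overlap": selectors_overlap(*pix_pair),
    }


if __name__ == "__main__":
    # Constructed: PIX LAN 10.41.0.0/16 and a FortiGate LAN of 10.0.0.0/8,
    # the case the reply warns about (mirror image, but overlapping).
    acl = "access-list vpn permit ip 10.41.0.0 255.255.0.0 10.0.0.0 255.0.0.0"
    print(check_tunnel(acl, "10.0.0.0/8", "10.41.0.0/16"))
```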
