tunnel between asa5505 and Fortigate 80c up but no traffic

Hello all,

I have set up an ipsec tunnel between a Cisco ASA 5505 and a Fortigate 80c. The tunnel is set up as I execute pings from inside behind ASA to inside behind FG, however I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through policies configured on the FG).

What I noticed in packet tracer is that traffic is dropped at the step 'VPN lookup'.

To troubleshoot I have configured a test ('fake') vpn connection through the vpn wizard and get the same result in packet tracer.

I run 8.4 software on the ASA and this is part of the relevant config:

access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 192.168.196.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.196.0_24 NETWORK_OBJ_192.168.196.0_24 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 172.16.0.138   (there is a NAT device between the ASA and the internet, i.e. a Fritzbox modem)
crypto ipsec ikev1 transform-set 3des-sha1 esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 194.109.xxx.xxx
crypto map outside_map 2 set ikev1 transform-set 3des-sha1
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
group-policy GroupPolicy_194.109.xxx.xxx internal
group-policy GroupPolicy_194.109.xxx.xxx attributes
 vpn-filter value outside_cryptomap_1
 vpn-tunnel-protocol ikev1
tunnel-group 194.109.xxx.xxx type ipsec-l2l
tunnel-group 194.109.xxx.xxx general-attributes
 default-group-policy GroupPolicy_194.109.xxx.xxx
tunnel-group 194.109.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****
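As an added example, not part of the thread: a small Python lint over the posted fragment (peer address left masked as in the post) that checks the two things a reviewer looks at first on an L2L config whose tunnel is up but passes no traffic: whether every crypto-ACL network pair has a matching identity (NAT-exempt) twice-NAT rule, and whether the vpn-filter reuses the crypto ACL, which cannot work because the ASA matches vpn-filter ACEs with the remote network as source. Decoding of the NETWORK_OBJ_ names assumes the ASDM wizard's naming convention seen in the post.

```python
import ipaddress
import re

# Constructed sample: the L2L fragment posted above, peer masked as in the post.
ASA_CONFIG = """\
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 192.168.196.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.196.0_24 NETWORK_OBJ_192.168.196.0_24 no-proxy-arp route-lookup
crypto map outside_map 2 match address outside_cryptomap_1
group-policy GroupPolicy_194.109.xxx.xxx attributes
 vpn-filter value outside_cryptomap_1
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def acl_pairs(cfg):
    """ACL name -> [(local_net, remote_net)] for each 'permit ip' ACE."""
    pairs = {}
    for m in filter(None, map(ACL_RE.match, cfg.splitlines())):
        name, src, smask, dst, dmask = m.groups()
        pairs.setdefault(name, []).append(
            (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs

def wizard_obj(name):
    """Decode NETWORK_OBJ_<addr>_<prefixlen>; assumes the ASDM wizard's object naming."""
    addr, plen = name.removeprefix("NETWORK_OBJ_").rsplit("_", 1)
    return ipaddress.ip_network(f"{addr}/{plen}")

def identity_nat_pairs(cfg):
    """(local, remote) pairs covered by a twice-NAT identity rule (real == mapped on both sides)."""
    pairs = set()
    for m in filter(None, map(NAT_RE.match, cfg.splitlines())):
        real_src, mapped_src, real_dst, mapped_dst = m.groups()
        if real_src == mapped_src and real_dst == mapped_dst:
            pairs.add((wizard_obj(real_src), wizard_obj(real_dst)))
    return pairs

def lint_l2l(cfg):
    """Findings for the L2L pieces of an ASA config; an empty list means nothing obvious."""
    findings, acls, exempt = [], acl_pairs(cfg), identity_nat_pairs(cfg)
    crypto_acls = re.findall(r"^crypto map \S+ \d+ match address (\S+)$", cfg, re.M)
    for name in crypto_acls:
        for local, remote in acls.get(name, []):
            if (local, remote) not in exempt:  # interesting traffic would be NATed before encryption
                findings.append(f"no identity NAT for {local} -> {remote} (crypto ACL {name})")
    for name in re.findall(r"^\s*vpn-filter value (\S+)$", cfg, re.M):
        if name in crypto_acls:  # crypto ACL is local->remote, but vpn-filter ACEs are matched remote->local
            findings.append(f"vpn-filter reuses crypto ACL {name}; its ACEs need the remote network as source")
    return findings
```

Running `lint_l2l` over a `show running-config` capture reports the vpn-filter reuse on the posted fragment and stays silent once the vpn-filter points at an ACL written remote-to-local.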

1 REPLY
Well, actually the packet tracer output is all right now :S

I have rebuilt my ASA 5505 from scratch and created the tunnel again.

I note that the animation shows more 'hops' e.g. 2 times a vpn lookup while my earlier picture stopped at Access list lookup.

Actually I am still not able to send traffic over the line, so I am going to check the Fortigate unit now...

Kind regards,

Ralph

Arnhem Netherlands
