06-22-2010 01:55 PM
Hi all!
I am trying to mount a VPN IPsec tunnel between a Cisco 877 and a Fortigate FM3000.
The tunnel is UP; from the Cisco I can ping the IP of the Fortigate's interface.
From the Fortigate I can ping the interface used as public on the Cisco.
But it is impossible to ping from the private network behind the Fortigate to the private network behind the Cisco, and vice versa.
I have an ACL permit any any on the Cisco and a firewall rule all/all on the Fortigate.
I don't know what blocks it.
Moreover, I see something strange: I have Virtual-Access1 configured on the Cisco, and when I traceroute to the IP of the Fortigate's interface, the packets use this interface and IP to go out... What is Virtual-Access1? Is it automatically created with the tunnel?
I tried to put a new ACL in the crypto map but I can't do it. Is that normal?
Is it necessary to put the Cisco FastEthernet0, with my server behind it, in the tunnel, like Dialer0?
Is it necessary to route the traffic to the tunnel? Is it not done automatically?
Could you explain to me what is necessary in order to allow communication between the private networks behind the two routers?
Thanks
Alexaaa
06-23-2010 06:05 AM
Can you share the configuration on the 877 router?
One thing that you might want to check is that you have configured NAT exemption for traffic between the 877 LAN and the Fortigate LAN that matches your crypto ACL.
06-23-2010 06:30 AM
Thanks for your reply.
For the NAT exemption, I don't think I have done that. How can I check it? I saw
sysopt connection permit-ipsec but was unable to use it on the 877.
Configuration of the 877:
X.X.X.X is the IP of the Fortigate
Y.Y.Y.Y is the IP of the Cisco
10.41.2.32 is the private network behind the Fortigate
192.168.252.0 is the private network behind the Cisco; I use VLAN 2
IPSEC#show run
Building configuration...
Current configuration : 3247 bytes
!
! Last configuration change at 15:04:30 CEDT Wed Jun 23 2010
! NVRAM config last updated at 11:13:54 CEDT Wed Jun 23 2010
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname IPSEC
!
boot-start-marker
boot-end-marker
!
logging buffered 1000000
enable secret 5 xxcU.
!
no aaa new-model
clock timezone GMT 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.254.0 192.168.254.99
ip dhcp excluded-address 192.168.254.128 192.168.254.255
!
ip dhcp pool DHCP
network 192.168.254.0 255.255.255.0
default-router 192.168.254.254
dns-server A.A.A.A B.B.B.B
!
!
no ip domain lookup
ip name-server A.A.A.A
ip name-server B.B.B.B
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ciscokey address X.X.X.X
!
!
crypto ipsec transform-set vpntest esp-aes 256 esp-sha-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer X.X.X.X
set transform-set vpntest
match address 101
!
archive
log config
hidekeys
!
!
!
track 1 ip route Y.Y.Y.Y 255.255.255.255 reachability
delay down 1 up 60
!
!
!
interface Tunnel0
ip address 2.2.2.1 255.255.255.252
tunnel source Dialer0
tunnel destination X.X.X.X
!
interface ATM0
bandwidth 320
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
mtu 1492
bandwidth 160
pvc 8/35
vbr-nrt 160 160
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
ip address 192.168.20.253 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface Vlan2
ip address 192.168.252.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
bandwidth 128
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
keepalive 1 2
ppp authentication chap callin
ppp chap hostname xxx@aa.aaa.com
ppp chap password 7
crypto map myvpn
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.41.2.32 255.255.255.240 Tunnel0
!
no ip http server
no ip http secure-server
ip dns server
ip nat translation tcp-timeout 5400
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list standard DIFFUSION
permit 0.0.0.0
deny any
!
access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
snmp-server community public RO
snmp-server community An3 RW 99
snmp-server community a RO
snmp-server community aCommunityRead RO
no cdp run
!
!
!
control-plane
!
!
line con 0
password 7 0502080824424B1B1000
login
no modem enable
line aux 0
line vty 0 4
password 7 0945400E1C0B12000209
login
escape-character 5
!
scheduler max-task-time 5000
ntp clock-period 17175036
ntp server B.B.B.B
ntp server A.A.A.A
end
06-23-2010 08:08 AM
Hello.
First of all, I do not see the ACL called NAT:
ip nat inside source list NAT interface Dialer0 overload
In that ACL you should have FIRST a deny from your local LAN to the remote LAN, then the traffic that you want to NAT for internet access.
Create it:
ip access-list ext NAT
 deny ip 192.168.252.0 0.0.0.255 10.41.2.32
 permit ip any any
If you are using IPsec for that tunnel, go ahead and use an IPsec profile; it's easier and faster.
Disable and eliminate the crypto map that you have created.
Then add:
crypto ipsec profile NAME
 set transform vpntest
interface Tunnel0
 tunnel protection ipsec profile NAME
You won't need the ACL for the interesting traffic; the route will do that for you:
ip route 10.41.2.32 255.255.255.240 Tunnel0
If you do not want to use the IPsec profile, then add the crypto map to Tunnel0 as well and do the NAT exemption.
The NAT exemption has to be created whether you use a crypto map OR an IPsec profile.
06-23-2010 09:42 AM
Thanks for your reply!
The ip access-list ext NAT is OK.
For the moment I don't want to use an IPsec profile. Maybe I will try it later.
I added my crypto map to Tunnel0.
Now I have to create the NAT exemption, but I am not sure what is necessary.
Do I have to create a new ACL? With inside something like nat (fastethernet0 or vlan2?) 0 access-list [ACL-name]
Do I need this in both directions, from Cisco to Forti and vice versa?
Thanks for your help.
Alexaaa
06-23-2010 10:05 AM
Hello
If your Fortigate is doing NAT then yes. The ACL is from your local LAN to the remote LAN.
06-23-2010 10:14 AM
Alex, if you are going to use the crypto map you will have to add to the ACL for the interesting traffic a line for GRE traffic, NOT for the host IPs like in a site-to-site case.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
Using crypto maps is not useful for this situation. Using profiles requires only 3 commands.
Really, try the profile; you won't waste your time. And if you have to add another site to this tunnel in the future, you do not have to add all that stuff.
06-23-2010 02:01 PM
OK, I will try the profile tomorrow.
But with a profile, is the NAT exemption still necessary?
Thanks
Alexaa
06-23-2010 02:13 PM
Yes, because you are doing NAT on those devices, so a NAT exemption is required.
06-23-2010 02:29 PM
I don't really know what a NAT exemption is. Do I do it with an ACL?
06-23-2010 02:52 PM
You have an ACL called NAT right now, right? To specify what you want to NAT...
Add some entries to that ACL and specify that you do not want to NAT, or include in that ACL, traffic from your local LAN to the remote LAN.
06-24-2010 12:25 AM
I don't want to use GRE because it is not secure, is that right?
I just want a site-to-site VPN.
I don't understand why GRE is necessary with crypto.
I added this ACL:
ip access-list ext NAT
deny ip 192.168.252.0 0.0.0.255 10.41.2.32
permit ip any any
But I manage my Cisco via its public IP and I lost access to it...
The permit any any resulted in the loss of access to my router via its public IP... I don't think it is necessary because the implicit rule is deny any any...
So now I have this ACL:
ip access-list ext NAT
deny ip 192.168.252.0 0.0.0.255 10.41.2.32
I can ping 10.41.2.X from my Cisco!!!
I can ping 192.168.252.1 from my Forti!
Still a problem: I can't ping the server behind the Cisco with IP 192.168.252.2... From the Cisco I can ping it, but from the Forti and the server behind the Forti I get a timeout... Is it necessary to add a new ACL for traffic from 10.41.2.36 to 192.168.252.0?
Thanks
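The two NAT ACL variants discussed in this thread (the "deny LAN-to-remote-LAN, then permit any any" list the reply recommended, and the deny-only list posted at the end) behave quite differently under IOS first-match semantics and the implicit deny at the end of every ACL. The following evaluator is an added example, not code from the thread or from Cisco; it models IOS wildcard-mask matching and the rule that ip nat inside source list only translates traffic the list permits. It assumes that a bare address with no wildcard mask (as in the thread's deny ip 192.168.252.0 0.0.0.255 10.41.2.32) is treated as a single host, and it uses the thread's own addresses plus one constructed internet address (198.51.100.10).

```python
"""
Added example (not from the thread): evaluate IOS-style extended ACL entries
with wildcard masks to see which traffic a NAT list translates and which
traffic a crypto ACL selects. Assumes:
  - 'ip nat inside source list NAT ...' translates only packets the list permits;
    a deny hit or falling off the end (implicit deny) leaves the packet untranslated.
  - A bare address with no wildcard mask is treated as a single host.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ("0.0.0.0", "255.255.255.255")


def _looks_like_ipv4(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def _wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    # IOS wildcard mask: a 0 bit must match the network, a 1 bit is "don't care".
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _take_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec ('any', 'host X', 'X wildcard', or bare 'X') at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and _looks_like_ipv4(tok[i + 1]):
        return (tok[i], tok[i + 1]), i + 2
    # Bare address, no mask: assumed to mean a single host (see module docstring).
    return (tok[i], "0.0.0.0"), i + 1


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'permit|deny ip <src> <dst>' entries; other protocols are out of scope here."""
    aces = []
    for line in lines:
        tok = line.split()
        if tok[1] != "ip":
            raise ValueError("this example only handles 'ip' entries: " + line)
        (src, src_wc), i = _take_addr(tok, 2)
        (dst, dst_wc), _ = _take_addr(tok, i)
        aces.append(Ace(tok[0], src, src_wc, dst, dst_wc))
    return aces


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; running off the end is the implicit deny."""
    for ace in acl:
        if _wildcard_match(src, ace.src, ace.src_wc) and _wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "implicit-deny"


def is_translated(nat_acl: List[Ace], src: str, dst: str) -> bool:
    """Would the NAT overload rule rewrite this flow's source address?"""
    return evaluate(nat_acl, src, dst) == "permit"


def is_interesting(crypto_acl: List[Ace], src: str, dst: str) -> bool:
    """Would the crypto map select this flow for IPsec?"""
    return evaluate(crypto_acl, src, dst) == "permit"


# The thread's crypto ACL 101 (interesting traffic for the crypto map).
CRYPTO_ACL_101 = parse_acl(["permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31"])

# NAT list in the shape the reply recommended: exempt LAN-to-remote-LAN first, then
# NAT everything else. The destination wildcard 0.0.0.31 is added in this example so
# the exemption covers the same range as ACL 101.
NAT_ACL_EXEMPT_THEN_PERMIT = parse_acl([
    "deny ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31",
    "permit ip any any",
])
# NAT list exactly as posted in the last message: a single deny, nothing else.
NAT_ACL_DENY_ONLY = parse_acl(["deny ip 192.168.252.0 0.0.0.255 10.41.2.32"])

LAN_HOST = "192.168.252.2"       # server behind the 877 (from the thread)
REMOTE_HOST = "10.41.2.36"       # host in the Fortigate LAN (from the thread)
INTERNET_HOST = "198.51.100.10"  # constructed documentation address


def summarize(nat_acl: List[Ace]) -> Tuple[bool, bool]:
    """(translated when going to the remote LAN, translated when going to the internet)."""
    return (is_translated(nat_acl, LAN_HOST, REMOTE_HOST),
            is_translated(nat_acl, LAN_HOST, INTERNET_HOST))


if __name__ == "__main__":
    print("ACL 101 selects LAN->remote LAN:", is_interesting(CRYPTO_ACL_101, LAN_HOST, REMOTE_HOST))
    print("exempt-then-permit (to remote, to internet):", summarize(NAT_ACL_EXEMPT_THEN_PERMIT))
    print("deny-only, implicit deny (to remote, to internet):", summarize(NAT_ACL_DENY_ONLY))
```

The exempt-then-permit list leaves VPN traffic untranslated (so it still matches ACL 101) while internet-bound traffic is NATed; the deny-only list translates nothing at all because of the implicit deny. The evaluator also shows why the missing destination wildcard matters: with a bare 10.41.2.32, only that single host is exempted, so a flow from 192.168.252.2 to 10.41.2.36 would still hit the permit any any and be translated before the crypto map sees it.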