Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

VPN cisco 800 series Fortigate

Hi all!

I try to mount a VPN IPSEC tunnel between a cisco 877 and a fortigate FM3000.

The tunnel is UP, from the cisco I can ping the IP of the interface of the fortigate.

From the fortigate I can ping the interface use as public of the cisco.

But impossible to ping from the private network behind the fortigate the private network behind the cisco and vice versa.

I have in the cisco an ACL permit any any and a firewall rule all all in the fortigate.

I don't know what blocks that.

Moreover I see something strange I have virtual-access 1 configured on the cisco and when I traceroute to the ip interface of the fortigate, the packet use this interface and IP to go out... What is virtual-access 1? automatically created with the tunnel?

I try to put a new ACL in the crypto map I can't do it is it normal?

Is it necessary to put the cisco fastethernet0 with behind my server in the tunnel? like the dialer0?

Is it necessary to route the traffic to the tunnel? It is not automatically done?

Could you explain me what is necessary in order to allow communications between private network behind the 2 routers?
Thanks

Alexaaa

11 REPLIES
Cisco Employee

Re: VPN cisco 800 series Fortigate

Can you share the configuration on the 877 router?

One thing that you might want to check is that you have configured NAT exemption for traffic between the 877 LAN and Fortiget LAN that matches to your crypto ACL.

New Member

Re: VPN cisco 800 series Fortigate

Thanks for your reply.

For the NAT exemption I don't think I have done that. How can I check that? I saw that

sysopt connection permit-ipsec but unable to use it in the 877.

configuration 877:
X.X.X.X is the IP of fortigate
Y.Y.Y.Y is the IP of cisco
10.41.2.32 is the private network behind the fortigate
192.168.252.0 is the private network behind the cisco I use the vlan2


IPSEC#show run
Building configuration...

Current configuration : 3247 bytes
!
! Last configuration change at 15:04:30 CEDT Wed Jun 23 2010
! NVRAM config last updated at 11:13:54 CEDT Wed Jun 23 2010
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname IPSEC
!
boot-start-marker
boot-end-marker
!
logging buffered 1000000
enable secret 5 xxcU.
!
no aaa new-model
clock timezone GMT 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.254.0 192.168.254.99
ip dhcp excluded-address 192.168.254.128 192.168.254.255
!
ip dhcp pool DHCP
   network 192.168.254.0 255.255.255.0
   default-router 192.168.254.254
   dns-server A.A.A.A B.B.B.B
!
!
no ip domain lookup
ip name-server A.A.A.A
ip name-server B.B.B.B
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ciscokey address X.X.X.X
!
!
crypto ipsec transform-set vpntest esp-aes 256 esp-sha-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer X.X.X.X
set transform-set vpntest
match address 101
!
archive
log config
  hidekeys
!
!
!
track 1 ip route Y.Y.Y.Y 255.255.255.255 reachability
delay down 1 up 60
!
!
!
interface Tunnel0
ip address 2.2.2.1 255.255.255.252
tunnel source Dialer0
tunnel destination X.X.X.X
!
interface ATM0
bandwidth 320
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
mtu 1492
bandwidth 160
pvc 8/35
  vbr-nrt 160 160
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
ip address 192.168.20.253 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface Vlan2
ip address 192.168.252.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
bandwidth 128
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
keepalive 1 2
ppp authentication chap callin
ppp chap hostname xxx@aa.aaa.com
ppp chap password 7
crypto map myvpn
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.41.2.32 255.255.255.240 Tunnel0
!
no ip http server
no ip http secure-server
ip dns server
ip nat translation tcp-timeout 5400
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list standard DIFFUSION
permit 0.0.0.0
deny   any
!
access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
snmp-server community public RO
snmp-server community An3 RW 99
snmp-server community a RO
snmp-server community aCommunityRead RO
no cdp run
!
!
!
control-plane
!
!
line con 0
password 7 0502080824424B1B1000
login
no modem enable
line aux 0
line vty 0 4
password 7 0945400E1C0B12000209
login
escape-character 5
!
scheduler max-task-time 5000
ntp clock-period 17175036
ntp server B.B.B.B
ntp server A.A.A.A
end

Re: VPN cisco 800 series Fortigate

Hello.

First of all I do not see the ACL called NAT

ip nat inside source list NAT interface Dialer0 overload

In that ACL you should have FIRST a deny from your local LAN to the remote LAN ...then the traffic that you want to NAT for internet access.

Create it

ip access-list ext  NAT

deny ip 192.168.252.0 0.0.0.255 10.41.2.32
permit ip any any

If you are using IPSEC for that tunnel go ahead and use an Ipsec profile it's easier and faster.

Disable and eliminate the crypto map that you have created.

then add

Crypto ipsec profile NAME

set transform vpntest

interface Tunnel0
 tunnel protection ipsec profile NAME

You wont need the ACL for the interesting traffic the route....  ip route 10.41.2.32 255.255.255.240 Tunnel0   will do that for you.

ip route 10.41.2.32 255.255.255.240 Tunnel0

If you do not want to use the ipsec profile then add the crypto map to the tunnel00 as well and do the NAT exemption.

The nat exemption have to be created if you use crypto map OR an ipsec profile.

New Member

Re: VPN cisco 800 series Fortigate

Thanks for your reply!

the ip access-list ext  NAT is OK.
For the moment I don't want to use ipsec profile. Maybe I will try later.

I add my crypto map to the tunnel 0.

Now I have to create the NAT exemption but I am not sure of what is necessary?

I have to create a new ACL? with inside something like nat (fastethernet0 or vlan2?) 0 access-list [ACL-name]

I need this in two ways? from cisco to forti and vice versa?

Thanks or your help.
Alexaaa

Re: VPN cisco 800 series Fortigate

Hello

If your fortigate is doing NATs then yes. The ACL es from your local LAN to the remote LAN

Re: VPN cisco 800 series Fortigate

Alex if you are going to use the crypto map you will have to add in the ACL of the interesting traffic a line for GRE traffic NOT for the hosts IP like in a site to site case.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Using crypto maps is not useful for this situation. Using profiles requires only 3 commands

Really try the profile you wont spend ur time. and if you have to add another site to this tunnel in the future you do not have to add all that staff.

New Member

Re: VPN cisco 800 series Fortigate

OK I will try profile tomorow.

But with profile NAT exemption is still necessary?


Thanks

Alexaa

Re: VPN cisco 800 series Fortigate

Yes because you are doing NAT in those devices so a NAT exemption is required.

New Member

Re: VPN cisco 800 series Fortigate

I don't know really what is a NAT exemption I do it with an ACL?

Re: VPN cisco 800 series Fortigate

You have an ACL called NAT right now right? to specify what you want to nat...

add in that ACL some entries and specify that you do not want to nat or include in that ACL trafico from  your local LAN to the remote LAN.

New Member

Re: VPN cisco 800 series Fortigate

I don't want to use GRE because it is not secure that's right?
I just want a site to site VPN.

I don't understand why GRE is necessary with a crypto.
I add this ACL:
ip access-list ext  NAT
deny ip 192.168.252.0 0.0.0.255 10.41.2.32
permit ip any any

but I manage my cisco with its public IP and I lost access to it...
The permit any any result with the lost access to my router via public IP... I don't think it is necessary because implicite rule is deny any any...

So now I have this ACL:

ip access-list ext  NAT
deny ip 192.168.252.0 0.0.0.255 10.41.2.32

I can ping 10.41.2.X from my cisco !!!

I can ping 192.168.252.1 from my forti!

Still a trouble I can't ping the server behind the cisco with IP 192.168.252.2... From the cisco I can ping it but from forti and server behind the forti I issue a timeout... Is it necessary to add a new acl for traffic from 10.41.2.36 to 192.168.252.0?

Thanks

1800
Views
0
Helpful
11
Replies
CreatePlease to create content