VPN cisco 877 ping issue

Alex801415 (Level 1)

Hi all!

I have a working VPN between a FortiGate and a Cisco.

I have an issue pinging the network behind the Cisco from the network behind the Forti.

When I ping the Cisco Vlan2 interface (192.168.252.1) there is no problem, but I can't ping a server in Vlan2 (192.168.252.2) behind the Cisco.

However, from the Cisco I can ping this server. In the Forti I can see that pings to the Vlan2 interface and to the server in Vlan2 take the same path, and I can see packets.

I am posting my config; could you see what blocks the ping from 10.41.2.36 to 192.168.252.2, whereas the ping to 192.168.252.1 is OK?

IPSEC#show run
Building configuration...

Current configuration : 3302 bytes
!
! Last configuration change at 14:42:17 CEDT Fri Jun 25 2010
! NVRAM config last updated at 14:42:23 CEDT Fri Jun 25 2010
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname IPSEC
!
boot-start-marker
boot-end-marker
!
logging buffered 1000000
enable secret 5 aaaaaaaaa
!
no aaa new-model
clock timezone GMT 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.254.0 192.168.254.99
ip dhcp excluded-address 192.168.254.128 192.168.254.255
!
ip dhcp pool DHCP
   network 192.168.254.0 255.255.255.0
   default-router 192.168.254.254
   dns-server A.A.A.A B.B.B.B
!
!
no ip domain lookup
ip name-server A.A.A.A
ip name-server B.B.B.B
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ciscokey address IP_forti
!
!
crypto ipsec transform-set vpntest esp-aes 256 esp-sha-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer IP_forti
set transform-set vpntest
match address 101
!
archive
log config
  hidekeys
!
!
!
!
!
interface Tunnel0
ip address 2.2.2.1 255.255.255.252
tunnel source Dialer0
tunnel destination IP_forti
crypto map myvpn
!
interface ATM0
bandwidth 320
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
mtu 1492
bandwidth 160
pvc 8/35
  vbr-nrt 160 160
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
ip address 192.168.20.253 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface Vlan2
ip address 192.168.252.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
bandwidth 128
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
keepalive 1 2
ppp authentication chap callin
ppp chap hostname ing@test.one.com
ppp chap password 7 aaaaaa
crypto map myvpn
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.41.2.32 255.255.255.240 Tunnel0
!
no ip http server
no ip http secure-server
ip dns server
ip nat translation tcp-timeout 5400
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list standard DIFFUSION
permit 0.0.0.0
deny   any
!
ip access-list extended NAT
permit ip any host IP_cisco
deny   ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
!
access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
snmp-server community public RO
snmp-server community one3 RW 99
snmp-server community one RO
snmp-server community oneCommunityRead RO
no cdp run
!
!
!
control-plane
!
!
line con 0
password 7 aaaaaa
login
no modem enable
line aux 0
line vty 0 4
password 7 aaaaa
login
escape-character 5
!
scheduler max-task-time 5000
ntp clock-period 17175037
ntp server B.B.B.B
ntp server A.A.A.A

end


14 Replies

Marcin Latosiewicz (Cisco Employee)

If you can ping the router but nothing behind it, have you considered routing as the root cause?

Also, on another note:

A crypto map on the tunnel interface is not required in IOS 12.4.

I see that you have separate GRE and IPsec tunnels. To protect GRE with IPsec you would need to do

access-list 101 permit gre host IP_ADDRESS_OF_DIALER host IP_forti

Unless you intend to do IPsec over GRE and not GRE over IPsec?

Marcin

Routing problem, yes, but I don't see where. Do I have to add a route from VLAN2 to Tunnel0?

OK, I will take a look at the crypto map and remove the tunnel interface.

Could you explain to me where you see the GRE tunnel? Is it where I put the IP 2.2.2.2?

Is GRE necessary? I just want an IPsec tunnel between two sites in order to permit secure connections between several servers.

Thanks

Alexaa

Alex,

This is your GRE tunnel:

interface Tunnel0
ip address 2.2.2.1 255.255.255.252
tunnel source Dialer0
tunnel destination IP_forti
crypto map myvpn

You also have routing set via it.

You do not need a GRE tunnel, nor do you need that route pointing to the tunnel, if you want a plain IPsec tunnel.
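The following is an added example, not part of Marcin's or Alex's posts: it shows the posted configuration trimmed down to a plain IPsec tunnel the way the reply above describes, together with the IOS checks a practitioner would run afterwards. The reason the static route mattered is visible in the posted config itself: `ip route 10.41.2.32 255.255.255.240 Tunnel0` sent every reply for the remote subnet into the GRE tunnel, whose outer header (Dialer0 address to IP_forti, protocol GRE) never matched `access-list 101`, so those packets were not IPsec-protected. The placeholders IP_forti and IP_cisco are the ones the original post used; the `permit ip 192.168.252.0 0.0.0.255 any` line for Internet-bound PAT is an assumption, since the thread does not say what the posted `permit ip any host IP_cisco` line was meant to match.

```ios
! Added example (not from the thread): plain IPsec, no GRE.
! Only the parts of the posted config that change are shown.

! 1. Remove the GRE tunnel and the static route that steered the remote
!    subnet into it. Without that route, 10.41.2.32/28 falls through to the
!    default route via Dialer0, which is where crypto map "myvpn" is applied.
no ip route 10.41.2.32 255.255.255.240 Tunnel0
no interface Tunnel0

! 2. Keep the crypto map on the physical egress interface only.
interface Dialer0
 crypto map myvpn
!
! 3. What gets encrypted (crypto ACL) and what is kept out of the overload
!    PAT (deny in the NAT ACL) must describe the same traffic, because
!    inside-to-outside NAT runs before IPsec encapsulation. The deny must
!    come before any permit that would otherwise catch the VPN traffic.
access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
!
ip access-list extended NAT
 deny   ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
 permit ip 192.168.252.0 0.0.0.255 any     ! assumption: Internet-bound PAT
!
! 4. Checks after the change (standard IOS commands):
!    ping 10.41.2.36 source 192.168.252.1  -> sourced from Vlan2 so it matches ACL 101
!    show ip route 10.41.2.36              -> resolves to 0.0.0.0/0 via Dialer0, no Tunnel0
!    show crypto isakmp sa                 -> QM_IDLE with IP_forti
!    show crypto ipsec sa                  -> #pkts encaps / #pkts decaps both increasing
!    show access-lists 101                 -> match counter on the permit line increasing
```

Alex reports further down that removing the route alone was enough to restore the ping; deleting Tunnel0 afterwards just removes the dead configuration.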

OK, thanks for your help!

I have deleted the route `ip route 10.41.2.32 255.255.255.240 Tunnel0` and it works; I can ping the server behind the Cisco!!!

I will delete the GRE tunnel because I don't need it!

Alexaa

Awesome!

Please mark this thread as resolved.

I made a mix between GRE and IPsec...

Sorry...

Alex,

Well, GRE over IPsec is a very neat concept; it gives you more possibilities, like routing multicast or dynamic routing between sites.

Plain IPsec will never do those things...

Marcin

OK!

What I need now is to SNAT packets from 192.168 and DNAT packets from FM.

Is this possible without GRE?

Alex,

How does this relate to IPsec?

What and where do you want to NAT?

Please remember the order of operations with regard to NAT:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Marcin

I will take a look at your doc!

I want to NAT the source IP of servers behind the Cisco when they send packets to the network behind FM.

When servers behind the Forti send packets to servers behind the Cisco, the packets come NATed; I need the Cisco to destination-NAT to the real IP of the server behind the Cisco (it's a virtual IP address).

Alexaa

Alexaa,

What is FM?

It looks like what you're trying to do is policy NAT; it should not be a problem. You need to define where from/to via an ACL or route-map.

Please remember that you NAT prior to encapsulation and you decapsulate before NAT.

Marcin

P.S.

Note that NAT has a separate forum section!
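As an added example of what Alex asked for and Marcin's order-of-operations reminder (not code from either of them), the fragment below adds a NAT entry for the server behind the Cisco and adjusts the crypto ACL accordingly. Assumptions, none of which come from the thread: the two sides agree that the Forti side reaches the server at the "virtual" address 192.168.200.2, out of a made-up translated range 192.168.200.0/24; the real server is 192.168.252.2 from the posted config; the remote subnet is 10.41.2.32/28 as in the posted ACL 101.

```ios
! Added example (not from the thread). 192.168.200.0/24 is an assumed
! translated range; 192.168.252.2 and 10.41.2.32/28 are from the posted config.
!
! One static inside-source entry covers both directions Alex described:
!  - outbound (server -> Forti side): the source 192.168.252.2 is rewritten to
!    192.168.200.2 BEFORE the packet is evaluated against the crypto map,
!    because inside-to-outside NAT happens before IPsec encapsulation;
!  - inbound (Forti side -> 192.168.200.2): the packet is decrypted first,
!    then the destination is rewritten back to 192.168.252.2, then routed
!    to Vlan2 (decapsulation happens before NAT).
ip nat inside source static 192.168.252.2 192.168.200.2
!
! Because translation precedes encryption, the crypto ACL must also match the
! POST-NAT source. Add the line; keep the original one so any untranslated
! 192.168.252.x hosts stay protected. The Forti's phase-2 selectors must
! mirror both (192.168.252.0/24 and 192.168.200.0/24 <-> 10.41.2.32/28).
access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
access-list 101 permit ip 192.168.200.0 0.0.0.255 10.41.2.32 0.0.0.31
!
! Hosts in 192.168.252.0/24 without a static entry must still be kept out of
! the overload PAT towards Dialer0; otherwise they leave with the public
! address as source, miss ACL 101 and go out in the clear.
ip access-list extended NAT
 deny   ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
!
! Caveat: a plain static entry applies to ALL traffic from 192.168.252.2,
! including Internet-bound traffic that should use the PAT instead. If the
! server needs both, restrict the static entry with a route-map that matches
! only traffic to 10.41.2.32/28 (the policy-NAT form Marcin mentions), and
! check how your IOS release handles sessions initiated from the outside
! through a route-map static entry before relying on it for the DNAT side.
!
! Checks (standard IOS commands):
!   show ip nat translations   -> 192.168.200.2 <-> 192.168.252.2 entry present
!   show crypto ipsec sa       -> local ident 192.168.200.0/24, remote 10.41.2.32/28
!   debug ip nat               -> one line per translated packet (lab use only)
```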

FM is the remote router, a FortiGate.

I will take a look at policy map.

OK for the NAT order.

Another question.

What is Virtual-Access1? Is it necessary to add the crypto map on it?

Thanks

Virtual-Access is the actual interface cloned from virtual-templates and dialer interfaces.

Leave the crypto map there.
