flodnar31
New Member
July 21, 2016
Question

Fortigate 60C connects to Cisco ASA as remote access VPN Client


Hi Guys

 

Can you give me a hand on this? I'm going to configure a Fortigate (FortiWiFi 60C) to act as a remote-access VPN client to a Cisco ASA. How can I accomplish this? I'm new at configuring Fortinet. Also, we need to build two remote-access VPNs to 2 different locations. The first RA-VPN will pass through the WAN1 interface and the other RA-VPN will pass through the WAN2 interface. Please see the topology below.

 

 

                        ****** REMOTE-ACCESS VPN ******

[FortiWifi 60C] WAN1 -------- [DSL Modem] --------> ((( INTERNET ))) --------> [Cisco ASA 5520 BRANCH1]
                WAN2 -------- [DSL Modem] --------> ((( INTERNET ))) --------> [Cisco ASA 5520 BRANCH2]

        

*The FortiWifi WAN1 and WAN2 interfaces are connected to only 1 DSL modem going to the internet

 

 

Thanks in advance... :)


    MikePruett
    New Member
    July 22, 2016

    I would personally just build two IPSec tunnels, on each WAN connection (1 to each branch), and then let them provide failover for one another. Either way, IPSec between the sites should be easy enough and reliable.

    ede_pfau
    SuperUser
    July 22, 2016

    Some obstacles ahead:

    - if you have control over the ASA's setup, configure site-to-site VPNs

    - if not, on the FGT create "dial-up" VPNs, simulating a FortiClient.

    Depending on the firmware version on the FGT, the VPN wizards will help you. The key point here is that IIRC Cisco provides the VPN settings for clients when they connect, called "mode-config". You'll have to get that into the config, via CLI if needed.

     

    Dual WAN: this will depend on your routes. There should only be one default route, or one with higher priority. I'm sure you'll find plenty of examples here in the forums, or on Fortinet's site cookbook.fortinet.com.

    flodnar31 (Author)
    New Member
    July 28, 2016

    Thanks for the reply.

     

    Is it possible to have the same Phase 2 for the separate IPSEC tunnels for both WAN1 and WAN2?

     

    e.g.

     

    WAN1 = Local1 ----------> to Branch1

    WAN2 = Local1 ----------> to Branch2