Shander
New Member
August 24, 2012
Question

IPSec VPN between Cisco ASA and Fortigate

  • 4 replies
  • 7553 views
Hi, I am trying to create an IPSec VPN between Fortigate and Cisco ASA. The tunnel comes up successfully, but the PC behind the Fortigate can't ping either the PC behind the Cisco or the Cisco ASA internal device IP. Any PC behind the Cisco ASA device can ping the Fortigate internal IP and the PC behind the Fortigate. I have followed the guide given at the Fortinet Knowledge Base (but it is for old firmware and not ASA) and can't succeed. I attach the LAB testing here. If anyone has implemented it and succeeded in solving it, please guide me on how to solve it. Fortigate Firmware version 4 MR2 with Cisco ASA Firmware 8.2.1. Thanks


    Shander (Author)
    New Member
    August 24, 2012
    Hi, additional data for all of you for R&D... hope somebody can help to solve it...
    Shander (Author)
    New Member
    August 24, 2012
    Hi, this is the Fortigate configuration file... thanks
    emnoc
    New Member
    August 24, 2012
    Fortigate Firmware version 4 MR2 with Cisco ASA Firmware 8.2.1 Thank
    1st off, your diagram and cfgs were a big help. 2nd, why do you have the vpn defined as both a phase1/2 and phase1/2-interface? 3rd, I think your problems reside around the set nat enabled on the firewall policies at the FGT side. You don't need this enabled. I would do the following; delete these:

        edit 2
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "Local_LAN"
            set dstaddr "Remote_LAN"
            set action ipsec
            set status disable
            set schedule "always"
            set service "ANY"
            set logtraffic enable
            set inbound enable
            set outbound enable
            set vpntunnel "FGTtoASA"
        next

    and then I would stay with interface and route-mode vpn, so delete this:

        config vpn ipsec phase1
            edit "FGTtoASA"
                set interface "wan1"
                set keylife 86400
                set proposal 3des-sha1
                set dpd disable
                set remote-gw 192.168.0.6
                set psksecret ENC oeX+CO11kI1yYtnP2dzvZwSGdNbXQvg1hxf1h0CqalxBn1U0mwBSrkLk1Ifc9pfCWb2o4eFcK6vEpa8vZu176oEXaBIEaFTmdK9T+0FAyh8ci+sf
            next
        end
        config vpn ipsec phase2
            edit "FGTtoASA2"
                set dst-addr-type name
                set keepalive enable
                set phase1name "FGTtoASA"
                set proposal 3des-sha1
                set replay disable
                set src-addr-type name
                set dst-name "Remote_LAN"
                set keylifeseconds 28800
                set src-name "Local_LAN"
            next
        end

    I would clean up the other firewall policies:

        edit 3
            set srcintf "internal"
            set dstintf "FGTtoASA_IN"
            set srcaddr "Local_LAN"
            set dstaddr "Remote_LAN"
            set action accept
            set schedule "always"
            set service "ANY"
            set logtraffic enable
            unset nat
        next
        edit 4
            set srcintf "FGTtoASA_IN"
            set dstintf "internal"
            set srcaddr "Remote_LAN"
            set dstaddr "Local_LAN"
            set action accept
            set schedule "always"
            set service "ANY"
            set logtraffic enable
            unset nat
        next

    That would clean up the FGT side of things. On the cisco side it looks okay but I don't think Name and using 60.0.0.0 and 50.0.0.0 is going to work.
    You should use the proper group-object. Something like this:

        object-group network Local_LAN
            network-object 60.0.0.0 255.255.255.0
        object-group network Remote_LAN
            network-object 50.0.0.0 255.255.255.0

    Outside of the above, that would clean up things.
    forthright
    New Member
    December 23, 2020

    Do you have rules allowing traffic in both directions? You need to have firewall rules that allow traffic from the Cisco side to the Fortigate side, and then from the Fortigate side to the Cisco side. Also, ensure NAT is disabled in your rules.
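The two answers above (emnoc's: drop the policy-mode VPN, take NAT off the tunnel policies; forthright's: have a policy in each direction) are the kind of thing that is easy to check mechanically before opening a ticket. The script below is an added example, not Fortinet's CLI tooling or any poster's code: it parses a FortiGate `config firewall policy` block and reports a policy-mode VPN (`set action ipsec`), NAT enabled on a policy that touches the tunnel interface, and a tunnel direction with no return policy. The two embedded configs are constructed from the names used in this thread (`Local_LAN`, `Remote_LAN`, `FGTtoASA_IN`) and are not taken from the attached lab files.

```python
"""
Lint a FortiGate 'config firewall policy' block for the three problems raised
in this thread: a policy-mode VPN (set action ipsec) alongside interface-mode
policies, NAT enabled on policies that carry tunnel traffic, and no policy in
the reverse direction. Added example, not Fortinet's or any poster's code; the
sample configs are constructed from the thread's names and not from a device.
"""
import shlex

# Constructed "before" sample: policy 2 is policy-mode, policy 3 has NAT
# enabled on the tunnel, and nothing allows Remote_LAN back to Local_LAN.
BROKEN_CONFIG = """
config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Local_LAN"
        set dstaddr "Remote_LAN"
        set action ipsec
        set vpntunnel "FGTtoASA"
        set nat enable
    next
    edit 3
        set srcintf "internal"
        set dstintf "FGTtoASA_IN"
        set srcaddr "Local_LAN"
        set dstaddr "Remote_LAN"
        set action accept
        set nat enable
    next
end
"""

# Constructed "after" sample: interface-mode only, NAT off, both directions.
FIXED_CONFIG = """
config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "FGTtoASA_IN"
        set srcaddr "Local_LAN"
        set dstaddr "Remote_LAN"
        set action accept
        unset nat
    next
    edit 4
        set srcintf "FGTtoASA_IN"
        set dstintf "internal"
        set srcaddr "Remote_LAN"
        set dstaddr "Local_LAN"
        set action accept
        unset nat
    next
end
"""


def parse_policies(text):
    """Return {policy_id: {key: [values]}} for the 'config firewall policy'
    block. Only keys inside 'edit ... next' are kept; 'unset' drops a key."""
    policies, in_block, current = {}, False, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the CLI's double-quoted names
        if not tokens:
            continue
        head = tokens[0]
        if head == "config":
            in_block = tokens[1:3] == ["firewall", "policy"]
        elif head == "end":
            in_block, current = False, None
        elif not in_block:
            continue
        elif head == "edit":
            current = tokens[1]
            policies[current] = {}
        elif head == "next":
            current = None
        elif head == "set" and current is not None:
            policies[current][tokens[1]] = tokens[2:]
        elif head == "unset" and current is not None:
            policies[current].pop(tokens[1], None)
    return policies


def lint_vpn_policies(policies, tunnel_intf):
    """Return a list of findings; an empty list means the tunnel policies look clean."""
    findings, directions = [], set()
    for pid, p in sorted(policies.items(), key=lambda kv: int(kv[0])):
        if p.get("action") == ["ipsec"]:
            findings.append(f"policy {pid}: policy-mode VPN (action ipsec); "
                            f"use the interface-mode tunnel {tunnel_intf} instead")
            continue
        src, dst = tuple(p.get("srcintf", [])), tuple(p.get("dstintf", []))
        if tunnel_intf not in src + dst:
            continue  # not a tunnel policy; out of scope here
        directions.add((src, dst))
        if p.get("nat") == ["enable"]:
            findings.append(f"policy {pid}: NAT enabled on tunnel policy "
                            f"{'/'.join(src)} -> {'/'.join(dst)}; use 'unset nat'")
    for src, dst in sorted(directions):
        if (dst, src) not in directions:
            findings.append(f"no return policy {'/'.join(dst)} -> {'/'.join(src)}; "
                            "traffic initiated from the far side will be dropped")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for f in lint_vpn_policies(parse_policies(cfg), "FGTtoASA_IN") or ["clean"]:
            print(" ", f)
```

Run it against a `show firewall policy` dump saved to a file (replace the constructed strings with the file's contents) and pass the name of the tunnel interface; the broken sample yields three findings, the fixed sample none. The return-policy check only looks at interface pairs, so it will not catch a reverse policy whose address objects are swapped the wrong way; that still has to be read by eye.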