Fortinet Forum
PDG
New Contributor

Cisco and FGT

Hello, I've got a problem between a FGT60B (running v4 MR2 P2) and a Cisco 3825 v12.41A. The VPN is established. The network behind the Cisco should reach a webserver behind the FGT. ICMP works fine in both directions. But the network behind the Cisco can't reach the webserver (or anything else - i.e. FTP). In the session list I can see the incoming packet with the policy. The webserver behind the FGT doesn't even log the attempt from the network behind the Cisco. I've tried the same setup with another FortiGate and it works. It's strange - I can see the packet in the session list, but not in the webserver.

Setup:
- Interface mode
- Route is defined (remote network via VPN interface)
- Policy between internal and VPN interface - everything allowed (nothing else activated - no NAT, no AV, no IPS, no UTM ...)
- Same settings in the other direction.
- NAT traversal is active in VPN P1

Has somebody had similar problems with a Cisco? Do I have to change some settings in the FGT?

Best regards,
Patrick
ede_pfau
Esteemed Contributor III

Hi, 2 suggestions:
- set the source and destination addresses in the policies to ALL
- look at the packets arriving on the tunnel end at the FG

For that, open the CLI (console window) and type

diag sniffer packet myTunnel icmp 4

where myTunnel is the name of the phase1. Then start a ping on the Cisco side and post what you get.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
PDG
New Contributor

thx - the diag sniffer helped a lot. The Cisco didn' t respond to the ACK. It works, if on the Cisco side incoming packets are allowed. But for security it should only work in one direction (Cisco network can access to the webserver on the fortinet). They' re looking how they could handle it. Best Regards, Patrick btw. - we' re neighbours - Mannheim-Heidelberg