CAD
Contributor

How can I allow this connection?

Hello everyone,

I want to allow a connection from the internet to one particular machine in my network through the "Cisco AnyConnect Client".

Below are the ports it requires to allow this connection; how can I open them?

 

Protocol          Cisco AnyConnect Client port
TLS (SSL)         TCP 443
SSL redirection   TCP 80
DTLS              UDP 443
IPsec/IKEv2       UDP 500, UDP 4500

Protocol          Cisco VPN Client (IPsec) port
IPsec/NATT        UDP 500, UDP 4500
IPsec/TCP         TCP
IPsec/UDP         UDP 500, UDP X

I have allowed the connection as below; please correct me:

Incoming interface (wan) -> Source (all) -> Outgoing interface (lan) -> Destination address (machine IP) -> Service (HTTP, HTTPS). I did not find the other ports; should I create them, or what? Please advise me.

Thanks

CAD
Contributor

In other words, how do I configure the Cisco VPN through the FortiGate?

We are running firmware 5.2.8; does this support my request?

Please help me to do that.

Thanks

CAD
Contributor

Please check my configuration and advise me accordingly:

I have already created the rule (the status for the channel is shown as inactive).

 

FG200D (CIIPSec) # show full-configuration
config vpn ipsec phase1-interface
    edit "CIIPSec"
        set type dynamic
        set interface "internet"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set nattraversal enable
        set keylife 86400
        set authmethod psk
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set proposal aes256-md5 aes256-sha1
        set add-route enable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd enable
        set forticlient-enforcement disable
        set comments "VPN: Cisco (Created by VPN wizard)"
        set npu-offload enable
        set dhgrp 2
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "Cisco-Group"
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set mode-cfg-ip-version 4
        set assign-ip-from range
        set ipv4-start-ip 192.168.10.1
        set ipv4-end-ip 192.168.10.20
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include ''
        set split-include-service ''
        set unity-support enable
        set domain ''
        set banner ''
        set include-local-lan disable
        set save-password disable
        set client-auto-negotiate disable
        set client-keep-alive disable
        set psksecret ENC **************
        set keepalive 10
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set xauthexpire on-disconnect
    next
end

CAD
Contributor

FG200D (CIIPSec2) # show full-configuration
config vpn ipsec phase2-interface
    edit "CIIPSec2"
        set phase1name "CIIPSec"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 2
        set replay enable
        set keepalive disable
        set add-route phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
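The phase1 and phase2 dumps in the two posts above are what the VPN wizard's "dialup-cisco" template produces, and several of the settings in them are worth checking before exposing the tunnel to the internet: IKEv1 aggressive mode with a pre-shared key lets anyone who captures one negotiation attempt an offline dictionary attack on the PSK, MD5 is still in the phase1 proposal, and DH group 2 (1024-bit MODP) is used in both phases. The following script is an added example written for this thread, not code from Fortinet, from the poster or from the wizard. It parses the "config / edit / set / next / end" layout of a FortiOS "show full-configuration" dump and reports those weak settings. Assumptions: the dump has one statement per line (the forum flattened the posts onto single lines, so the sample below is a re-flowed, shortened copy of the posted blocks); the constructed names POSTED_CONFIG and HARDENED_CONFIG are mine; the FortiOS defaults applied when a keyword is absent (IKEv1, main mode, PSK, PFS on) are as noted in the comments; and the hardened counterpart assumes the client can negotiate IKEv2 with AES-256/SHA-256 and DH group 14.

```python
"""Audit FortiOS IPsec phase1/phase2 config for weak IKE settings.
Added example for this thread, not code from Fortinet or from the poster.
Assumes 'show full-configuration' text with one statement per line."""
import shlex

WEAK_HASHES = {"md5"}        # HMAC-MD5 integrity is deprecated for IKE/ESP
WEAK_DH = {"1", "2", "5"}    # MODP-768/1024/1536; use group 14 or higher

# Constructed sample: the security-relevant lines of the phase1/phase2
# blocks posted above, re-flowed one statement per line.
POSTED_CONFIG = """\
config vpn ipsec phase1-interface
    edit "CIIPSec"
        set ike-version 1
        set authmethod psk
        set mode aggressive
        set proposal aes256-md5 aes256-sha1
        set dhgrp 2
        set psksecret ENC **************
    next
end
config vpn ipsec phase2-interface
    edit "CIIPSec2"
        set phase1name "CIIPSec"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 2
    next
end
"""

# Constructed counterpart with the weak settings replaced. Assumption: the
# client can negotiate IKEv2 with AES-256/SHA-256 and DH group 14.
HARDENED_CONFIG = (POSTED_CONFIG
                   .replace("set ike-version 1", "set ike-version 2")
                   .replace("        set mode aggressive\n", "")
                   .replace("aes256-md5 aes256-sha1", "aes256-sha256")
                   .replace("aes128-sha1", "aes256-sha256")
                   .replace("set dhgrp 2", "set dhgrp 14"))


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} from config/edit/set blocks."""
    tables, frames = {}, []          # frames: [table, current entry] per level
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            tok = shlex.split(line)
        except ValueError:           # unbalanced quote in a value: fall back
            tok = line.split()
        kw = tok[0]
        if kw == "config":
            frames.append([" ".join(tok[1:]), None])
            tables.setdefault(frames[-1][0], {})
        elif kw == "edit" and frames:
            frames[-1][1] = tok[1] if len(tok) > 1 else ""
            tables[frames[-1][0]].setdefault(frames[-1][1], {})
        elif kw == "set" and frames and frames[-1][1] is not None and len(tok) > 1:
            tables[frames[-1][0]][frames[-1][1]][tok[1]] = tok[2:]
        elif kw == "next" and frames:
            frames[-1][1] = None
        elif kw == "end" and frames:
            frames.pop()
    return tables


def _crypto_findings(entry, settings):
    """Flag weak proposal hashes and DH groups; an absent dhgrp is not judged."""
    out = []
    for prop in settings.get("proposal", []):
        _enc, _, hsh = prop.partition("-")   # FortiOS proposals are "<enc>-<hash>"
        if hsh in WEAK_HASHES:
            out.append(("weak-hash", entry, f"proposal {prop} uses {hsh}"))
    for grp in settings.get("dhgrp", []):
        if grp in WEAK_DH:
            out.append(("weak-dh", entry, f"DH group {grp} is below 2048 bits"))
    return out


def audit_config(text):
    """Return a list of (rule_id, entry_name, detail) findings."""
    cfg, findings = parse_fortios(text), []
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        # FortiOS defaults when a keyword is absent: IKEv1, main mode, PSK auth
        if p1.get("ike-version", ["1"])[0] == "1":
            findings.append(("ikev1", name, "IKEv1 in use; prefer ike-version 2"))
            if p1.get("mode", ["main"])[0] == "aggressive" and \
               p1.get("authmethod", ["psk"])[0] == "psk":
                findings.append(("aggressive-psk", name,
                                 "aggressive mode sends the responder hash unencrypted,"
                                 " so the PSK can be brute-forced offline from a capture"))
        findings += _crypto_findings(name, p1)
    for name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        pfs_on = p2.get("pfs", ["enable"])[0] != "disable"   # FortiOS default: enable
        if not pfs_on:
            findings.append(("pfs-off", name, "PFS disabled; phase2 keys derive from phase1 only"))
        # without PFS the phase2 dhgrp is unused, so only judge the proposal
        findings += _crypto_findings(name, p2 if pfs_on else {"proposal": p2.get("proposal", [])})
    return findings
```

Run audit_config(POSTED_CONFIG) and it reports ikev1, aggressive-psk, weak-hash and weak-dh for "CIIPSec" and weak-dh for "CIIPSec2"; audit_config(HARDENED_CONFIG) returns nothing. To audit a real device, paste the full "show full-configuration" output into the function unchanged; the parser ignores keywords it does not know, so the wizard's other settings (mode-cfg, split tunnel, DPD) pass through without affecting the result. Whether the Cisco client in use will accept IKEv2 and group 14 is something to confirm on the client side before changing the live tunnel.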

CAD
Contributor

I NEED YOUR HELP!!!!!

MikePruett
Valued Contributor

Have you run through the FortiGate IPsec wizard? One of its options covers Cisco end user to FortiGate. That may be able to get you situated.

 

Otherwise you just need to create a dialup tunnel where your Gate is the endpoint and dialup users (non static IPs) can connect in. Everything else is standard Phase 1 / Phase 2 config from that point on.

 

 

EDIT: Just reviewed your config above and see that you did in fact run the wizard so my bad on that.

Mike Pruett Fortinet GURU | Fortinet Training Videos
CAD

I have deleted the old configuration for IPsec because I am not able to connect.

Can you please guide me to configure it correctly with Phase 1 and Phase 2? I followed the topic at the link below and did the same, but got "wrong credential".

"http://cookbook.fortinet.com/ipsec-vpn-forticlient"

Note: I have a VLAN switch; we need to configure the IPsec VPN for a specific VLAN.

 

Thanks

 
