Support Forum
sub_zero
New Contributor

FTG-ASA site2site all traffic & NAT

Hi all, I have the following scenario: 13 branches and 1 headquarters. At the branches are Cisco ASA 5510s; at the headquarters is a FortiGate 100D. The branches are connected to the headquarters with classical IPsec site-to-site tunnels. Now we need to get all traffic from the branches over the IPsec tunnel to the headquarters and apply FortiGate web filtering, so central access to the Internet... So I put it together and tested it in our lab and, unfortunately, it's not working. The tunnel is up and connected, but traffic does not pass.

ASA cfg:

interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 62.209.xxx.xxx 255.255.255.128
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 172.17.14.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list WAN_access_in extended permit icmp any any
access-list WAN_access_in extended permit ip any any inactive
access-list LAN_access_in extended permit icmp any any
access-list LAN_access_in extended permit ip any any
access-list LAN_nat0_outbound extended permit ip 172.17.14.0 255.255.255.0 any
access-list WAN_1_cryptomap extended permit ip 172.17.14.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 172.17.14.0 255.255.255.0
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
route WAN 0.0.0.0 0.0.0.0 62.209.xxx.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http server session-timeout 60
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 LAN
http 0.0.0.0 0.0.0.0 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 1 set peer xxx.xxx.xxx.xxx
crypto map WAN_map 1 set transform-set ESP-AES-192-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 WAN
ssh 0.0.0.0 0.0.0.0 LAN
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key **********
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:92a7f3d34807b96126cf0b893ee57bfe
: end
ciscoasa#

and FTG cfg (v5.0,build4429):

config vpn ipsec phase1-interface
    edit "Test_Lan_Soft"
        set interface "INET"
        set nattraversal disable
        set proposal aes192-sha1
        set remote-gw 62.209.xxx.xxx
    next
end
config vpn ipsec phase2-interface
    edit "Test_Lan_Soft_phase2"
        set auto-negotiate enable
        set keepalive enable
        set phase1name "Test_Lan_Soft"
        set proposal aes192-sha1
        set dhgrp 2
        set dst-subnet 172.17.14.0 255.255.255.0
    next
end
config firewall policy
    edit 16
        set srcintf "Test_Lan_Soft"
        set dstintf "any"
        set srcaddr "TestLAN SigmaSoft"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 17
        set srcintf "any"
        set dstintf "Test_Lan_Soft"
        set srcaddr "all"
        set dstaddr "TestLAN SigmaSoft"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Is it possible to make it work this way? I tested it a long time ago between two ASAs and it worked correctly. It would also be ideal if you could manage to make even a branch communicate with another branch. Thank you for any help and sorry for my English :( Regards, George
2 replies
rwpatterson
Valued Contributor III

Welcome to the forums. It may be in your best interest to place the branch offices into a zone. Using a zone, you can have all the members filtered and treated equally. Additionally, with a check box you can turn on inter member communications as well. The zone would then be used as the endpoint in a policy to the Internet.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

From what I can see, you don't have a route to the client spoke LAN {172.17.14.0 255.255.255.0}, but you will have to share more of your configuration. 2nd, diag debug flow is your friend for the FGT. 3rd, packet-tracer is your friend for the ASA. Lastly, you can use the following blog for troubleshooting l2l VPNs: http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html

PCNSE NSE StrongSwan
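As an added example (not code from the thread, from Fortinet or from Cisco), the script below turns the two replies into checks that can be run against a pasted FortiGate configuration. For a spoke to reach the Internet through the hub, the hub needs a static route to the spoke LAN pointing at the tunnel interface (emnoc's missing-route point), and its policy from the tunnel, or from a zone containing the tunnel as rwpatterson suggests, towards the WAN must have NAT enabled, otherwise the branch's 172.17.14.0/24 addresses leave the Internet interface unchanged. The parser handles the FortiOS CLI syntax used in the post (config/edit/set/next/end). The sample configurations are constructed: one mirrors the posted policy 16, the other adds a zone named "branches", a static route entry and `set nat enable`, all of which are assumptions for the example. Only the hub side is checked; the ASA crypto ACL and nat0 exemption are not parsed.

```python
import ipaddress
import re

def parse_fortios(text):
    """FortiOS CLI (config/edit/set/next/end) -> {table: {entry: {option: value}}};
    a 'set' with one argument stores a string, with several a list."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        parts = [p.strip('"') for p in re.findall(r'"[^"]*"|\S+', raw)]
        if not parts:
            continue
        if parts[0] == "config":
            stack.append(" ".join(parts[1:]))
            tables.setdefault(stack[-1], {})
        elif parts[0] == "edit":
            entry = tables[stack[-1]].setdefault(parts[1], {})
        elif parts[0] == "set":
            entry[parts[1]] = parts[2] if len(parts) == 3 else parts[2:]
        elif parts[0] == "next":
            entry = None
        elif parts[0] == "end":
            stack.pop()
    return tables

def as_list(value):
    return value if isinstance(value, list) else [value]

def to_network(value):
    """FortiOS 'addr mask' (parsed as a list) or 'addr/prefix' -> ip_network."""
    return ipaddress.ip_network("/".join(as_list(value)), strict=False)

def zone_of(cfg, ifname):
    """Zone containing ifname, or None; a policy must reference the zone, not the member."""
    for zname, zone in cfg.get("system zone", {}).items():
        if ifname in as_list(zone.get("interface", [])):
            return zname
    return None

def check_hub(cfg, spoke_lan, tunnel_if, wan_if):
    """List of findings; an empty list means both hub requirements are met."""
    spoke, findings = ipaddress.ip_network(spoke_lan), []
    # 1. return traffic needs a non-default static route to the spoke LAN via the tunnel
    routes = [(r.get("device"), to_network(r.get("dst", "0.0.0.0/0")))
              for r in cfg.get("router static", {}).values()]
    if not any(dev == tunnel_if and net.prefixlen and net.supernet_of(spoke) for dev, net in routes):
        findings.append("route: no static route to %s via %s" % (spoke, tunnel_if))
    # 2. egress policy from the tunnel (or its zone) towards the WAN, with source NAT
    src = {tunnel_if, zone_of(cfg, tunnel_if)} - {None}
    dst = {wan_if, zone_of(cfg, wan_if), "any"} - {None}
    egress = [p for p in cfg.get("firewall policy", {}).values()
              if p.get("action") == "accept" and src & set(as_list(p.get("srcintf", [])))
              and dst & set(as_list(p.get("dstintf", [])))]
    if not egress:
        findings.append("policy: no accept policy from %s to %s" % (tunnel_if, wan_if))
    elif not any(p.get("nat") == "enable" for p in egress):
        findings.append("policy: %s -> %s policy lacks 'set nat enable'" % (tunnel_if, wan_if))
    return findings

# Constructed sample in the poster's syntax: tunnel -> any policy without NAT, no route to the spoke
POSTED_CFG = """
config firewall policy
    edit 16
        set srcintf "Test_Lan_Soft"
        set dstintf "any"
        set action accept
    next
end
"""
# Constructed sample: tunnel placed in a zone (rwpatterson), return route (emnoc), NAT on egress
FIXED_CFG = """
config system zone
    edit "branches"
        set intrazone allow
        set interface "Test_Lan_Soft"
    next
end
config router static
    edit 10
        set dst 172.17.14.0 255.255.255.0
        set device "Test_Lan_Soft"
    next
end
config firewall policy
    edit 16
        set srcintf "branches"
        set dstintf "INET"
        set action accept
        set nat enable
    next
end
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CFG), ("fixed", FIXED_CFG)):
        print(name, check_hub(parse_fortios(text), "172.17.14.0/24", "Test_Lan_Soft", "INET") or "OK")
```

Run with python3: the posted sample reports the missing route and the missing NAT, the corrected sample reports OK. The zone lookup matters because FortiOS will not let a policy reference an interface that belongs to a zone, so once the tunnels are zoned the egress policy has to name the zone. The phase2 selector is not checked here; on the posted configuration it is the dst-subnet 172.17.14.0/24 with the default 0.0.0.0/0 source, which mirrors the ASA crypto ACL.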