ORIGINAL: Saqib Zafar ... I can see outgoing traffic but found request time out on p.c connected to fortigate, and I see decrypted/incoming packets on CISCO PIX using show crypto ipsec sa command but no outgoing traffic...

Without any deep debugging, the above to me is a clue that the Cisco may not have a static route in place to send the traffic back to the FGT.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ORIGINAL: the above to me is a clue that the Cisco may not have a static route in place to send the traffic back to the FGT.

A good guess, but unlike FortiGate/SRX, there's no such thing as a route-based VPN in Cisco ASA.
ORIGINAL: I completed all of these steps and reconfirmed them all. VPN tunnel is up but traffic is not passing through on Fortigate. I can see outgoing traffic but found request time out on p.c connected to fortigate, and I see decrypted/incoming packets on CISCO PIX using show crypto ipsec sa command but no outgoing traffic.

OP, you're on the right track but you will need to validate the following:

1: Is the crypto map ACL defined for the traffic to be encrypted?
2: Do you have no-nat controls to control NAT of traffic from cisco >>>> fortigate?
3: Are you using specific proxy-ids x.x.x.x/x and not the 0.0.0.0/0:0 on the fortigate?
4: And for the route, make sure you don't have any other routes in the routing table that overlap or conflict with the destination subnet (issue a cli cmd show route, and review).
5: Lastly, are you 100% sure you don't have any interface access-groups that are preventing traffic from the remote subnet (cisco) to the local subnet on the fortigate?

If you can kindly provide the cisco PIX configuration, I will review it for you.

    show run | incl crypto-map      (or: show run crypto map)
    show run | incl access-list     (the one you have defined in the crypto-map)
    show run | incl nat             (just give me NATs for the interface(s) where the traffic goes; or: show run nat)

Your cisco config would look something like this (cisco ASA 9.1.4 but similar to PIX):

    access-list EXTERNAL01_cryptomap extended permit ip 10.200.218.0 255.255.254.0 10.200.110.0 255.255.254.0
    crypto map EXTERNAL01_map0 1 match address EXTERNAL01_cryptomap
    crypto map EXTERNAL01_map0 1 set peer 192.0.2.1
    crypto map EXTERNAL01_map0 1 set ikev1 transform-set ESP-AES-128-SHA
    crypto map EXTERNAL01_map0 interface EXTERNAL01
    crypto ikev1 enable EXTERNAL01
    crypto ipsec security-association pmtu-aging infinite

Your configuration should be a close match, but that level of pix code is quite old and I haven't touched a pix in probably 6+ years.

fwiw: if you have the packet-tracer (I doubt it, it should be in 7.1 code ..... but I'm too lazy to validate for that pix version) that would be helpful for diagnostics.

    packet-tracer input <nameif-here> udp <cisco source_lan_address/32-here> <portnumber> <remote fortigate address> <port number>
PCNSE
NSE
StrongSwan
ORIGINAL:
    access-list 100 permit ip 10.19.10.0 255.255.255.0 10.10.3.0 255.255.255.0
    access-list 150 permit ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.111 255.255.255.0
    ip address inside 10.19.10.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    access-group 150 in interface outside

Okay, a few things I would like to point out based on the cfg:

1: The ACL any any on the outside interface is something you WILL NOT do in real life (I'm assuming you did this as a test .... please say yes). That would be not a good thing :)
2: What you need to do is use ACL 100 for the crypto-map to match the specific network(s) for source/destination. Do something like the following:

    access-list 100 permit ip 10.19.10.0 255.255.255.0 10.10.3.0 255.255.255.0
    sysopt connection permit-ipsec
    no crypto map test-map 1 match address 150
    crypto map test-map 1 match address 100

You can't use a proxy-id of 0.0.0.0/0:0 as you can with a Juniper SRX and Fortinet FGT.
3: We need to know how the FGT phase2-interface was configured on your fortigate (please say you did an interface vpn?). Do

    show vpn ipsec phase1-interface <name of vpn phase1>
    show vpn ipsec phase2-interface <name of vpn phase2>

4: Ensure the proxy-ids are built as an exact mirror of what you're presenting via the PIX, as mentioned earlier. This is true for cisco PIX/ASA/ROUTER, checkpoint, and vyatta, or open/strong-swan, etc. Generally it's a good practice overall to define specific proxy-ids for the src/dst subnets imho for ALL vpn terminations. For your phase2-interface configuration (fortigate), ensure you have the following:

    set dst-subnet 10.19.10.0 255.255.255.0
    set src-subnet 10.10.3.0 255.255.255.0

5: Ensure you have a static route on the firewall (FGT) pointed to the cisco PIX LAN of 10.19.10.0/24, using the named phase1 interface name that you defined earlier.
6: Disable PFS from the phase2-interface settings and limit the proposal to ESP-SHA-Dh-grp2 for your setup.
7: Lastly, ensure fw policies are correct for the interfaces in/out * out/in.

For diagnostics, review all diag vpn phase1 and 2 tunnel status/counters, e.g.

    diag vpn ike gateway list name <name here phase1 name>
    diag vpn tunnel list name <name_here phase2 name>

(see attached link for t-shooting site2site vpns Fortigate)

    show crypto ipsec sa
    show crypto ike sa
    show access-list

These commands are your friends with regards to the ASA. Bottom line: correct the ACL to be something in the shape of the example that was given earlier. Your problem starts with the choice of any any. If you want to mirror the opposite direction, which is not really required, you would have two entries:

    access-list 100 permit ip 10.19.10.0 255.255.255.0 10.10.3.0 255.255.255.0
    access-list 100 permit ip 10.10.3.0 255.255.255.0 10.19.10.0 255.255.255.0

And finally, clear the vpn sessions after you make major changes so the new IKE+IPSEC SAs are rebuilt, e.g.

    diag vpn ike gateway clear name <phase 1 name here>
    diag vpn tunnel reset "namehere"
PCNSE
NSE
StrongSwan
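As an added illustration of the proxy-id mirroring the reply above insists on (example code written for this page, not from the thread, Fortinet or Cisco): a small Python checker that parses the PIX crypto-map ACL and the FortiGate phase2-interface selectors, flags an "any any" ACL or a 0.0.0.0/0 selector, and confirms the FortiGate src/dst pair is the exact reverse of the PIX ACL entry. The ACL ids and subnets are the thread's; the tunnel name "to-pix" and the config text are constructed samples.

```python
import ipaddress
import re

# Constructed samples modelled on the thread's configs (not the poster's
# full config): the PIX crypto ACLs and the FortiGate phase2-interface.
PIX_ACL = """
access-list 100 permit ip 10.19.10.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list 150 permit ip any any
"""
FGT_PHASE2 = """
config vpn ipsec phase2-interface
    edit "to-pix"
        set src-subnet 10.10.3.0 255.255.255.0
        set dst-subnet 10.19.10.0 255.255.255.0
"""

def _net(addr, mask=""):
    """'addr mask' or 'any' -> IPv4Network; 'any' is the 0.0.0.0/0 selector."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix_acl(text, acl_id):
    """Return the (src, dst) selector pairs of one PIX/ASA crypto-map ACL."""
    quad = r"\d+\.\d+\.\d+\.\d+"
    pat = re.compile(
        rf"^access-list {re.escape(acl_id)} (?:extended )?permit ip "
        rf"(\S+)(?: ({quad}))? (\S+)(?: ({quad}))?\s*$", re.M)
    return [(_net(s, sm), _net(d, dm)) for s, sm, d, dm in pat.findall(text)]

def parse_fgt_phase2(text):
    """Return the (src-subnet, dst-subnet) selector of a phase2-interface."""
    src = re.search(r"set src-subnet (\S+) (\S+)", text)
    dst = re.search(r"set dst-subnet (\S+) (\S+)", text)
    return (_net(*src.groups()), _net(*dst.groups()))

def check_mirror(pix_pairs, fgt_pair):
    """List the problems the thread calls out; empty list means a clean mirror."""
    findings = []
    fgt_src, fgt_dst = fgt_pair
    if fgt_src.prefixlen == 0 or fgt_dst.prefixlen == 0:
        findings.append("FGT selector uses 0.0.0.0/0; the PIX cannot match it")
    for src, dst in pix_pairs:
        if src.prefixlen == 0 and dst.prefixlen == 0:
            findings.append("PIX crypto ACL is 'any any'; use the specific subnets")
    # Mirror rule: the FGT src/dst must equal a PIX entry's dst/src.
    if (fgt_dst, fgt_src) not in pix_pairs:
        findings.append(f"no PIX ACL entry mirrors FGT {fgt_src} -> {fgt_dst}")
    return findings
```

Running check_mirror against ACL 100 returns no findings, while ACL 150 (the any/any the reply objects to) returns both the "any any" finding and a missing-mirror finding.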