Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Saqib_Zafar
New Contributor

Fortigate with Cisco PIX

Hey everyone. I am facing an issue with VPN connectivity between a FortiGate and a Cisco PIX using OS ver 6.3. I found a technical note on FortiGate to Cisco PIX VPN at: http://kb.fortinet.com/kb/microsites/searchEntry.do . I completed all of these steps and reconfirmed them all. The VPN tunnel is up but traffic is not passing through. On the FortiGate I can see outgoing traffic, but I get request timed out on the PC connected to the FortiGate, and I see decrypted/incoming packets on the Cisco PIX using the show crypto ipsec sa command, but no outgoing traffic. Can anyone tell me if there is anything I am missing here??? I have tried re-creating the VPN config on both sides, on the FG and the PIX.
rwpatterson
Valued Contributor III

Welcome to the forums.
ORIGINAL: Saqib Zafar ...i can see outgoing traffic but found request time out on p.c connected to fortigate, and i see decrypted/incoming packets on CISCO PIX using show crypto ipsec sa command but no outgoing traffic...
Without any deep debugging, the above is, to me, a clue that the Cisco may not have a static route in place to send the traffic back to the FGT.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

the above to me is a clue that the Cisco may not have a static route in place to send the traffic back to the FGT.
A good guess, but unlike FortiGate/SRX, there's no such thing as a route-based VPN in Cisco ASA.
i complete all of these steps and reconfirmed them all. VPN tunnel is up but traffic is no passing through on Fortigate i can see outgoing traffic but found request time out on p.c connected to fortigate, and i see decrypted/incoming packets on CISCO PIX using show crypto ipsec sa command but no outgoing traffic.
OP, you're on the right track, but you will need to validate the following:
1: Is the crypto map ACL defined for the traffic to be encrypted?
2: Do you have no-nat controls to control NAT of traffic from Cisco >>>> FortiGate?
3: Are you using specific proxy-IDs x.x.x.x/x and not 0.0.0.0/0:0 on the FortiGate?
4: And for the route, make sure you don't have any other routes in the routing table that overlap or conflict with the destination subnet (issue the CLI command show route, and review).
5: Lastly, are you 100% sure you don't have any interface access-groups that are preventing traffic from the remote subnet (Cisco) to the local subnet on the FortiGate?
If you can kindly provide the Cisco PIX configuration, I will review it for you.
show run | incl crypto-map   (or: show run crypto map)
show run | incl access-list   (the one you have defined in the crypto map)
show run | incl nat   (just give me the NATs for the interface(s) where the traffic goes; or: show run nat)
Your Cisco config would look something like this (Cisco ASA 9.1.4, but similar to PIX):
access-list EXTERNAL02_cryptomap extended permit ip 10.200.218.0 255.255.254.0 10.200.110.0 255.255.254.0
crypto map EXTERNAL01_map0 1 match address EXTERNAL01_cryptomap
crypto map EXTERNAL01_map0 1 set peer 192.0.2.1
crypto map EXTERNAL01_map0 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map EXTERNAL01_map0 interface EXTERNAL01
crypto ikev1 enable EXTERNAL01
crypto ipsec security-association pmtu-aging infinite
Your configuration should be a close match, but that level of PIX code is quite old and I haven't touched a PIX in probably 6+ years. fwiw: if you have the packet-tracer (I doubt it; it should be in 7.1 code ..... but I'm too lazy to validate that for your PIX version) that would be helpful for diagnostics.
packet-tracer input <nameif-here> udp <cisco source_lan_address/32-here> <portnumber> <remote fortigate address> <port number>

PCNSE NSE StrongSwan
Saqib_Zafar
New Contributor

This is a lab scenario I am testing, which later I have to apply on a customer site. I have an ACL on the Cisco: permit ip (source ip n mask) (dst ip n mask), and NAT is applied:
nat (inside) 0 access-list 100   (my above ACL number)
and I have this static route:
route outside 0.0.0.0 0.0.0.0 192.168.1.112 1   (1.112 is my ext hop IP address)
sysopt connection permit-ipsec
The following transform set is used, as defined in Fortinet's guides:
crypto ipsec transform-set one esp-3des esp-sha-hmac
This crypto map is used:
crypto map test-map 1 ipsec-isakmp
crypto map test-map 1 match address 150
crypto map test-map 1 set peer 192.168.1.112
crypto map test-map 1 set transform-set one
crypto map test-map 1 set security-association lifetime seconds 86400 kilobytes 4608000
ACL no 150 is:
permit ip any(source) any(destination)
NOTE: 192.168.1.112 is also my next peer IP here. For testing purposes I have created point-to-point connectivity, the FortiGate end having the 192.168.1.112 IP and the PIX having the 192.168.1.111 IP. The crypto map is applied on the outside interface on the PIX. isakmp is enabled on the outside interface. And this is the policy I have created for the PIX:
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
This is the complete example configuration defined in the above Fortinet technical note, and the same pre-defined configuration is on the FortiGate unit (as described in that note). So what do you all think, where is the problem??? I think it's the NAT on the Cisco; I am now disabling NAT on the Cisco to check this. If this works I will inform you; if not, I will wait for your suggestions.
Thanks & Regards,
Saqib Zafar
Saqib_Zafar
New Contributor

I have natinbound and natoutbound disabled on the FortiGate in its policy, and on the PIX I have also changed: nat (inside) 0 access-list 100 to: no nat (inside). In the beginning no proxy IPs were used on the FortiGate; now I have enabled proxy source and destination on the FortiGate, and on the Cisco I have used an ACL permitting the source on the PIX and the destination IP of the FortiGate and applied it in my crypto map, but still no result.
emnoc
Esteemed Contributor III

If this is a lab, why can't you just post the ACL in full for clarity? It would be more clear. This ACL 150:
permit ip any(source) any(destination)
should be written to be subnet specific (from<>to), e.g.
access-list 150 permit ip 1.0.0.0 255.255.255.0 2.0.0.0 255.255.255.0
fwiw: I like adding the reverse directions in the ACL, but it's not required; just make sure you have the proper source on the local and remote sides. Outside of the ACL, and provided you have the no nat or your nat 0, it looks good. But I'm wondering about your FortiGate cfg now. You stated packets from FGT>>>>>to>>>>PIX were arriving and you validated this via the show crypto ipsec sa command. And now packets from the PIX >>>>>>to>>>>>FGT are not? Is that all correct? Do you see matches on your ACL-150 entries? I would suggest you ensure that PFS is not enabled for phase2 on the FGT. I would also suggest you use my how-to troubleshoot VPN FGT blog post: http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html This and the various diag commands within that link will provide tons of phase1/2 diagnostics.

Saqib_Zafar
New Contributor

I am posting the complete device configuration of the Cisco PIX:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname TEST
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.19.10.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list 150 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.111 255.255.255.0
ip address inside 10.19.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
access-group 150 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.112 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set one esp-3des esp-sha-hmac
crypto map test-map 1 ipsec-isakmp
crypto map test-map 1 match address 150
crypto map test-map 1 set peer 192.168.1.112
crypto map test-map 1 set transform-set one
crypto map test-map 1 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map test-map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.112 netmask 255.255.255.0
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
Saqib_Zafar
New Contributor

Yes, I can see outgoing traffic from FGT>>>>>>>>>>>>PIX, and on the PIX I can see decrypted packets. But no traffic from PIX>>>>>>>>>>>>>>>>FGT. And I see matching ACL entries on the PIX with increasing HITCOUNTS, and also increased outgoing traffic on the FGT. I have both kinds of ACL, as you can see, ACL 100 and 150. I will look into the link you provided me. Thanks and Cheers.
emnoc
Esteemed Contributor III

access-list 100 permit ip 10.19.10.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list 150 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.111 255.255.255.0
ip address inside 10.19.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
access-group 150 in interface outside
Okay, a few things I would like to point out based on the cfg:
1: The ACL any any on the outside interface is something you WILL NOT do in real life (I'm assuming you did this as a test ..... please say yes). That would not be a good thing :)
2: What you need to do is use ACL 100 for the crypto-map match, with the specific network(s) for source/destination. Do something like the following:
access-list 100 permit ip 10.19.10.0 255.255.255.0 10.10.3.0 255.255.255.0
sysopt connection permit-ipsec
no crypto map test-map 1 match address 150
crypto map test-map 1 match address 100
You can't use a proxy-ID of 0.0.0.0/0:0 as you can with a Juniper SRX and Fortinet FGT.
3: We need to know how the FGT phase2-interface was configured on your FortiGate (please say you did an interface VPN?). Do:
show vpn ipsec phase1-interface <name of vpn phase1>
show vpn ipsec phase2-interface <name of vpn phase2>
4: Ensure the proxy-IDs are built as an exact mirror of what you're presenting via the PIX, as mentioned earlier. This is true for Cisco PIX/ASA/router, Checkpoint, and Vyatta, or Open/StrongSwan, etc........ Generally it's good practice overall to define specific proxy-IDs for the src/dst subnets, imho, for ALL VPN terminations. (For your phase2-interface configuration on the FortiGate) ensure you have the following:
set dst-subnet 10.19.10.0 255.255.255.0
set src-subnet 10.10.3.0 255.255.255.0
5: Ensure you have a static route on the firewall (FGT) pointed to the Cisco PIX LAN of 10.19.10.0/24 and using the named phase1 interface name that you defined earlier.
6: Disable PFS in the phase2-interface settings and limit the proposal to ESP-SHA-DH-grp2, for your setup.
7: Lastly, ensure the fw policies are correct for the interfaces in/out & out/in.
For diagnostics, review all diag vpn phase1 and 2 tunnel status/counters, e.g.
diag vpn ike gateway list name <name here phase1 name>
diag vpn tunnel list name <name_here phase2 name>
(see the attached link for t-shooting site2site VPNs on FortiGate)
show crypto ipsec sa
show crypto ike sa
show access-list
These commands are your friends with regards to the ASA. Bottom line: correct the ACL to be something in the shape of the example that was given earlier. Your problem starts with the choice of any any. If you want to mirror the opposite direction, which is not really required, you would have two entries:
# access-list 100 permit ip 10.19.10.0 255.255.255.0 10.10.3.0 255.255.255.0
# access-list 100 permit ip 10.10.3.0 255.255.255.0 10.19.10.0 255.255.255.0
And finally, clear the VPN sessions after you make major changes so the new IKE+IPsec SAs are rebuilt, e.g.
diag vpn ike gateway clear name <phase 1 name here>
diag vpn tunnel reset "namehere"

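The proxy-ID checks emnoc keeps coming back to (a subnet-specific crypto-map ACL rather than any any, and FortiGate src/dst-subnet as an exact mirror of the PIX side) can be scripted against the two configs. The following is an added Python example, not code from this thread or from Fortinet/Cisco; its input is constructed from the PIX config and the phase2 lines posted above, and the FortiGate `set src-subnet`/`set dst-subnet` syntax is assumed as emnoc gave it.

```python
import ipaddress

# Constructed input: crypto-map lines from the PIX config posted in this thread,
# plus FortiGate phase2 proxy-ID lines in the form emnoc asked for (assumed).
PIX_AS_POSTED = """
access-list 100 permit ip 10.19.10.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list 150 permit ip any any
crypto map test-map 1 match address 150
"""
PIX_CORRECTED = PIX_AS_POSTED.replace("match address 150", "match address 100")
FGT_PHASE2 = """
set src-subnet 10.10.3.0 255.255.255.0
set dst-subnet 10.19.10.0 255.255.255.0
"""

def parse_endpoint(tokens):
    """Consume one Cisco ACL endpoint ('any' or 'ADDR MASK'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def crypto_acl_entries(config):
    """Return the (src, dst) network pairs of the ACL the crypto map matches on."""
    acls, bound = {}, None
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = parse_endpoint(t[4:])
            acls.setdefault(t[1], []).append((src, parse_endpoint(rest)[0]))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            bound = t[-1]  # ACL name/number the crypto map selects traffic with
    return acls.get(bound, [])

def fgt_proxy_ids(phase2):
    """Return (src-subnet, dst-subnet) from FortiGate 'set ...-subnet A M' lines."""
    nets = {}
    for t in (line.split() for line in phase2.splitlines()):
        if len(t) == 4 and t[0] == "set" and t[1] in ("src-subnet", "dst-subnet"):
            nets[t[1]] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
    return nets["src-subnet"], nets["dst-subnet"]

def check_proxy_ids(pix_config, fgt_phase2):
    """Return findings; an empty list means the selectors mirror cleanly."""
    entries = crypto_acl_entries(pix_config)
    fgt_src, fgt_dst = fgt_proxy_ids(fgt_phase2)
    findings = [f"'any' in crypto-map ACL entry {s} -> {d}: PIX cannot use 0.0.0.0/0 as a proxy-ID"
                for s, d in entries if s.prefixlen == 0 or d.prefixlen == 0]
    # The PIX local->remote pair must equal the FortiGate remote->local (dst, src) pair.
    if (fgt_dst, fgt_src) not in entries:
        findings.append(f"no PIX ACL entry mirrors FortiGate {fgt_src} -> {fgt_dst}")
    return findings
```

Run `check_proxy_ids(PIX_AS_POSTED, FGT_PHASE2)` to see both findings for the posted config (the any-any selector and the missing mirror), and `check_proxy_ids(PIX_CORRECTED, FGT_PHASE2)` to see the empty list once the crypto map points at ACL 100.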
Saqib_Zafar
New Contributor

1- This is a test scenario. I will never implement this kind of ACLs.
2- Before pasting this configuration I was using this ACL 100 with the crypto map.
3- That one is a tunnel VPN, not interface, as described in the Fortinet technical note to uncheck IPsec interface mode.
4- Proxy-IDs are a mirror of the PIX on the FortiGate.
5- Man, this is a policy VPN, right, not a route-based one, because what you said about the route for VPN phase-1 is defined in route-based VPN configuration.
6- PFS is disabled in phase-2.
7- There is only one policy for ACTION IPSEC in>>>>out.
I will review this policy issue on the FortiGate, but I think this issue is from the PIX, because it's decrypting packets but not resending them by encrypting them???? What do you say???