I've got a problem between a FGT60B (running v4 MR2 P2) and a Cisco 3825 v12.41A.
The VPN is established. The network behind the Cisco should reach a webserver behind the FGT. ICMP works fine in both directions. But the network behind the Cisco can't reach the webserver (or anything else - i.e. FTP).
In the session list I can see the incoming packet with the policy.
The webserver behind the FGT doesn't even log the attempt from the network behind the Cisco.
I've tried the same setup with another FortiGate and it works.
It's strange - I can see the packet in the session list, but not on the webserver.
- Interface Mode
- Route is defined (remote network via VPN interface)
- Policy between internal and VPN interface - everything allowed (nothing else activated - no NAT, no AV, no IPS, no UTM ....)
- Same settings in the other direction.
- NAT traversal is active in VPN P1
Has anybody had similar problems with a Cisco?
Do I have to change some settings in the FGT?
- set the source and destination addresses in the policies to ALL
- look at the packets arriving on the tunnel end at the FG
For that, open the CLI (console window) and type
diag sniffer packet myTunnel icmp 4
where myTunnel is the name of the phase1. Then start a ping on the Cisco side and post what you get.
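To make the sniffer output easier to read, here is an added example (not from the thread) that groups `diag sniffer packet <tunnel> 'tcp' 4` lines into TCP flows and reports whether each handshake completed, whether the FortiGate answered with a SYN-ACK that never got an ACK back (the asymmetric case the thread ends up finding), or whether the SYN got no answer at all. The sample lines, interface name and addresses are constructed and only approximate the verbosity-4 layout.

```python
import re
from collections import defaultdict

# Constructed sample approximating FortiGate sniffer output (verbosity 4) on a tunnel
# interface; interface name and addresses are assumptions, not the thread's real values.
SAMPLE = """\
interfaces=[myTunnel]
filters=[tcp]
1.104231 myTunnel in 172.16.20.15.49731 -> 10.10.10.80.80: syn 2301887641
1.104402 myTunnel out 10.10.10.80.80 -> 172.16.20.15.49731: syn 1762203945 ack 2301887642
4.104233 myTunnel in 172.16.20.15.49731 -> 10.10.10.80.80: syn 2301887641
7.104240 myTunnel in 172.16.20.15.49731 -> 10.10.10.80.80: syn 2301887641
9.220113 myTunnel in 172.16.20.15.49802 -> 10.10.10.80.21: syn 88120033
9.220300 myTunnel out 10.10.10.80.21 -> 172.16.20.15.49802: syn 4112005 ack 88120034
9.230001 myTunnel in 172.16.20.15.49802 -> 10.10.10.80.21: ack 4112006
"""

# One TCP packet line: timestamp, interface, direction, src.port -> dst.port: flags...
# ICMP lines carry no port and simply do not match, so they are skipped.
LINE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$")

def parse(text):
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def handshake_state(text):
    """Key flows by (client, cport, server, sport) and classify the 3-way handshake."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for p in parse(text):
        f = p["flags"].split()
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        if f[0] == "syn" and "ack" not in f:       # client SYN (or a retransmit)
            flows[fwd]["syn"] += 1
        elif f[0] == "syn":                        # server SYN-ACK: reverse the key
            flows[(p["dst"], p["dport"], p["src"], p["sport"])]["synack"] += 1
        elif "ack" in f and fwd in flows:          # client ACK/PSH-ACK on a known flow
            flows[fwd]["ack"] += 1
    result = {}
    for key, c in flows.items():
        if c["ack"]:
            result[key] = "handshake complete"
        elif c["synack"]:
            result[key] = "SYN-ACK sent, no ACK back: reply path blocked on peer?"
        else:
            result[key] = "SYN seen, no SYN-ACK: server or local policy not answering"
    return result

if __name__ == "__main__":
    for key, state in handshake_state(SAMPLE).items():
        print("%s:%s -> %s:%s  %s" % (key + (state,)))
```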
thx - the diag sniffer helped a lot. The Cisco didn't respond to the ACK.
It works, if on the Cisco side incoming packets are allowed.
But for security it should only work in one direction (the Cisco network can access the webserver on the Fortinet). They're looking at how they could handle it.
btw - we're neighbours - Mannheim-Heidelberg