Issue IPsec ASA to Fortigate

antoniuszoan
Level 1

I have a Cisco ASA 5516 and I want to connect to a FortiGate via IPsec. It is done, but I can ping from my local to remote, and remote to local. Maybe someone can help me solve this issue.

This is my config on the ASA:

sh crypto ipsec sa peer xx.xx.xx.xx
peer address: xx.xx.xx.xx
Crypto map tag: outside_map, seq num: 1, local addr: xx.xx.xx.xx

access-list outside_cryptomap extended permit ip xx.xx.xx.xx 255.255.255.0 xx.xx.xx.xx 255.255.255.0
local ident (addr/mask/prot/port): (xx.xx.xx.xx/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (xx.xx.xx.xx/255.255.255.0/0/0)
current_peer: xx.xx.xx.xx


#pkts encaps: 1184, #pkts encrypt: 1184, #pkts digest: 1184
#pkts decaps: 1175, #pkts decrypt: 1175, #pkts verify: 1175
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1184, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: xx.xx.xx.xx/0, remote crypto endpt.: xx.xx.xx.xx/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 25907DEB
current inbound spi : C0FDC906

inbound esp sas:
spi: 0xC0FDC906 (3237857542)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 202170368, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373930/27576)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x25907DEB (630226411)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 202170368, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373930/27575)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

The FortiGate allows all traffic from my local network.

Thanks a lot

7 Replies

Oleg Volkov
Spotlight

Hi!

Do you use NAT on the ASA?

If you have a dynamic NAT for inside traffic to outside, you must add a twice NAT for the encrypted traffic: inside source to inside source, remote destination to remote destination.

Also check the counters in show crypto ipsec sa: do you see any change in encrypt/decrypt?

Also check sysopt connection permit-vpn on the ASA.

And do a packet-tracer from inside with ICMP, using the inside PC address and the remote PC address.

Sorry, but I am writing from my phone and cannot add examples.

I can do it a little later.

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog



@Oleg Volkov, did you mean I must add NAT rules?
These are my NAT rules:
[attachment 1.jpg: screenshot of the NAT table, not reproduced]

FIREWALL# packet-tracer input inside icmp 10.160.40.8 8 0 10.1.128.61 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d08a6b40, priority=1, domain=permit, deny=false
hits=3133866, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.171.221.1 using egress ifc outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SERVER SERVER destination static SKCK_lokal SKCK_lokal no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.128.61/0 to 10.1.128.61/0

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static SERVER SERVER destination static SKCK_lokal SKCK_lokal no-proxy-arp route-lookup
Additional Information:
Static translate 10.160.40.8/0 to 10.160.40.8/0
Forward Flow based lookup yields rule:
in id=0x7fe9d0967dc0, priority=6, domain=nat, deny=false
hits=92, user_data=0x7fe9d094d780, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.160.40.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.128.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9cfb2e0a0, priority=0, domain=nat-per-session, deny=true
hits=52373, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d08afce0, priority=0, domain=inspect-ip-options, deny=true
hits=44107, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d08af4f0, priority=66, domain=inspect-icmp-error, deny=false
hits=522, user_data=0x7fe9d08aea60, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fe9cfb41810, priority=70, domain=encrypt, deny=false
hits=92, user_data=0x31d4, cs_id=0x7fe9d127a1e0, reverse, flags=0x0, protocol=0
src ip/id=10.160.40.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.128.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static SERVER SERVER destination static SKCK_lokal SKCK_lokal no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fe9d0968ac0, priority=6, domain=nat-reverse, deny=false
hits=92, user_data=0x7fe9d094d890, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.160.40.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.128.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 24364, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


FIREWALL# packet-tracer input outside icmp 10.1.128.61 8 0 10.160.40.8 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d082cf90, priority=1, domain=permit, deny=false
hits=5143872, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.160.44.2 using egress ifc inside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SERVER SERVER destination static SKCK_lokal SKCK_lokal no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.160.40.8/0 to 10.160.40.8/0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any4 object aksesvpn
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d08108d0, priority=13, domain=permit, deny=false
hits=1923, user_data=0x7fe9c421e100, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.160.40.8, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static SERVER SERVER destination static SKCK_lokal SKCK_lokal no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.128.61/0 to 10.1.128.61/0
Forward Flow based lookup yields rule:
in id=0x7fe9d0968260, priority=6, domain=nat, deny=false
hits=53, user_data=0x7fe9d094d890, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.1.128.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.160.40.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9cfb2e0a0, priority=0, domain=nat-per-session, deny=true
hits=52888, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d0835450, priority=0, domain=inspect-ip-options, deny=true
hits=43262, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d102ce80, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=54, user_data=0x7ff57c, cs_id=0x7fe9d127a1e0, reverse, flags=0x0, protocol=0
src ip/id=10.1.128.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.160.40.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Seems good.

In show crypto ipsec sa, the encrypted/decrypted counters must increase.

Can you check it?

And can you enable debug? debug icmp trace.

And, if you can, try to ping from the network behind the FortiGate.

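The counter check recommended in the replies above, as an added example that is not part of the original thread or of any Cisco tool: a Python script that parses two successive readings of "show crypto ipsec sa", computes the encaps/decaps deltas for the SA, and maps the movement to the next troubleshooting step discussed in this thread (twice NAT exemption, sysopt connection permit-vpn, packet-tracer, the FortiGate side). The two snapshots embedded in the script are constructed test data: the first reuses the counter values the poster pasted, the second is an invented later reading in which only encaps moved. The diagnosis strings are this thread's reasoning written down, not ASA output.

```python
"""
Added example, not from the original thread: diff two readings of the ASA
"show crypto ipsec sa" output and say what the encaps/decaps movement means.

SNAPSHOT_1 / SNAPSHOT_2 are constructed test data. The first copies the
counter values the poster pasted; the second is an invented later reading.
"""
import re
from dataclasses import dataclass

SNAPSHOT_1 = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 203.171.221.2

access-list outside_cryptomap extended permit ip 10.160.40.0 255.255.255.0 10.1.128.0 255.255.255.0
local ident (addr/mask/prot/port): (10.160.40.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.128.0/255.255.255.0/0/0)
current_peer: 36.66.67.38

#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
#pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
#send errors: 0, #recv errors: 0
"""

# Constructed: the same SA a minute later, after ten pings from 10.160.40.8.
# Only encaps moved, so the ASA sent ten packets and received nothing back.
SNAPSHOT_2 = SNAPSHOT_1.replace("#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80",
                                "#pkts encaps: 90, #pkts encrypt: 90, #pkts digest: 90")


@dataclass(frozen=True)
class SaCounters:
    peer: str
    local_ident: str   # addr/mask/prot/port tuple exactly as the ASA prints it
    remote_ident: str
    encaps: int        # packets this ASA encrypted and sent into the tunnel
    decaps: int        # packets received from the peer and decrypted
    send_errors: int
    recv_errors: int


def parse_ipsec_sa(text: str) -> SaCounters:
    """Extract the fields the check needs from one crypto-map entry."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError(f"field not found in output: {pattern}")
        return m.group(1)

    return SaCounters(
        peer=grab(r"^current_peer:\s*(\S+)"),
        local_ident=grab(r"^local ident.*\((\S+)\)$"),
        remote_ident=grab(r"^remote ident.*\((\S+)\)$"),
        encaps=int(grab(r"#pkts encaps:\s*(\d+)")),
        decaps=int(grab(r"#pkts decaps:\s*(\d+)")),
        send_errors=int(grab(r"#send errors:\s*(\d+)")),
        recv_errors=int(grab(r"#recv errors:\s*(\d+)")),
    )


# Next step for each outcome, taken from the troubleshooting advice in this thread.
NEXT_STEP = {
    "different-sa": "The two readings are not for the same peer/selectors; compare like with like.",
    "errors": "send/recv errors rose: check the SA state and fragmentation/MTU on both sides.",
    "bidirectional": "ASA both encrypts and decrypts, so the tunnel carries traffic; look beyond "
                     "the ASA (host firewall on the target, FortiGate policy and route back).",
    "no-return-traffic": "ASA encrypts but never decrypts: the FortiGate gets nothing or drops the "
                         "reply; check its phase 2 selectors, firewall policy and route for the "
                         "ASA inside subnet.",
    "no-outbound": "ASA decrypts but never encrypts: inbound traffic arrives but the reply is not "
                   "sent into the tunnel; check sysopt connection permit-vpn, the outside ACL and "
                   "the inside route to the host.",
    "idle": "Neither counter moved: the test traffic never matched the crypto map; run "
            "packet-tracer from inside and verify the twice NAT exemption for the VPN subnets.",
}


def interpret(before: SaCounters, after: SaCounters) -> str:
    """Classify the counter movement between two readings of the same SA."""
    if (before.peer, before.local_ident, before.remote_ident) != \
            (after.peer, after.local_ident, after.remote_ident):
        return "different-sa"
    if after.send_errors > before.send_errors or after.recv_errors > before.recv_errors:
        return "errors"
    sent = after.encaps > before.encaps
    received = after.decaps > before.decaps
    if sent and received:
        return "bidirectional"
    if sent:
        return "no-return-traffic"
    if received:
        return "no-outbound"
    return "idle"


def report(before_text: str, after_text: str) -> str:
    """Parse two raw outputs and return a one-line diagnosis with the deltas."""
    before, after = parse_ipsec_sa(before_text), parse_ipsec_sa(after_text)
    verdict = interpret(before, after)
    return (f"peer {after.peer} {after.local_ident} -> {after.remote_ident}: "
            f"encaps +{after.encaps - before.encaps}, decaps +{after.decaps - before.decaps} "
            f"[{verdict}] {NEXT_STEP[verdict]}")


if __name__ == "__main__":
    print(report(SNAPSHOT_1, SNAPSHOT_2))
```

Take the first reading, send a fixed number of pings from a host in the local subnet, take the second reading, and feed both to report(). The verdict is only meaningful when both readings belong to the same SA, which is why interpret() compares peer and selectors before looking at the counters; after a rekey or a tunnel flap the counters reset and the deltas are meaningless.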

FIREWALL# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 203.171.221.2

access-list outside_cryptomap extended permit ip 10.160.40.0 255.255.255.0 10.1.128.0 255.255.255.0
local ident (addr/mask/prot/port): (10.160.40.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.128.0/255.255.255.0/0/0)
current_peer: 36.66.67.38


#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
#pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72

 

I can ping from behind the ASA to the FortiGate gateway, but I can't ping from behind the ASA to behind the FortiGate.

Behind the FortiGate, I can't ping my ASA or behind the ASA.

I use my server IP segment as the remote IP on the FortiGate. Is that a problem, or must I use a segment of my ASA inside IP?

Hm...

Can you do debug icmp trace and try to ping the remote server?

And I do not understand you about this:

"I use my server IP segment as the remote IP on the FortiGate. Is that a problem, or must I use a segment of my ASA inside IP?"



Please move to the firewall community location