---

@Oleg Volkov wrote:

Hi!

Do You use NAT on Asa ?

if You have dynamic map for inside traffic to outside, You must add twice NAT for encrypted traffic, inside source to inside source , remote destination to remote destination.

Also check counters in sh crypto IPSec, do you see any changes on encrypt / decrypt.

also check sysopt vpn connection on ASA.

and do packet tracer inside icmp with inside PC address and remote PC address.

sorry but I write from phone and can not add examples.

i can do it slightly later 

---

did u mean i must adding NAT rules?
this is my NAT Rules

FIREWALL# packet-tracer input inside icmp 10.160.40.8 8 0 10.1.128.61 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d08a6b40, priority=1, domain=permit, deny=false
hits=3133866, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.171.221.1 using egress ifc outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SERVER SERVER destination static SKCK_lokal SKCK_lokal no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.128.61/0 to 10.1.128.61/0

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static SERVER SERVER destination static SKCK_lokal SKCK_lokal no-proxy-arp route-lookup
Additional Information:
Static translate 10.160.40.8/0 to 10.160.40.8/0
Forward Flow based lookup yields rule:
in id=0x7fe9d0967dc0, priority=6, domain=nat, deny=false
hits=92, user_data=0x7fe9d094d780, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.160.40.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.128.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9cfb2e0a0, priority=0, domain=nat-per-session, deny=true
hits=52373, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d08afce0, priority=0, domain=inspect-ip-options, deny=true
hits=44107, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d08af4f0, priority=66, domain=inspect-icmp-error, deny=false
hits=522, user_data=0x7fe9d08aea60, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fe9cfb41810, priority=70, domain=encrypt, deny=false
hits=92, user_data=0x31d4, cs_id=0x7fe9d127a1e0, reverse, flags=0x0, protocol=0
src ip/id=10.160.40.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.128.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static SERVER SERVER destination static SKCK_lokal SKCK_lokal no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fe9d0968ac0, priority=6, domain=nat-reverse, deny=false
hits=92, user_data=0x7fe9d094d890, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.160.40.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.128.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 24364, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

FIREWALL# packet-tracer input outside icmp 10.1.128.61 8 0 10.160.40.8

detaile$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d082cf90, priority=1, domain=permit, deny=false
hits=5143872, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.160.44.2 using egress ifc inside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SERVER SERVER destination static SKCK_lokal SKCK_lokal no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.160.40.8/0 to 10.160.40.8/0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any4 object aksesvpn
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d08108d0, priority=13, domain=permit, deny=false
hits=1923, user_data=0x7fe9c421e100, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.160.40.8, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static SERVER SERVER destination static SKCK_lokal SKCK_lokal no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.128.61/0 to 10.1.128.61/0
Forward Flow based lookup yields rule:
in id=0x7fe9d0968260, priority=6, domain=nat, deny=false
hits=53, user_data=0x7fe9d094d890, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.1.128.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.160.40.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9cfb2e0a0, priority=0, domain=nat-per-session, deny=true
hits=52888, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d0835450, priority=0, domain=inspect-ip-options, deny=true
hits=43262, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe9d102ce80, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=54, user_data=0x7ff57c, cs_id=0x7fe9d127a1e0, reverse, flags=0x0, protocol=0
src ip/id=10.1.128.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.160.40.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Seems good.

in show crypto IPSec encrypted/decrypted counters must be increase.

can you check it?

And can you enable debug? Debug icmp trace.

and , if you can, try to ping from network behind fortigate

FIREWALL# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 203.171.221.2

access-list outside_cryptomap extended permit ip 10.160.40.0 255.255.255.0 10.1.128.0 255.255.255.0
local ident (addr/mask/prot/port): (10.160.40.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.128.0/255.255.255.0/0/0)
current_peer: 36.66.67.38

#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
#pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72

I can ping from behind ASA to GW Forti but I cant ping behind asa to behind Forti.

Behind forti cant ping my asa or behind ASA.

I use my segment ip server to remote ip on forti. its a problem? or i must use a segment of my inside ip ASA?

Hm...

Can You do bebug icmp trace and try to ping remote server?.

And I do not understad You about this:

I use my segment ip server to remote ip on forti. its a problem? or i must use a segment of my inside ip ASA?