09-11-2016 12:43 AM - edited 03-05-2019 04:40 AM
Hi guys,
Please advise if the Cisco 877 is compatible for a Site2Site VPN with a Fortigate 600c?
And my second question is about my config. As a first step I'm trying to set up the 877 as NAT and DHCP. FA0 is connected to a network with another DHCP router and the Internet connection. The lab network is connected to FA2. The lab should get DHCP from the 877 (192.168.144.0/24) and be able to access the Internet. Currently it is able to receive DHCP but can't access the Internet. Please help me fix it.
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname office
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
no ip routing
!
!
!
ip dhcp excluded-address 192.168.144.254
!
ip dhcp pool office-pool
import all
network 192.168.144.0 255.255.255.0
default-router 192.168.144.254
dns-server 192.168.144.254
!
!
no ip cef
no ipv6 cef
!
!
!
controller VDSL 0
!
!
interface Ethernet0
shutdown
!
interface ATM0
shutdown
!
interface FastEthernet0
switchport access vlan 2
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
switchport access vlan 3
no ip address
!
interface FastEthernet3
no ip address
shutdown
!
interface Vlan1
ip address dhcp
no ip route-cache
shutdown
!
interface Vlan2
ip address dhcp
!
interface Vlan3
ip address 192.168.144.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
09-11-2016 05:41 PM
Hello Nick Sinyakov,
I have personally never tried a Site2Site VPN between the Cisco 877 and a Fortigate device. I am assuming it should work as long as the Fortigate VPN code is RFC compliant and the Phase 1/Phase 2 IPsec parameters match.
I have also noticed that for some reason, the "Routing" capability is disabled in your equipment. This will prevent routing from working normally. Let's start by enabling it.
!
ip routing
ip cef
!
Now, you should be able to make NAT work using the following configuration:
!
ip access-list standard INSIDE-LOCAL-NET
permit 192.168.144.0 0.0.0.255
!
route-map NAT-1
match ip address INSIDE-LOCAL-NET
match interface vlan2
!
ip nat inside source route-map NAT-1 interface Vlan2 overload
!
interface Vlan3
ip nat inside
interface Vlan2
ip nat outside
!
As a side note, I can see that the DHCP Server configuration on the Cisco Router is handing out the IP address of the interface on Vlan 3 as the DNS Server for hosts on that VLAN.
I would suggest using a different DNS Server (like Google's public servers) or activating the Router's DNS Server capability.
!
! Make the Router a DNS Server.
!
ip dns server
!
end
!
! Provide a different IP for DNS Server.
!
ip dhcp pool office-pool
no dns-server 192.168.144.254
dns-server 8.8.8.8
!
end
I hope this helps.
09-11-2016 06:05 PM
Hi Hector,
Thanks for reply and clear explanation. I will try it this evening and let you know the result.
09-12-2016 05:52 AM
Perfect Hector,
The first part of this task is completed and my lab network, which is connected to Vlan 3, is getting DHCP and internet access. Now I'd like to set up Site2Site with the Fortigate, which has the details below:
Authentication: Pre-Shared Key
Local LAN: 10.10.10.0/24
Remote LAN: 192.168.144.0/24
Phase 1 Interface
Dead Peer Detection: enable
DNS Mode: auto
DH Group: 5
Proposal: 3des-sha1 3des-md5
Type: dynamic
Phase 2 Interfaces
DH Group: 5
Perfect Forward Secrecy (PFS): enable
Proposal: 3des-md5
Local to Remote Policy
Action: accept
Services: ALL
Schedule: always
Remote to Local Policy
Action: accept
Services: ALL
Schedule: always
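An added example (not from either poster) of the IOS IKEv1 crypto-map side that matches the Fortigate parameters listed above, layered onto the NAT route-map from Hector's reply. It assumes the Fortigate is reachable at a fixed public address (placeholder 203.0.113.1), a placeholder pre-shared key, and object names FGT-TS, FGT-VPN, VPN-TRAFFIC and NAT-TRAFFIC that I chose.

```cisco
! Phase 1 (IKEv1): matches the Fortigate's 3des-sha1 proposal, DH group 5, PSK
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 5
! 203.0.113.1 is a placeholder for the Fortigate's public address
crypto isakmp key CHANGE-ME-PSK address 203.0.113.1
! Dead Peer Detection, enabled on the Fortigate as well
crypto isakmp keepalive 10 3 periodic
!
! Phase 2: matches the Fortigate's 3des-md5 proposal (legacy ciphers, kept
! only because they are what the Fortigate offers)
crypto ipsec transform-set FGT-TS esp-3des esp-md5-hmac
 mode tunnel
!
! Interesting traffic: lab LAN (192.168.144.0/24) <-> Fortigate LAN (10.10.10.0/24)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.144.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! NAT exemption: traffic bound for the tunnel must leave untranslated, so the
! route-map NAT-1 from the reply above switches to an ACL that denies it first
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.144.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.144.0 0.0.0.255 any
route-map NAT-1 permit 10
 no match ip address INSIDE-LOCAL-NET
 match ip address NAT-TRAFFIC
!
! Crypto map with PFS group 5, as required by the Fortigate's Phase 2 settings
crypto map FGT-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set FGT-TS
 set pfs group5
 match address VPN-TRAFFIC
!
! Bind it to the WAN-facing SVI (Vlan2 gets its address via DHCP)
interface Vlan2
 crypto map FGT-VPN
!
! Verify after sending traffic from the lab LAN toward 10.10.10.0/24:
!   show crypto isakmp sa        (state should be QM_IDLE)
!   show crypto ipsec sa         (encaps/decaps counters increasing)
```

The Fortigate's Phase 1 type is "dynamic", which normally means it only responds, so the tunnel comes up when the lab side sends traffic toward 10.10.10.0/24 rather than on its own.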