cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
153
Views
0
Helpful
3
Replies
Highlighted
Beginner

Cisco 877 with NAT and Site2Site VPN

Hi guys,

Please advise if cisco 877 is compatible for Site2Site VPN with Fortigate 600c?


And second question is about my config. As first step I'm trying to setup 877 as NAT and DHCP. FA0 connected to a network with another DHCP router and the Internet connection. Lab network connected to FA2. Lab. should get DHCP from 877 (192.168.144.0/24) and be able to access the Internet. Currently it's able to receive DHCP but can't access internet. Please help to fix it

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname office
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
no ip routing
!
!
!
ip dhcp excluded-address 192.168.144.254
!
ip dhcp pool office-pool
 import all
 network 192.168.144.0 255.255.255.0
 default-router 192.168.144.254
 dns-server 192.168.144.254
!
!
no ip cef
no ipv6 cef
!
!
!
controller VDSL 0
!
!
interface Ethernet0
 shutdown
!
interface ATM0
 shutdown
!
interface FastEthernet0
 switchport access vlan 2
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 switchport access vlan 3
 no ip address
!
interface FastEthernet3
 no ip address
 shutdown
!
interface Vlan1
 ip address dhcp
 no ip route-cache
 shutdown
!
interface Vlan2
 ip address dhcp
!
interface Vlan3
 ip address 192.168.144.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!

3 REPLIES 3
Highlighted

Hello ,

I have personally never tried a Ste2Site VPN between the Cisco 877 and a Fortigate device. I am assuming it should work as long as the Fortigate VPN code is RFC compliant and Phase 1/Phase 2 IPsec parameters match.

I have also noticed that for some reason, the "Routing" capability is disabled in your equipment. This will prevent Routing for working normally. Let's start enabling it.

!
ip routing
ip cef
!

Now, you should be able to make NAT work using the following configuration:

!
ip access-list standard INSIDE-LOCAL-NET
permit 192.168.144.0 0.0.0.255
!
route-map NAT-1
match ip address INSIDE-LOCAL-NET
match interface vlan2
!
ip nat inside source route-map NAT-1 interface Vlan2 overload
!
interface Vlan3
ip nat inside
interface Vlan2
ip nat outside
!

As a side note, I can see that the DHCP Server configuration on the Cisco Router is providing the IP address for the interface on Vlan 3 for the DNS Server for hosts on that VLAN.

I would suggest to use a different DNS Server (like Google's public servers) or activate the Router's DNS Server capability.

!
! Make the Router a DNS Server.
!
ip dns server
!
end

!
! Provide a different IP for DNS Server.
!
ip dhcp pool office-pool
no dns-server 192.168.44.254
dns-server 8.8.8.8
!
end

I hope this helps.

Highlighted

Hi Hector,

Thanks for reply and clear explanation. I will try it this evening and let you know the result.

Highlighted

Perfect Hector,

First part of this task is completed and my Lab network which connected to Vlan 3 getting DHCP and internet access. Now I'd like to setup Site2Site with Fortigate, it has details as below:

Authentication: Pre-Shared Key

Local LAN:10.10.10.0/24

Remote LAN:192.168.144.0/24

Phase 1 Interface
Dead Peer Detection: enable
DNS Mode: auto
DH Group: 5
Proposal: 3des-sha1 3des-md5
Type: dynamic

Phase 2 Interfaces
DH Group: 5
Perfect Forward Secrecy (PFS): enable
Proposal: 3des-md5

Local to Remote Policy
Action: accept
Services: ALL
Schedule: always

Remote to Local Policy
Action: accept
Services: ALL
Schedule: always