Solved: Unable to access from VPN Fortigate to Cisco ASA 5505

CSCO11857702 · ‎03-26-2013

Problem : Unable to access user A to user B

User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} ) --- User B

After using wizard to configure the site to site VPN, the site-to-site tunnel is up.

Ping is unsuccessful from user A to user B

Ping is successful from user B to user A, data is accessable

After done the packet tracer from user A to user B,

Result :

Flow-lookup

Action : allow

Info: Found no matching flow, creating a new flow

Route-lookup

Action : allow

Info : 192.168.5.203 255.255.255.255 identity

Access-list

Action : drop

Config Implicit Rule

Result - The packet is dropped

Input Interface : inside

Output Interface : NP Identify Ifc

Info: (acl-drop)flow is denied by configured rule

Below is Cisco ASA 5505's show running-config

ASA Version 8.2(1)

!

hostname Asite

domain-name ssms1.com

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 82 B-firewall description Singapore office firewall

name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP

name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)

name 192.168.2.0 fw-inside-subnet description A office internal LAN IP

name 122 A-forti

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.203 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 93 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name ssms1.com

object-group network obj_any

network-object 0.0.0.0 0.0.0.0

access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240

access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0

access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0

access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0

access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http B-inside-subnet 255.255.255.0 inside

http fw-inside-subnet 255.255.255.0 inside

http 0.0.0.0 255.255.255.255 outside

http 0.0.0.0 0.0.0.0 outside

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer A-forti

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_cryptomap

crypto map outside_map 2 set peer B-firewall

crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption aes-192

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.5.10-192.168.5.20 inside

dhcpd dns 165 165 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username admin password XXX encrypted privilege 15

tunnel-group 122 type ipsec-l2l

tunnel-group 122 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

class-map outside-class

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

message-length maximum client auto

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

policy-map outside-policy

description ok

class outside-class

inspect dns

inspect esmtp

inspect ftp

inspect h323 h225

inspect h323 ras

inspect icmp

inspect icmp error

inspect netbios

inspect rsh

inspect rtsp

inspect sip

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect xdmcp

!

service-policy global_policy global

service-policy outside-policy interface outside

prompt hostname context

Cryptochecksum: XXX

: end

Kindly need your expertise&help to solve the problem

cadet alain · ‎04-04-2013

Hi,

169.254.250.1 is a link-local IPv4 address that is autoconfigured by hosts when they can't get a DHCP IP.

Regards

Alain

Don't forget to rate helpful posts.

View solution in original post

CSCO11857702 · ‎03-26-2013

After using wizard to configure the cisco Asa site to site VPN, the site-to-site tunnel is up.

miltoncaillouet · ‎03-27-2013

I had the same problem where i couldn't ping the cisco asa from a fortigate 310 and i had to create a static route on the fortigate to the ASA and i had to create a second policy on the fortigate

CSCO11857702 · ‎03-27-2013

Hi Milton Caillouet,

Thanks, I tried to configurate the fortigate :

1. static route

destination ip/mask : user B network/255.255.255.0

default gateway : point to cisco ASA wan IP

2. create a firewall policy

Source Interface : external

source add: user A address

Destination Interface: internal

destination add : user B address

with or without NAT

still unable to ping, do i done any missing any step?

CSCO11857702 · ‎04-04-2013

After checked between forti firewall and asa, found out same problem that the source was changed/NAT by the ISP during data pass thou' from forti-asa, do I have any solution on that?

4 Apr 01 2013 18:51:16 402116 A-fortifirewall B-ASA.

IPSEC: Received an ESP packet (SPI= 0x51142CC1, sequence number= 0x1F)

from A (user= A) to B.

The decapsulated inner packet doesn't match the negotiated policy in the SA.

The packet specifies its destination as 192.168.5.204, its source as 169.254.250.1,

and its protocol as 1. The SA specifies its local proxy as 192.168.5.0/255.255.255.0/0/0 and

its remote_proxy as 192.168.200.0/255.255.255.0/0/0.

cadet alain · ‎04-04-2013

Hi,

169.254.250.1 is a link-local IPv4 address that is autoconfigured by hosts when they can't get a DHCP IP.

Regards

Alain

Don't forget to rate helpful posts.

CSCO11857702 · ‎04-07-2013

Cadet, you are right that the address is belong to link-local IPv4

Dear Milton, i already create a firewall policy in forti. Besides, it is a default route point to isp router, I configured a static route on fortigate to asa,below shows the network topology and the static route.

Network

forti (router vpn A ) -- isp router -- ipsec -- isp router -- cisco800 -- ciscoASA (router vpn B)

a static route from forti to cisco800

a static route from cisco 800 to ciscoASA

I tried to ping, not working, If i configure a static route from asa to forti, ipsec tunnel dropped.

or i direct configured a static route to asa wan port, it since not working.

It have only default route to isp router on cisco800.

Any1, do I missed up anything or do i need to configure anything on the cisco800 to allow vpn traffic?