05-11-2014 01:17 AM
Hi all,
We have an EZVPN connection to one of our branch offices. The connectivity diagram is attached to this discussion.
HO LAN (10.1.0.0/16 & 192.6.14.0/24) --------- ASA5520-------- Internet ---------- Cisco2911-------- LAN of remote location (10.2.0.0/16)
We are using the 10.2.0.0/26 subnet at the remote office and the 10.1.0.0/16 & 192.6.14.0/24 subnets at HO. From HO, through 10.1.0.0/16 & 192.6.14.0/24, all the devices are reachable except the firewall, which is connected to the GigabitEthernet0/2 interface of the Cisco 2911 router (on which the VPN is created).
It's a Fortigate firewall and it is reachable locally from the 10.2.0.0/16 network. I believe it's an issue with the phase 2 ACLs, but I haven't been able to resolve the issue.
I'm not able to reach the GUI / CLI of the Fortigate firewall; I'm not even able to ping the IP of the GigabitEthernet0/2 interface of the Cisco 2911.
Kindly advise on the same.
Below is the configuration of the ASA5520 at HO and the Cisco 2911 router at the branch office.
ASA5520:-
access-list inside_access_in extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list splittunnelacl_JNC_AUH extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list splittunnelacl_JNC_AUH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list Outside_cryptomap_65534.191 extended permit ip object-group DM_INLINE_NETWORK_103 10.2.0.0 255.255.0.0
jashanmalasa/sec/act# sho run obj
jashanmalasa/sec/act# sho run object-group | b DM_INLINE_NETWORK_103
object-group network DM_INLINE_NETWORK_103
network-object 10.1.0.0 255.255.0.0
network-object 192.6.14.0 255.255.255.0
group-policy AUHNEW internal
group-policy AUHNEW attributes
dns-server value 192.6.14.189 192.6.14.182
vpn-access-hours none
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
ip-comp disable
re-xauth disable
pfs enable
ipsec-udp disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
default-domain value xxxxxx
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
tunnel-group AUHNEW type remote-access
tunnel-group AUHNEW general-attributes
authorization-server-group LOCAL
default-group-policy AUHNEW
tunnel-group AUHNEW ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
isakmp ikev1-user-authentication none
Cisco2911:-
Current configuration : 10258 bytes
!
! Last configuration change at 19:06:18 AST Thu May 8 2014 by admin
! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
version 15.1
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname AUHOffice_RTR
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
!
!
card type e1 0 0
!
no aaa new-model
!
clock timezone AST 4 0
network-clock-participate wic 0
network-clock-select 1 E1 0/0/0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip name-server 213.42.xxx.xxx
!
multilink bundle-name authenticated
!
!
!
!
isdn switch-type primary-net5
!
crypto pki token default removal timeout 0
!
!
voice-card 0
dspfarm
dsp services dspfarm
!
!
!
voice service voip
fax protocol pass-through g711ulaw
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
codec preference 4 g729br8
!
voice class h323 1
h225 timeout tcp establish 3
!
!
!
!
voice translation-rule 1
rule 1 /^9\(.*\)/ /\1/
!
voice translation-rule 2
rule 1 /^0\(2.......\)$/ /00\1/
rule 2 /^0\(3.......\)$/ /00\1/
rule 3 /^0\(4.......\)$/ /00\1/
rule 4 /^0\(5........\)$/ /00\1/
rule 5 /^0\(6.......\)$/ /00\1/
rule 6 /^0\(7.......\)$/ /00\1/
rule 7 /^0\(9.......\)$/ /00\1/
rule 8 /^00\(.*\)/ /0\1/
rule 9 /^.......$/ /0&/
rule 10 // /000\1/
!
voice translation-rule 3
rule 1 /^3../ /026969&/
!
!
voice translation-profile FROM_PSTN
translate calling 2
translate called 1
!
voice translation-profile TO_PSTN
translate calling 3
!
!
license udi pid CISCO2911/K9 sn xxxxxxxxx
license accept end user agreement
license boot module c2900 technology-package securityk9
hw-module pvdm 0/0
!
hw-module sm 1
!
!
!
username admin privilege 15 secret 4 Ckg/sS5mzi4xFYrh1ggXo92THcL6Z0c6ng70wM9oOxg
!
redundancy
!
!
!
!
controller E1 0/0/0
framing NO-CRC4
pri-group timeslots 1-10,16
!
!
!
!
!
!
!
crypto ipsec client ezvpn jashanvpn
connect auto
group AUHNEW key jashvpn786
mode network-extension
peer 83.111.xxx.xxx
acl 150
nat allow
nat acl 110
xauth userid mode interactive
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.2.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1430
ip policy route-map temp
duplex auto
speed auto
crypto ipsec client ezvpn jashanvpn inside
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.2.0.1
!
interface GigabitEthernet0/1
description *** Connected to 40MB Internet ***
no ip address
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/2
ip address 10.2.0.11 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0/0:15
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn incoming-voice voice
no cdp enable
!
interface SM1/0
ip unnumbered GigabitEthernet0/0
service-module ip address 10.2.0.3 255.255.255.248
!Application: CUE Running on SM
service-module ip default-gateway 10.2.0.1
!
interface SM1/1
description Internal switch interface connected to Service Module
no ip address
!
interface Vlan1
no ip address
!
interface Dialer0
description *** JASHANMAL 40MB Internet ***
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password 7 0252150B0C0D5B2748
ppp pap sent-username xxxxxx password 7 15461A5C03217F222C
crypto ipsec client ezvpn jashanvpn
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.2.0.0 255.255.248.0 10.2.0.2
ip route 10.2.0.3 255.255.255.255 SM1/0
ip route 10.2.6.1 255.255.255.255 10.2.0.2
ip route 10.2.7.1 255.255.255.255 10.2.0.2
ip route 172.16.5.0 255.255.255.0 10.2.0.2
!
access-list 100 deny ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 100 deny ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 deny ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 100 deny ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 deny ip 172.16.5.0 0.0.0.255 10.1.6.0 0.0.0.255
access-list 100 permit ip 10.2.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.5.0 0.0.0.255 any
access-list 110 deny ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 10.2.2.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 10.2.3.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 10.2.1.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 10.2.5.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 10.2.5.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.2.3.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.2.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.2.4.0 0.0.0.255 10.1.9.0 0.0.0.255
access-list 110 deny ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 deny ip 10.2.6.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny ip 10.2.6.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.2.6.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 172.16.5.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 172.16.5.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 172.16.5.0 0.0.0.255 10.1.9.0 0.0.0.255
access-list 110 deny ip 172.16.5.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny ip 172.16.5.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny ip 172.16.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip host 10.2.6.1 any
access-list 110 permit ip host 10.2.6.2 any
access-list 110 permit ip host 10.2.6.3 any
access-list 110 permit ip host 10.2.6.4 any
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.201.72 eq 10008
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.254.136 eq 10008
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 216.52.207.67 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.151.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.148.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.149.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.150.22 eq www
access-list 110 permit tcp 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.4.0 0.0.0.255 any
access-list 150 permit ip 10.2.0.0 0.0.0.255 any
access-list 150 permit ip 10.2.1.0 0.0.0.255 any
access-list 150 permit ip 10.2.2.0 0.0.0.255 any
access-list 150 permit ip 10.2.3.0 0.0.0.255 any
access-list 150 permit ip 10.2.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.6.0 0.0.0.255 any
access-list 150 permit ip 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.7.0 0.0.0.255 any
!
!
!
!
route-map temp permit 100
match ip address 100
set ip next-hop 10.2.0.9
!
route-map temp permit 110
!
route-map nonat permit 10
match ip address 110
!
!
snmp-server community xxxxxxxx
snmp-server location JNC AbuDhabi Office
snmp-server contact xxxxxxxx
snmp-server enable traps tty
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host xxxxx version 2c jash
!
control-plane
!
!
voice-port 0/0/0:15
translation-profile incoming FROM_PSTN
bearer-cap Speech
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
!
!
mgcp profile default
!
!
dial-peer cor custom
name CCM
name 0
name 00
!
!
dial-peer cor list CCM
member CCM
member 0
member 00
!
dial-peer cor list 0
member 0
!
dial-peer cor list 00
member 0
member 00
!
!
dial-peer voice 100 voip
corlist incoming CCM
preference 1
destination-pattern [1-8]..
session target ipv4:10.1.2.12
incoming called-number [1-8]..
voice-class codec 1
voice-class h323 1
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 101 voip
corlist incoming CCM
huntstop
preference 2
destination-pattern [1-8]..
session target ipv4:10.1.2.11
incoming called-number [1-8]..
voice-class codec 1
voice-class h323 1
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 201 pots
corlist outgoing 0
translation-profile outgoing TO_PSTN
destination-pattern 0[1-9]T
incoming called-number .
direct-inward-dial
port 0/0/0:15
!
dial-peer voice 202 pots
corlist outgoing 0
translation-profile outgoing TO_PSTN
destination-pattern 00[1-9]T
incoming called-number .
direct-inward-dial
port 0/0/0:15
prefix 0
!
dial-peer voice 203 pots
corlist outgoing 00
translation-profile outgoing TO_PSTN
destination-pattern 000T
incoming called-number .
direct-inward-dial
port 0/0/0:15
prefix 00
!
!
gateway
timer receive-rtp 1200
!
!
!
gatekeeper
shutdown
!
!
call-manager-fallback
secondary-dialtone 0
max-conferences 8 gain -6
transfer-system full-consult
timeouts interdigit 4
ip source-address 10.2.0.1 port 2000
max-ephones 58
max-dn 100
system message primary Your Current Options SRST Mode
transfer-pattern .T
alias 1 300 to 279
call-forward pattern .T
time-zone 35
date-format dd-mm-yy
cor incoming 0 1 100 - 899
!
!
!
line con 0
password 7 030359065206234104
login local
line aux 0
password 7 030359065206234104
login local
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 110E1B08431B09014E
login local
transport input all
line vty 5 15
password 7 030359065206234104
login local
transport input all
!
scheduler allocate 20000 1000
ntp master 1
end
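As an added check (this is editor-supplied example code, not part of the original post or of either device's configuration), the Python evaluator below applies IOS first-match, wildcard-mask semantics to an excerpt of ACL 110 (the EZVPN `nat acl`) and ACL 150 (the EZVPN interesting-traffic `acl`) from the router config above, and classifies a flow the way the 2911 would treat it: carried in the tunnel, NAT-translated out Dialer0, or neither. The split-tunnel destination networks are taken from the ASA's splittunnelacl_JNC_AUH lines; the sample hosts 10.1.15.10, 10.2.4.20 and 10.2.9.7 are constructed. The excerpt keeps only the ACL lines that can match the sample flows, in their original order, so the first-match result for those flows is the same as with the full ACLs.

```python
"""IOS numbered-ACL evaluator for the EZVPN crypto ACL (150) and NAT ACL (110) above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the ACL lines from the branch router config above. Only lines
# that can match the sample flows are kept, in original order, so first-match results
# for those flows are unchanged.
ACL_TEXT = """
access-list 110 deny ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 permit ip host 10.2.6.1 any
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.201.72 eq 10008
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 216.52.207.67 eq www
access-list 150 permit ip 10.2.4.0 0.0.0.255 any
access-list 150 permit ip 10.2.0.0 0.0.0.255 any
"""

# Destination networks the ASA pushes as the split-tunnel list (splittunnelacl_JNC_AUH).
HO_NETWORKS = [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("192.6.14.0/24")]

# IOS keyword ports that appear in ACLs (only the ones needed here).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert 'A.B.C.D WILDCARD' to a network; only contiguous wildcards are supported."""
    bits = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - bits.bit_length()
    if bits != (1 << (32 - prefixlen)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _parse_addr(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_acls(text):
    """Group 'access-list N action proto src dst [eq port]' lines by ACL number, in order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(number, []).append(Entry(action, proto, src, dst, dport))
    return acls


def evaluate(entries, src, dst, proto="ip", dport=None):
    """First matching entry wins; no match falls through to IOS's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        proto_ok = e.proto == "ip" or e.proto == proto
        port_ok = e.dport is None or e.dport == dport
        if proto_ok and port_ok and s in e.src and d in e.dst:
            return e.action
    return "deny"


def classify(acls, src, dst, proto="ip", dport=None):
    """Say what the 2911 does with a branch-sourced flow under ACL 150 and ACL 110."""
    d = ipaddress.ip_address(dst)
    tunnelled = (evaluate(acls["150"], src, dst, proto, dport) == "permit"
                 and any(d in n for n in HO_NETWORKS))
    natted = evaluate(acls["110"], src, dst, proto, dport) == "permit"
    if tunnelled and natted:
        return "conflict-tunnel-and-nat"   # would need the ACLs reconciled
    if tunnelled:
        return "ezvpn-tunnel"
    if natted:
        return "nat-to-internet"
    return "clear-or-dropped"


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    flows = [("10.2.0.11", "10.1.15.10"),              # Gi0/2 address replying to a HO host
             ("10.2.4.20", "192.6.14.5"),              # branch client to HO server
             ("10.2.0.11", "216.52.207.67", "tcp", 80),  # Gi0/2 address to an allowed web host
             ("10.2.9.7", "8.8.8.8")]                  # source covered by neither ACL
    for flow in flows:
        print(flow, "->", classify(acls, *flow))
```

Run as written, the first flow shows that return traffic from the Gi0/2 address 10.2.0.11 toward a HO host is permitted by ACL 150 and exempted from NAT by ACL 110, so the phase 2 selectors as written do cover that interface. What the ACLs cannot explain is visible elsewhere in the posted config: `crypto ipsec client ezvpn jashanvpn inside` is applied only to GigabitEthernet0/0, not to GigabitEthernet0/2, so comparing `show crypto ipsec sa` on the 2911 against the flows this script marks as tunnelled is the next check.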
05-11-2014 02:08 AM