All the subnets are not reachable over the VPN

salman abid
Level 1

Hi all,

We have an EZVPN connection to one of our branch offices. The connectivity diagram is attached to this discussion.

HO LAN (10.1.0.0/16 & 192.6.14.0/24) --------- ASA5520-------- Internet ---------- Cisco2911-------- LAN of remote location (10.2.0.0/16)

We are using the 10.2.0.0/26 subnet at the remote office and the 10.1.0.0/16 & 192.6.14.0/24 subnets at HO. From HO, through 10.1.0.0/16 & 192.6.14.0/24, all the devices are reachable except the firewall, which is connected to the GigabitEthernet0/2 interface of the Cisco 2911 router (on which the VPN is created).

It's a Fortigate firewall and it is reachable locally from the 10.2.0.0/16 network. I believe it's an issue with the phase 2 ACLs but wasn't able to resolve it.

I'm not able to access the GUI/CLI of the Fortigate firewall; I'm not even able to ping the IP of the GigabitEthernet0/2 interface of the Cisco 2911.

Kindly advise on the same.

Below is the configuration of the ASA5520 at HO and the Cisco 2911 router at the branch office.


ASA5520:-

access-list inside_access_in extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list splittunnelacl_JNC_AUH extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list splittunnelacl_JNC_AUH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list Outside_cryptomap_65534.191 extended permit ip object-group DM_INLINE_NETWORK_103 10.2.0.0 255.255.0.0
jashanmalasa/sec/act# sho run obj
jashanmalasa/sec/act# sho run object-group | b DM_INLINE_NETWORK_103
object-group network DM_INLINE_NETWORK_103
 network-object 10.1.0.0 255.255.0.0
 network-object 192.6.14.0 255.255.255.0
group-policy AUHNEW internal
group-policy AUHNEW attributes
 dns-server value 192.6.14.189 192.6.14.182
 vpn-access-hours none
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 ip-comp disable
 re-xauth disable
 pfs enable
 ipsec-udp disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
 default-domain value xxxxxx
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem enable


tunnel-group AUHNEW type remote-access
tunnel-group AUHNEW general-attributes
 authorization-server-group LOCAL
 default-group-policy AUHNEW
tunnel-group AUHNEW ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
 isakmp ikev1-user-authentication none

Cisco2911:-

Current configuration : 10258 bytes
!
! Last configuration change at 19:06:18 AST Thu May 8 2014 by admin
! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
version 15.1
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname AUHOffice_RTR
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
!
!
card type e1 0 0
!
no aaa new-model
!
clock timezone AST 4 0
network-clock-participate wic 0
network-clock-select 1 E1 0/0/0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip name-server 213.42.xxx.xxx
!
multilink bundle-name authenticated
!
!
!
!
isdn switch-type primary-net5
!
crypto pki token default removal timeout 0
!
!
voice-card 0
 dspfarm
 dsp services dspfarm
!
!
!
voice service voip
 fax protocol pass-through g711ulaw
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g711alaw
 codec preference 3 g729r8
 codec preference 4 g729br8
!
voice class h323 1
  h225 timeout tcp establish 3
!
!
!
!
voice translation-rule 1
 rule 1 /^9\(.*\)/ /\1/
!
voice translation-rule 2
 rule 1 /^0\(2.......\)$/ /00\1/
 rule 2 /^0\(3.......\)$/ /00\1/
 rule 3 /^0\(4.......\)$/ /00\1/
 rule 4 /^0\(5........\)$/ /00\1/
 rule 5 /^0\(6.......\)$/ /00\1/
 rule 6 /^0\(7.......\)$/ /00\1/
 rule 7 /^0\(9.......\)$/ /00\1/
 rule 8 /^00\(.*\)/ /0\1/
 rule 9 /^.......$/ /0&/
 rule 10 // /000\1/
!
voice translation-rule 3
 rule 1 /^3../ /026969&/
!
!
voice translation-profile FROM_PSTN
 translate calling 2
 translate called 1
!
voice translation-profile TO_PSTN
 translate calling 3
!
!
license udi pid CISCO2911/K9 sn xxxxxxxxx
license accept end user agreement
license boot module c2900 technology-package securityk9
hw-module pvdm 0/0
!
hw-module sm 1
!
!
!
username admin privilege 15 secret 4 Ckg/sS5mzi4xFYrh1ggXo92THcL6Z0c6ng70wM9oOxg
!
redundancy
!
!
!
!
controller E1 0/0/0
 framing NO-CRC4
 pri-group timeslots 1-10,16
!
!
!
!
!
!
!
crypto ipsec client ezvpn jashanvpn
 connect auto
 group AUHNEW key jashvpn786
 mode network-extension
 peer 83.111.xxx.xxx
 acl 150
 nat allow
 nat acl 110
 xauth userid mode interactive
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.2.0.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1430
 ip policy route-map temp
 duplex auto
 speed auto
 crypto ipsec client ezvpn jashanvpn inside
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.2.0.1
!
interface GigabitEthernet0/1
 description *** Connected to 40MB Internet ***
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/2
 ip address 10.2.0.11 255.255.255.248
 duplex auto
 speed auto
!
interface Serial0/0/0:15
 no ip address
 encapsulation hdlc
 isdn switch-type primary-net5
 isdn incoming-voice voice
 no cdp enable
!
interface SM1/0
 ip unnumbered GigabitEthernet0/0
 service-module ip address 10.2.0.3 255.255.255.248
 !Application: CUE Running on SM
 service-module ip default-gateway 10.2.0.1
!
interface SM1/1
 description Internal switch interface connected to Service Module
 no ip address
!
interface Vlan1
 no ip address
!
interface Dialer0
 description *** JASHANMAL 40MB Internet ***
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxx
 ppp chap password 7 0252150B0C0D5B2748
 ppp pap sent-username xxxxxx password 7 15461A5C03217F222C
 crypto ipsec client ezvpn jashanvpn
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.2.0.0 255.255.248.0 10.2.0.2
ip route 10.2.0.3 255.255.255.255 SM1/0
ip route 10.2.6.1 255.255.255.255 10.2.0.2
ip route 10.2.7.1 255.255.255.255 10.2.0.2
ip route 172.16.5.0 255.255.255.0 10.2.0.2
!
access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 100 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 deny   ip 172.16.5.0 0.0.0.255 10.1.6.0 0.0.0.255
access-list 100 permit ip 10.2.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.5.0 0.0.0.255 any
access-list 110 deny   ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.2.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.3.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.1.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.5.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.5.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.3.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.9.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.6.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.9.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip host 10.2.6.1 any
access-list 110 permit ip host 10.2.6.2 any
access-list 110 permit ip host 10.2.6.3 any
access-list 110 permit ip host 10.2.6.4 any
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.201.72 eq 10008
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.254.136 eq 10008
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 216.52.207.67 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.151.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.148.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.149.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.150.22 eq www
access-list 110 permit tcp 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.4.0 0.0.0.255 any
access-list 150 permit ip 10.2.0.0 0.0.0.255 any
access-list 150 permit ip 10.2.1.0 0.0.0.255 any
access-list 150 permit ip 10.2.2.0 0.0.0.255 any
access-list 150 permit ip 10.2.3.0 0.0.0.255 any
access-list 150 permit ip 10.2.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.6.0 0.0.0.255 any
access-list 150 permit ip 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.7.0 0.0.0.255 any
!
!
!
!
route-map temp permit 100
 match ip address 100
 set ip next-hop 10.2.0.9
!
route-map temp permit 110
!
route-map nonat permit 10
 match ip address 110
!
!
snmp-server community xxxxxxxx
snmp-server location JNC AbuDhabi Office
snmp-server contact xxxxxxxx
snmp-server enable traps tty
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host xxxxx version 2c jash
!
control-plane
!
!
voice-port 0/0/0:15
 translation-profile incoming FROM_PSTN
 bearer-cap Speech
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
!
!
mgcp profile default
!
!
dial-peer cor custom
 name CCM
 name 0
 name 00
!
!
dial-peer cor list CCM
 member CCM
 member 0
 member 00
!
dial-peer cor list 0
 member 0
!
dial-peer cor list 00
 member 0
 member 00
!
!
dial-peer voice 100 voip
 corlist incoming CCM
 preference 1
 destination-pattern [1-8]..
 session target ipv4:10.1.2.12
 incoming called-number [1-8]..
 voice-class codec 1  
 voice-class h323 1
 dtmf-relay h245-alphanumeric
 no vad
!
dial-peer voice 101 voip
 corlist incoming CCM
 huntstop
 preference 2
 destination-pattern [1-8]..
 session target ipv4:10.1.2.11
 incoming called-number [1-8]..
 voice-class codec 1  
 voice-class h323 1
 dtmf-relay h245-alphanumeric
 no vad
!
dial-peer voice 201 pots
 corlist outgoing 0
 translation-profile outgoing TO_PSTN
 destination-pattern 0[1-9]T
 incoming called-number .
 direct-inward-dial
 port 0/0/0:15
!
dial-peer voice 202 pots
 corlist outgoing 0
 translation-profile outgoing TO_PSTN
 destination-pattern 00[1-9]T
 incoming called-number .
 direct-inward-dial
 port 0/0/0:15
 prefix 0
!
dial-peer voice 203 pots
 corlist outgoing 00
 translation-profile outgoing TO_PSTN
 destination-pattern 000T
 incoming called-number .
 direct-inward-dial
 port 0/0/0:15
 prefix 00
!
!
gateway
 timer receive-rtp 1200
!
!
!
gatekeeper
 shutdown
!
!
call-manager-fallback
 secondary-dialtone 0
 max-conferences 8 gain -6
 transfer-system full-consult
 timeouts interdigit 4
 ip source-address 10.2.0.1 port 2000
 max-ephones 58
 max-dn 100
 system message primary Your Current Options SRST Mode
 transfer-pattern .T
 alias 1 300 to 279
 call-forward pattern .T
 time-zone 35
 date-format dd-mm-yy
 cor incoming 0 1 100 - 899
!
!
!
line con 0
 password 7 030359065206234104
 login local
line aux 0
 password 7 030359065206234104
 login local
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 110E1B08431B09014E
 login local
 transport input all
line vty 5 15
 password 7 030359065206234104
 login local
 transport input all
!
scheduler allocate 20000 1000
ntp master 1
end
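Added here as an editorial check, not part of salman abid's post: a small Python script that cross-references the pieces of the two configurations above that decide whether a branch subnet rides the tunnel. For each LAN interface of the Cisco2911 it reports whether the interface subnet is covered by EzVPN ACL 150 (the "acl 150" interesting-traffic list), whether flows from it to the HO networks are left untranslated by ACL 110 (that list drives both "nat acl 110" and route-map nonat, so a deny means "do not NAT"), whether the ASA crypto ACL Outside_cryptomap_65534.191 covers the pair, and whether the interface itself carries "crypto ipsec client ezvpn jashanvpn inside". Interface addresses and ACL lines are transcribed from the post (ACL 110 is an excerpt of the entries that concern 10.2.0.0/24, plus two permits to show ordering); port qualifiers are ignored because the check is about address coverage only. The script does not diagnose the fault; it only surfaces which of these four conditions differ between GigabitEthernet0/0 and GigabitEthernet0/2, which is what a practitioner would want to confirm against the Easy VPN Remote documentation before touching the phase 2 ACLs.

```python
"""Cross-check EzVPN interesting traffic, NAT exemption and the ASA crypto ACL
for each LAN interface of the Cisco2911 in this thread.  Editorial example:
the data below is transcribed from the configs pasted above, not parsed live."""
import ipaddress
from dataclasses import dataclass

# Router LAN interfaces: (address/prefix, carries "crypto ipsec client ezvpn jashanvpn inside")
ROUTER_INTERFACES = {
    "GigabitEthernet0/0": ("10.2.0.1/29", True),
    "GigabitEthernet0/2": ("10.2.0.11/29", False),
}
HO_NETWORKS = ["10.1.0.0/16", "192.6.14.0/24"]

# "acl 150" under crypto ipsec client ezvpn: subnets to protect (full list from the post).
ACL_150 = """
access-list 150 permit ip 10.2.4.0 0.0.0.255 any
access-list 150 permit ip 10.2.0.0 0.0.0.255 any
access-list 150 permit ip 10.2.1.0 0.0.0.255 any
access-list 150 permit ip 10.2.2.0 0.0.0.255 any
access-list 150 permit ip 10.2.3.0 0.0.0.255 any
access-list 150 permit ip 10.2.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.6.0 0.0.0.255 any
access-list 150 permit ip 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.7.0 0.0.0.255 any
"""
# "nat acl 110" / route-map nonat: PERMIT means "translate", DENY means "leave alone".
# Excerpt from the post: the entries for 10.2.0.0/24 plus two permits to show ordering.
ACL_110 = """
access-list 110 deny   ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip host 10.2.6.1 any
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.201.72 eq 10008
"""
# ASA crypto ACL with object-group DM_INLINE_NETWORK_103 expanded: (HO side, branch side)
ASA_CRYPTO = [("10.1.0.0/16", "10.2.0.0/16"), ("192.6.14.0/24", "10.2.0.0/16")]


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard is the inverse of a netmask; invert it to build the prefix.
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse numbered extended ACL lines; port qualifiers (eq ...) are ignored."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, i = parse_addr(t, 4)
        dst, _ = parse_addr(t, i)
        aces.append(Ace(t[2], t[3], src, dst))
    return aces


def first_match(aces, src, dst):
    """Action of the first ACE that fully covers src->dst; implicit deny otherwise."""
    for ace in aces:
        if src.subnet_of(ace.src) and dst.subnet_of(ace.dst):
            return ace.action
    return "deny"


def flow_action(acl_text, src_cidr, dst_cidr):
    """Action an ACL gives a src->dst pair written in CIDR notation."""
    return first_match(parse_acl(acl_text), ipaddress.ip_network(src_cidr),
                       ipaddress.ip_network(dst_cidr))


def audit(interfaces=ROUTER_INTERFACES):
    """Per interface: the four conditions a branch subnet needs to be tunnelled to HO."""
    acl150, acl110 = parse_acl(ACL_150), parse_acl(ACL_110)
    asa = [(ipaddress.ip_network(h), ipaddress.ip_network(b)) for h, b in ASA_CRYPTO]
    ho = [ipaddress.ip_network(h) for h in HO_NETWORKS]
    report = {}
    for name, (cidr, inside) in interfaces.items():
        local = ipaddress.ip_interface(cidr).network
        report[name] = {
            "subnet": str(local),
            "ezvpn_inside": inside,
            "interesting_acl150": all(first_match(acl150, local, h) == "permit" for h in ho),
            "nat_exempt_acl110": all(first_match(acl110, local, h) == "deny" for h in ho),
            "asa_crypto_acl": all(any(h.subnet_of(a) and local.subnet_of(b) for a, b in asa)
                                  for h in ho),
        }
    return report


if __name__ == "__main__":
    for name, row in audit().items():
        flags = ", ".join(f"{k}={v}" for k, v in row.items() if k != "subnet")
        print(f"{name:20} {row['subnet']:16} {flags}")
```

Run as-is it prints one row per interface; both 10.2.0.0/29 and 10.2.0.8/29 pass the ACL 150, ACL 110 and ASA crypto checks, and ezvpn_inside is the only column where the two rows differ. Swap in the full ACL 110 or other interface subnets from the config to extend the audit. One further caveat on the pasted configuration itself: the EZVPN group pre-shared key appears in the clear under "crypto ipsec client ezvpn", and the line and PPP passwords are type 7, which is a reversible encoding rather than a hash, so those credentials should be treated as disclosed once posted.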
1 Reply

salman abid
Level 1

Attached is the result from the Packet Tracer of the ASA5520 ASDM.