EASY VPN Site to site and fortigate ipsec vpn as secondary

gmrodriguez
Level 1

I have a Cisco ASA 5506 configured with Easy VPN with primary and secondary servers for headend. I need to make the secondary headend a Fortigate via an ipsec vpn. On the Cisco ASA, other than the standard ipsec configuration, what other configuration is needed so the traffic is routed first via the Cisco Easy VPN and then to the Fortigate ipsec vpn? 

5 Replies

marce1000
Hall of Fame


    - FYI : https://community.cisco.com/legacyfs/online/attachments/discussion/configuring-ipsec-vpn-with-a-fortigate-and-a-cisco-asa.pdf

   M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks marce1000. I am familiar with those config steps. The current ASA config has this line configuration:

vpnclient server 1.1.1.1 2.2.2.2

1.1.1.1 is the Cisco ASA headend.

2.2.2.2 I would like to be the Fortigate headend

Other than the config in your link is there any other config? Will the ASA know when 1.1.1.1 is down to route via the ipsec via 2.2.2.2?

Long ago I had a similar setup to yours. The Easy VPN configuration connects the ASA to the primary headend (1.1.1.1). This is the configuration you need.

vpnclient server 1.1.1.1 2.2.2.2
vpnclient mode network-extension
vpnclient enable
!
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key XYZ
 ikev2 local-authentication pre-shared-key XYZ
!
crypto ipsec ikev2 ipsec-proposal FORTIGATE-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto map outside_map 10 match address FORTIGATE_ACL
crypto map outside_map 10 set peer 2.2.2.2
crypto map outside_map 10 set ikev2 ipsec-proposal FORTIGATE-PROPOSAL
crypto map outside_map interface outside
!
! Network objects referenced by the crypto ACL (masks assumed /24 from the object names)
object network obj_local_192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network obj_local_192.168.200.0
 subnet 192.168.200.0 255.255.255.0
!
! Crypto ACL: local subnet to remote subnet (the Fortigate side must mirror this)
access-list FORTIGATE_ACL extended permit ip object obj_local_192.168.100.0 object obj_local_192.168.200.0
!
(To ensure failover between Easy VPN (primary) and IPsec VPN (secondary), configure SLA monitoring on the ASA)
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface outside
 num-packets 3
 timeout 1000
 frequency 10
! The probe only runs once it is scheduled
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
route outside 0.0.0.0 0.0.0.0 primary_gateway track 1
route outside 0.0.0.0 0.0.0.0 secondary_gateway 10

 

please do not forget to rate.
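A reference check over the snippet above, added here as an example and not part of the reply: it parses the ASA lines and reports dangling references that would silently break the failover (undefined crypto ACL or objects, a tracked route whose SLA monitor is never scheduled, and the peer 2.2.2.2 appearing both as an Easy VPN server and as an L2L crypto map peer). The sample config is a constructed condensation of the thread's snippet; `primary_gateway` and `secondary_gateway` are the thread's placeholders.

```python
import re

# Constructed sample: the thread's snippet condensed to the lines the checks depend on.
ASA_CONFIG = """\
vpnclient server 1.1.1.1 2.2.2.2
tunnel-group 2.2.2.2 type ipsec-l2l
access-list FORTIGATE_ACL extended permit ip object obj_local_192.168.100.0 object obj_local_192.168.200.0
crypto map outside_map 10 match address FORTIGATE_ACL
crypto map outside_map 10 set peer 2.2.2.2
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface outside
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 primary_gateway track 1
route outside 0.0.0.0 0.0.0.0 secondary_gateway 10
"""


def lint_asa_failover(config):
    """Return a list of findings; an empty list means every reference resolves."""
    lines = [ln.rstrip() for ln in config.splitlines()]

    def grab(pattern):  # set of the first capture group over all top-level lines
        return {m.group(1) for ln in lines if (m := re.match(pattern, ln))}

    acls = grab(r"access-list (\S+) ")
    objects = grab(r"object network (\S+)$")
    l2l_peers = grab(r"tunnel-group (\S+) type ipsec-l2l")
    easyvpn = next((ln.split()[2:] for ln in lines if ln.startswith("vpnclient server ")), [])
    slas = grab(r"sla monitor (\d+)$")
    scheduled = grab(r"sla monitor schedule (\d+) ")
    tracks = {m.group(1): m.group(2) for ln in lines if (m := re.match(r"track (\d+) rtr (\d+) reachability", ln))}
    findings = []
    for ln in lines:
        if m := re.match(r"crypto map \S+ \d+ match address (\S+)", ln):
            if m.group(1) not in acls:
                findings.append(f"crypto ACL {m.group(1)} is not defined")
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", ln):
            peer = m.group(1)
            if peer not in l2l_peers:
                findings.append(f"no ipsec-l2l tunnel-group for peer {peer}")
            if peer in easyvpn:  # same address cannot be both an Easy VPN server and an L2L peer
                findings.append(f"{peer} is both an Easy VPN server and an L2L peer")
        elif m := re.match(r"access-list \S+ extended permit \S+ object (\S+) object (\S+)", ln):
            for obj in m.groups():
                if obj not in objects:
                    findings.append(f"ACL references undefined object {obj}")
        elif m := re.match(r"route \S+ \S+ \S+ \S+ track (\d+)", ln):
            t = m.group(1)
            if t not in tracks:
                findings.append(f"route references undefined track {t}")
            elif tracks[t] not in slas:
                findings.append(f"track {t} references undefined sla monitor {tracks[t]}")
            elif tracks[t] not in scheduled:
                findings.append(f"sla monitor {tracks[t]} is never scheduled, so track {t} never gets a result")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_failover(ASA_CONFIG):
        print("FINDING:", finding)
```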

Thank you. I suspected there would be route commands, but the current config does not have any route commands, so I wasn't sure how the ASA would know to route via the secondary, especially if the ACLs would be identical.

Internal User - SW - ASA/forti

Internal users need to have their GW in the SW.

In the SW you need PBR to direct traffic to the ASA or Forti depending on reachability (IP SLA).

MHM