08-24-2023 12:32 PM - edited 08-25-2023 04:55 AM
Hello ASA/VPN Gurus,
I have an IPsec/IKEv1 VPN working perfectly fine between a Cisco ASA and a FortiGate; that VPN is simple and working perfectly fine.
As you can see in the diagram, a vendor is providing access to his services/apps via the IP 24.126.14.5. The vendor should whitelist your incoming public IP to gain access.
We have that whitelisting done over a dedicated WAN2, and users behind the FortiGate (192.168.1.0/24) can access that server just fine.
The new request is to have users behind the ASA access that server, so my plan to send that specific public IP over the IPsec VPN is:
- Create a new object for that "24.126.14.5"
- Call that object inside my crypto ACL and my no-NAT rule
I did the above setup and I ran packet-tracer; the correct NAT rule is matched and I can see "allow" as the result, but nothing works; users behind the ASA are still not able to hit "24.126.14.5".
I don't see traffic coming to the FortiGate through the VPN with source 172.16.10.0/24 --> "24.126.14.5".
Am I missing something in the ASA config?
Solved! Go to Solution.
08-24-2023 12:41 PM
@AirSail If you generate traffic to 24.126.14.5, is the IPsec SA established? Check "show crypto ipsec sa"; if the SA has been established, are the encap counters increasing?
Run packet-tracer from the CLI of the ASA twice; from the output of the second run, check if the traffic is allowed and determine if it is encrypted and matching the correct NAT rule.
08-24-2023 01:26 PM - edited 08-25-2023 04:55 AM
This is a brilliant question.
I have a continuous ping to 24.126.14.5 from a machine behind the ASA,
and when I do "show cry ipsec sa", I don't see any child SA for "24.126.14.5"; I can see only communication between both internal subnets 172.16.10.0/24 and 192.168.1.0/24 (encrypt/decrypt packet counters increase just fine).
Packet-tracer output attached (I tried to change some IPs to match what I did above).
08-24-2023 01:38 PM
@AirSail Is the crypto ACL correct on the ASA? Are the Fortinet crypto ACL settings configured correctly to mirror the ASA configuration?
08-24-2023 02:46 PM - edited 08-24-2023 02:53 PM
Hello @rob,
I don't think they have to mirror each other.
From the ASA, my ACL has:
local network: 172.16.10.0/24
remote network: 192.168.1.0/24 + host "24.126.14.5"
From the FortiGate, my ACL has:
local network: 192.168.1.0/24
remote network: 172.16.10.0/24
Thanks,
08-24-2023 10:22 PM - edited 08-24-2023 10:27 PM
@AirSail Yes, they do; the crypto ACL defines the interesting traffic that should be encrypted.
The Fortinet configuration should be reconfigured to include 24.126.14.5.
08-25-2023 04:54 AM
You nailed it, and it makes total sense.
I can see a new child SA for that IP sending traffic; encap + encrypt increase, but decap + decrypt are 0.
Somehow there is no reply back from the FortiGate side; I'll have to log into the FortiGate and do some packet capture.
It's fixed so far from the ASA side. THANK YOU!
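As an added illustration (not the original poster's configuration and not vendor documentation), here is what the mirrored setup the thread arrives at looks like on both ends: the ASA carries the extra host in its crypto ACL and NAT exemption, and the FortiGate carries a second phase 2 selector that is the exact mirror (local 24.126.14.5/32, remote 172.16.10.0/24). Interface names (inside, outside, wan2), the phase 1 name TO-ASA, and all object and ACL names are assumptions. The FortiGate firewall policy at the end goes one step beyond what the thread confirms: it is the piece that would let traffic arriving from the tunnel be forwarded out WAN2 with source NAT to the whitelisted address, which is a common reason for the decap counter staying at 0 on the ASA; the thread ends before the poster verifies this on the FortiGate.

```text
! ----- Cisco ASA side (assumed names) -----
object network LAN-ASA
 subnet 172.16.10.0 255.255.255.0
object network LAN-FGT
 subnet 192.168.1.0 255.255.255.0
object network VENDOR-HOST
 host 24.126.14.5
!
! Crypto ACL: each ACE becomes its own IKEv1 child SA (proxy ID pair)
access-list VPN-TO-FGT extended permit ip object LAN-ASA object LAN-FGT
access-list VPN-TO-FGT extended permit ip object LAN-ASA object VENDOR-HOST
!
! NAT exemption (identity twice NAT) for both destinations, placed before
! any dynamic PAT rule for the inside network
nat (inside,outside) source static LAN-ASA LAN-ASA destination static LAN-FGT LAN-FGT no-proxy-arp route-lookup
nat (inside,outside) source static LAN-ASA LAN-ASA destination static VENDOR-HOST VENDOR-HOST no-proxy-arp route-lookup
!
crypto map OUTSIDE_MAP 10 match address VPN-TO-FGT

# ----- FortiGate side (assumed names; interface-mode VPN, phase1 "TO-ASA") -----
# Existing LAN-to-LAN selector
config vpn ipsec phase2-interface
    edit "ASA-P2-LAN"
        set phase1name "TO-ASA"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 172.16.10.0 255.255.255.0
    next
    # New selector: the mirror of the ASA's second ACE.
    # "src" is the FortiGate's local side, so the vendor host goes here.
    edit "ASA-P2-VENDOR"
        set phase1name "TO-ASA"
        set src-subnet 24.126.14.5 255.255.255.255
        set dst-subnet 172.16.10.0 255.255.255.0
    next
end

# Address objects used by the policy below
config firewall address
    edit "LAN-ASA"
        set subnet 172.16.10.0 255.255.255.0
    next
    edit "VENDOR-HOST"
        set subnet 24.126.14.5 255.255.255.255
    next
end

# Forward tunnel traffic for the vendor host out WAN2, source-NATed to the
# WAN2 address the vendor has whitelisted (assumption: the route to
# 24.126.14.5 via wan2 already exists, since local users reach it today).
config firewall policy
    edit 0
        set name "ASA-LAN-to-VENDOR-via-WAN2"
        set srcintf "TO-ASA"
        set dstintf "wan2"
        set srcaddr "LAN-ASA"
        set dstaddr "VENDOR-HOST"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To confirm the selectors agree, compare "show crypto ipsec sa" on the ASA (one SA per ACE, with both encaps and decaps increasing) against "diagnose vpn tunnel list" on the FortiGate, and run "packet-tracer input inside icmp 172.16.10.10 8 0 24.126.14.5" on the ASA to check that the flow hits the NAT exemption rather than the dynamic PAT rule and is marked as encrypted. A child SA that shows encaps but zero decaps, as in the last post, points at the return path on the FortiGate (policy, NAT or route) rather than at the ASA.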