route specific internet traffic through IPSEC VPN

AirSail (Level 1)

Hello ASA/VPN Gurus,

I have an IPsec/IKEv1 VPN working perfectly fine between a Cisco ASA and a FortiGate. That VPN is simple and working perfectly fine.

As you can see in the diagram, a vendor is providing access to his services/apps via the IP 24.126.14.5. The vendor should whitelist your incoming public IP to gain access.

We have that whitelisting done for a dedicated WAN2, and users behind the FortiGate (192.168.1.0/24) can access that server just fine.

The new request is to have users behind the ASA access that server, so my plan to send that specific public IP over the IPsec VPN is:

- Create a new object for "24.126.14.5"

- Call that object inside my crypto ACL and my no-NAT rule

I did the above setup and I did a packet-tracer; it matched the correct NAT and I can see "allow" as a result, but nothing works. Users behind the ASA are still not able to hit "24.126.14.5".

I don't see traffic coming to the Fortinet through the VPN with source 172.16.10.0/24 --> "24.126.14.5".

Am I missing something in the ASA config?


6 Replies

@AirSail if you generate traffic to 24.126.14.5, is the IPsec SA established? Check "show crypto ipsec sa"; if the SA has been established, are the encap counters increasing?

Run packet-tracer from the CLI of the ASA twice. From the output of the second run, check if the traffic is allowed and determine if it is encrypted and matching the correct NAT rule.

This is a brilliant question.

I have a continuous ping to 24.126.14.5 from a machine behind the ASA,

and when I do "show cry ipsec sa", I don't see any child SA for "24.126.14.5". I can see only the communication between both internal subnets 172.16.10.0/24 and 192.168.1.0/24 (encry/decry packet counters increase just fine).

Packet trace attached (I tried to change some IPs to match what I did above).

@AirSail is the crypto ACL correct in the ASA? Are the Fortinet crypto ACL settings configured correctly to mirror the ASA configuration?

Hello @rob

I don't think they have to mirror each other.

From the ASA, my ACL has:

local network: 172.16.10.0/24

remote network: 192.168.1.0/24 + host "24.126.14.5"

From the FortiGate, my ACL has:

local network: 192.168.1.0/24

remote network: 172.16.10.0/24

Thanks,

@AirSail yes, they do; the crypto ACL defines the interesting traffic that should be encrypted.

The Fortinet configuration should be reconfigured to include 24.126.14.5.
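
The mirroring described in the accepted answer, written out as an added configuration example for both peers. This is not the original poster's or the answerers' configuration: the object, ACL and crypto-map names, the FortiGate tunnel name `to-asa`, the WAN2 interface name `wan2`, the FortiGate address-object names and the `<FORTIGATE_PUBLIC_IP>` placeholder are all assumptions; only the subnets and the host 24.126.14.5 come from the thread. The FortiGate firewall policy with source NAT is also an assumption, based on the thread's statement that the vendor whitelists the WAN2 public address.

```text
! ---- Cisco ASA side (assumed names) ----
object network LAN_ASA
 subnet 172.16.10.0 255.255.255.0
object network LAN_FGT
 subnet 192.168.1.0 255.255.255.0
object network HOST_VENDOR
 host 24.126.14.5
!
! Crypto ACL: each line is an IPsec selector (proxy ID) the peer must mirror
access-list VPN_TO_FGT extended permit ip object LAN_ASA object LAN_FGT
access-list VPN_TO_FGT extended permit ip object LAN_ASA object HOST_VENDOR
!
! NAT exemption for both destinations so the real source address enters the tunnel
nat (inside,outside) source static LAN_ASA LAN_ASA destination static LAN_FGT LAN_FGT no-proxy-arp route-lookup
nat (inside,outside) source static LAN_ASA LAN_ASA destination static HOST_VENDOR HOST_VENDOR no-proxy-arp route-lookup
!
crypto map OUTSIDE_MAP 10 match address VPN_TO_FGT
!
! Verification: run packet-tracer twice and read the second run; then confirm a
! child SA for 24.126.14.5 exists and its encaps/decaps counters both increase
packet-tracer input inside icmp 172.16.10.10 8 0 24.126.14.5
show crypto ipsec sa peer <FORTIGATE_PUBLIC_IP>

# ---- FortiGate side (assumed names) ----
# Address objects used by the policy below
config firewall address
    edit "asa-lan-172.16.10.0"
        set subnet 172.16.10.0 255.255.255.0
    next
    edit "vendor-24.126.14.5"
        set subnet 24.126.14.5 255.255.255.255
    next
end
# Second phase 2 selector, the exact mirror of the ASA's new ACL line
config vpn ipsec phase2-interface
    edit "to-asa-vendor"
        set phase1name "to-asa"
        set src-subnet 24.126.14.5 255.255.255.255
        set dst-subnet 172.16.10.0 255.255.255.0
    next
end
# Policy from the tunnel interface out WAN2 with source NAT, so the vendor sees
# the whitelisted WAN2 public address (assumption, see lead-in)
config firewall policy
    edit 0
        set name "asa-lan-to-vendor"
        set srcintf "to-asa"
        set dstintf "wan2"
        set srcaddr "asa-lan-172.16.10.0"
        set dstaddr "vendor-24.126.14.5"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The point the accepted answer makes is visible in the two selector blocks: the ASA's second ACL line (172.16.10.0/24 to host 24.126.14.5) only negotiates a child SA if the FortiGate has a phase 2 whose source and destination are the same pair reversed. Without the mirrored selector the ASA has nothing to match, which is why the original poster saw no child SA for that host in "show crypto ipsec sa".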

AirSail (Level 1)

You nailed it, and it makes total sense.

I can see a new child SA for that IP sending traffic: encap + encry increase, but decap + decry are 0.

Somehow there is no reply back from the FortiGate side. I'll have to log into the FortiGate and do some packet captures.

It's fixed so far from the ASA side. THANK YOU!