05-11-2022 04:30 AM
Hi All,
I'm hoping that the more knowledgeable of you can tell me where I'm going wrong.
My local end is a Cisco ASA 5516 and the remote end is a Fortigate 601E.
My local subnet is 10.2.0.0/18, which clashes with the remote subnet, so we NAT the traffic going over the tunnel to 10.6.22.0/24.
The IPs that we connect to on the remote end are in the 43.X.X.X/24 subnet.
Pings from my subnet time out, but the remote end says they can see the ping coming in and a reply being sent.
My config is (relevant parts):
object-group network Remote-Servers
network-object host 43.X.X.3
network-object host 43.X.X.4
object network LOCAL-TO-REMOTE-XLATE
subnet 10.6.22.0 255.255.255.0
access-list outside_1_cryptomap extended permit icmp object LOCAL-TO-REMOTE-XLATE object-group Remote-Servers log debugging
access-list outside_1_cryptomap extended permit ip object LOCAL-TO-REMOTE-XLATE object-group Remote-Servers log debugging
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_18 LOCAL-TO-REMOTE-XLATE destination static Remote-Servers Remote-Servers
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 43200
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
05-11-2022 05:25 AM - edited 05-11-2022 05:29 AM
From my understanding, your address 10.2.0.0/18 is converted into 10.6.22.0/24 (because the remote side is using 10.2.0.0/18), where your local subnet is a /18 and you translate it into a /24 subnet.
Your config looks fine apart from the subnet /18 and /24.
You said the remote side can see the pings coming in but you do not see the reply.
Could you show the output of the command "show crypto ipsec sa peer x.x.x.x", where x.x.x.x is your remote public IP address?
Also, could you confirm the remote side has also configured 10.6.22.0/24 as the remote network?
Also add this command:
policy-map global_policy
class inspection_default
inspect icmp
object-group network Remote-Servers
network-object host 43.X.X.3
network-object host 43.X.X.4
!
object network LOCAL-TO-REMOTE-XLATE
subnet 10.6.22.0 255.255.255.0
!
access-list outside_1_cryptomap extended permit icmp object LOCAL-TO-REMOTE-XLATE object-group Remote-Servers log debugging
access-list outside_1_cryptomap extended permit ip object LOCAL-TO-REMOTE-XLATE object-group Remote-Servers log debugging
!
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_18 LOCAL-TO-REMOTE-XLATE destination static Remote-Servers Remote-Servers
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 43200
!
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-tunnel-protocol ikev1
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
05-11-2022 05:31 AM
Just added the following:
policy-map global_policy
class inspection_default
inspect icmp
All working now.
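The reply path the thread ends up on, as an added Python toy model (not code from the thread, from Cisco or from Fortinet): inside hosts in 10.2.0.0/18 are source-NATed to 10.6.22.0/24 toward the remote servers, and an ICMP echo reply from the remote side is only let back in when "inspect icmp" has recorded the matching echo request. Assumptions made here for the model: the masked 43.X.X.3/.4 are stood in by the constructed 43.0.0.3 and 43.0.0.4, the static NAT is modelled as a one-to-one mapping by offset from the network base (so hosts beyond the first /24 of the /18 have no mapped address, the size mismatch the accepted answer points out), and inspection pairs replies with requests by the ICMP identifier; how the real ASA handles either detail is not claimed.

```python
# Added example, not from the thread: toy model of static source NAT toward
# the remote servers plus stateful ICMP inspection on the reply path.
# All addresses and ICMP identifiers below are constructed for the model.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int          # ICMP identifier, used to pair replies with requests


class ToyAsa:
    def __init__(self, real_net: str, mapped_net: str, remote_hosts, inspect_icmp: bool):
        self.real_net = IPv4Network(real_net)        # e.g. 10.2.0.0/18 (inside)
        self.mapped_net = IPv4Network(mapped_net)    # e.g. 10.6.22.0/24 (what the peer sees)
        self.remote = set(remote_hosts)              # the Remote-Servers object-group
        self.inspect_icmp = inspect_icmp             # "inspect icmp" present or not
        self.icmp_conns = set()                      # pseudo-connections created by inspection

    def _translate(self, real: str) -> str:
        # Assumption for the model: one-to-one mapping by offset. A /18 real
        # network does not fit into a /24 mapped network, so hosts past the
        # first 256 addresses have nowhere to go.
        offset = int(IPv4Address(real)) - int(self.real_net.network_address)
        if offset >= self.mapped_net.num_addresses:
            raise ValueError(f"{real} has no mapped address in {self.mapped_net}")
        return str(IPv4Address(int(self.mapped_net.network_address) + offset))

    def _untranslate(self, mapped: str) -> str:
        offset = int(IPv4Address(mapped)) - int(self.mapped_net.network_address)
        return str(IPv4Address(int(self.real_net.network_address) + offset))

    def inside_to_outside(self, pkt: Icmp) -> Optional[Icmp]:
        """Egress toward the tunnel: NAT the source; with inspection on, remember the echo."""
        if IPv4Address(pkt.src) not in self.real_net or pkt.dst not in self.remote:
            return None                              # not covered by this NAT/crypto policy
        mapped = self._translate(pkt.src)
        if self.inspect_icmp and pkt.icmp_type == ECHO_REQUEST:
            self.icmp_conns.add((mapped, pkt.dst, pkt.ident))
        return Icmp(mapped, pkt.dst, pkt.icmp_type, pkt.ident)

    def outside_to_inside(self, pkt: Icmp) -> Optional[Icmp]:
        """Ingress from the tunnel: an echo reply passes only if it matches a tracked request."""
        if pkt.icmp_type != ECHO_REPLY or IPv4Address(pkt.dst) not in self.mapped_net:
            return None
        key = (pkt.dst, pkt.src, pkt.ident)
        if not self.inspect_icmp or key not in self.icmp_conns:
            # Without "inspect icmp" there is no connection entry to match the
            # reply against, and the thread's config has no outside ACL that
            # would permit it explicitly: the reply is dropped, which is the
            # symptom the original post describes.
            return None
        self.icmp_conns.discard(key)                 # one reply per request
        return Icmp(pkt.src, self._untranslate(pkt.dst), ECHO_REPLY, pkt.ident)


def ping_round_trip(inspect_icmp: bool, ident: int = 0x1234) -> Optional[Icmp]:
    """One echo from a constructed inside host; returns what comes back to it, if anything."""
    asa = ToyAsa("10.2.0.0/18", "10.6.22.0/24", ["43.0.0.3", "43.0.0.4"], inspect_icmp)
    request = Icmp("10.2.0.10", "43.0.0.3", ECHO_REQUEST, ident)
    on_wire = asa.inside_to_outside(request)         # leaves as 10.6.22.10 -> 43.0.0.3
    # The remote server answers the translated address, as the remote admin reported.
    reply = Icmp(on_wire.dst, on_wire.src, ECHO_REPLY, on_wire.ident)
    return asa.outside_to_inside(reply)


if __name__ == "__main__":
    print("without inspect icmp:", ping_round_trip(False))    # None: reply dropped
    print("with inspect icmp:   ", ping_round_trip(True))     # delivered to 10.2.0.10
```

On a real ASA the equivalent check is to run packet-tracer for the echo request from an inside host to one of the remote servers (for example "packet-tracer input inside icmp 10.2.0.10 8 0 43.X.X.3") and then for the reply in the other direction, and to compare the encaps and decaps counters in "show crypto ipsec sa peer x.x.x.x" before and after adding "inspect icmp" to the global policy.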
05-11-2022 04:42 AM - edited 05-11-2022 05:53 AM
...
05-11-2022 05:04 AM
Thank you for your suggestion.
Although I've been told that my local subnet clashes with the remote end, I'm not looking to connect to a remote IP that is the same as one on my subnet.
I'm on 10.2.0.0/18 and need to get to 43.x.x.x. The ICMP traffic is going down the tunnel and is hitting the server, and a reply is being sent. It's just that I don't see the reply.
Hope this helps.
05-11-2022 04:47 AM
So in your case, on your firewall you see there is no encap but there is decap, right?
05-11-2022 05:06 AM
Sorry, don't follow you.
I'm new to Cisco firewalls.
05-11-2022 07:18 AM
For me (and you will check it later) it is not solved:
if the remote peer wants to ping the ASA, does it succeed?
NO.
You need NAT for the overlapping on both sides.
05-11-2022 07:24 AM
It has been fixed.
I was missing:
policy-map global_policy
class inspection_default
inspect icmp