11-28-2011 12:39 AM
Hello all,
I have set up an IPsec tunnel between a Cisco ASA 5505 and a Fortigate 80C. The tunnel is set up as I execute pings from inside behind the ASA to inside behind the FG, however I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through policies configured on the FG).
What I noticed in Packet Tracer is that traffic is dropped at the step 'VPN lookup'.
To troubleshoot I have configured a test ('fake') VPN connection through the VPN wizard and get the same result in Packet Tracer.
I run 8.4 software on the ASA and this is part of the relevant config:
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 192.168.196.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.196.0_24 NETWORK_OBJ_192.168.196.0_24 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 172.16.0.138 (there is a NAT device between the ASA and the internet, i.e. a Fritzbox modem)
crypto ipsec ikev1 transform-set 3des-sha1 esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 194.109.xxx.xxx
crypto map outside_map 2 set ikev1 transform-set 3des-sha1
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
group-policy GroupPolicy_194.109.xxx.xxx internal
group-policy GroupPolicy_194.109.xxx.xxx attributes
vpn-filter value outside_cryptomap_1
vpn-tunnel-protocol ikev1
tunnel-group 194.109.xxx.xxx type ipsec-l2l
tunnel-group 194.109.xxx.xxx general-attributes
default-group-policy GroupPolicy_194.109.xxx.xxx
tunnel-group 194.109.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****
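Added example (editor's own, not part of the post and not Cisco code): a small Python check that reads the pieces an ASA 8.4 LAN-to-LAN tunnel depends on, the crypto ACL named in the crypto map, the twice-NAT identity statement, and the group-policy vpn-filter, and reports where they disagree. It encodes two documented ASA rules: the crypto ACL's local/remote pairs must be exempted from NAT by an identity statement, and a vpn-filter ACL is evaluated with the remote network as source and the local network as destination, so it has to be the mirror image of the crypto ACL rather than the same ACL. SAMPLE_CONFIG is constructed from the lines in the post above (the peer is kept masked exactly as posted); because the `object network` definitions are not in the post, the subnets are derived from the ASDM-style object names, which is an assumption of this example. Only the `subnet mask` form of ACL entries is parsed.

```python
"""Consistency check for an ASA LAN-to-LAN tunnel config (added example, not the poster's code).

Parses the crypto ACL, the twice-NAT identity statement, the crypto map
'match address' and the group-policy vpn-filter from a config text and
reports mismatches between them. SAMPLE_CONFIG is constructed from the
lines in the post above; object subnets are derived from the ASDM-style
object names because the 'object network' definitions are not in the post.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 192.168.196.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.196.0_24 NETWORK_OBJ_192.168.196.0_24 no-proxy-arp route-lookup
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 194.109.xxx.xxx
group-policy GroupPolicy_194.109.xxx.xxx attributes
 vpn-filter value outside_cryptomap_1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
GP_RE = re.compile(r"^group-policy (\S+) attributes$")
FILTER_RE = re.compile(r"^vpn-filter value (\S+)$")
# Assumption: objects follow the ASDM wizard naming NETWORK_OBJ_<addr>_<prefixlen>.
OBJ_RE = re.compile(r"^NETWORK_OBJ_(\d+\.\d+\.\d+\.\d+)_(\d+)$")


def net(addr, mask):
    """Build a network from ASA 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def obj_net(name):
    """Derive the subnet from an ASDM-style object name (assumption, see above)."""
    m = OBJ_RE.match(name)
    if not m:
        raise ValueError(f"cannot derive a subnet from object name {name}")
    return ipaddress.ip_network(f"{m[1]}/{m[2]}")


def parse(config):
    """Collect ACL entries, twice-NAT statements, crypto map ACLs and vpn-filters."""
    acls, nats, maps, filters = {}, [], {}, {}
    group_policy = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, action, proto, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((action, proto, net(sa, sm), net(da, dm)))
        elif m := NAT_RE.match(line):
            nats.append(m.groups())  # (in_if, out_if, src_real, src_mapped, dst_real, dst_mapped)
        elif m := MAP_RE.match(line):
            maps[(m[1], int(m[2]))] = m[3]
        elif m := GP_RE.match(line):
            group_policy = m[1]
        elif (m := FILTER_RE.match(line)) and group_policy:
            filters[group_policy] = m[1]
    return acls, nats, maps, filters


def check(config):
    """Return a list of findings; an empty list means the pieces agree."""
    acls, nats, maps, filters = parse(config)
    findings = []
    # Identity NAT (real == mapped on both sides) keeps VPN traffic untranslated.
    exempt = {(obj_net(sr), obj_net(dr)) for _, _, sr, sm, dr, dm in nats if sr == sm and dr == dm}
    for (mapname, seq), aclname in maps.items():
        entries = acls.get(aclname)
        if not entries:
            findings.append(f"{mapname} {seq}: crypto ACL {aclname} is not defined")
            continue
        interesting = {(src, dst) for act, _, src, dst in entries if act == "permit"}
        for src, dst in interesting - exempt:
            findings.append(f"{mapname} {seq}: no identity NAT for {src} -> {dst}; "
                            "traffic would be translated before encryption")
        # A vpn-filter ACL is evaluated with the remote network as source and the
        # local network as destination, so it must mirror the crypto ACL.
        for gp, fname in filters.items():
            for act, _, fsrc, fdst in acls.get(fname, []):
                if act != "permit" or (fdst, fsrc) in interesting:
                    continue  # correctly oriented remote -> local
                if (fsrc, fdst) in interesting:
                    findings.append(f"{gp}: vpn-filter {fname} is written local -> remote "
                                    f"({fsrc} -> {fdst}); a vpn-filter must be written "
                                    "remote -> local, so traffic from the remote network is denied")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG) or ["no inconsistencies found"]:
        print(finding)
```

Run against the posted lines it reports one finding: the NAT exemption matches the crypto ACL, but the same ACL is reused as the vpn-filter, which in vpn-filter terms only permits 10.0.0.0/8 as the remote side. Pointing the vpn-filter at a separate ACL written as 192.168.196.0/24 -> 10.0.0.0/8 (or removing the vpn-filter line while testing) makes the check come back clean.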
11-28-2011 01:55 AM
Well, actually the Packet Tracer output is all right now :S
I have rebuilt my ASA 5505 from scratch and created the tunnel again.
I note that the animation shows more 'hops', e.g. two times a VPN lookup, while my earlier picture stopped at the access list lookup.
Actually I am still not able to send traffic over the line, so I am going to check the Fortigate unit now.....
Kind regards,
Ralph
Arnhem Netherlands