tunnel between asa5505 and Fortigate 80c up but no traffic

erwee1973
Level 1

Hello all,

I have set up an IPsec tunnel between a Cisco ASA 5505 and a Fortigate 80C. The tunnel is set up as I execute pings from inside behind the ASA to inside behind the FG; however, I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through the policies configured on the FG).

What I noticed in Packet Tracer is that traffic is dropped at the step 'Vpn lookup'.

To troubleshoot, I have configured a test ('fake') VPN connection through the VPN wizard and got the same result in Packet Tracer.

I run 8.4 software on the ASA, and this is the relevant part of the config:

access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 192.168.196.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.196.0_24 NETWORK_OBJ_192.168.196.0_24 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 172.16.0.138   (there is a NAT device between the ASA and the internet, i.e. a Fritzbox modem)
crypto ipsec ikev1 transform-set 3des-sha1 esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 194.109.xxx.xxx
crypto map outside_map 2 set ikev1 transform-set 3des-sha1
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
group-policy GroupPolicy_194.109.xxx.xxx internal
group-policy GroupPolicy_194.109.xxx.xxx attributes
 vpn-filter value outside_cryptomap_1
 vpn-tunnel-protocol ikev1
tunnel-group 194.109.xxx.xxx type ipsec-l2l
tunnel-group 194.109.xxx.xxx general-attributes
 default-group-policy GroupPolicy_194.109.xxx.xxx
tunnel-group 194.109.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****
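When an IKEv1 site-to-site tunnel comes up but carries no traffic, the usual ASA-side checks are that the crypto-map ACL, the NAT exemption and any vpn-filter all describe the same two networks and in the right direction. The script below is an added example, not code from the post or from Cisco; it parses a constructed config modelled on the one above (peer replaced by a documentation address, and `object network` definitions added as an assumption about what the ASA VPN wizard generates for the NETWORK_OBJ_* names) and reports three things: a crypto ACL that is referenced but missing, a crypto ACL entry with no matching identity (twice) NAT rule, and a vpn-filter ACL written local-to-remote. The last check relies on the documented ASA behaviour that vpn-filter ACEs are evaluated with the remote network as the source, so reusing the crypto ACL (local source, remote destination) as the vpn-filter never matches the tunnel's traffic.

```python
"""Consistency checks for an ASA 8.4 IKEv1 site-to-site configuration.

Added example; the config below is constructed (modelled on the forum post)
and the object definitions are an assumption about what the VPN wizard
generates, not lines from the post.
"""
import ipaddress
import re

SAMPLE_CONFIG = """
object network NETWORK_OBJ_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network NETWORK_OBJ_192.168.196.0_24
 subnet 192.168.196.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 192.168.196.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static NETWORK_OBJ_192.168.196.0_24 NETWORK_OBJ_192.168.196.0_24 no-proxy-arp route-lookup
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 198.51.100.1
group-policy GroupPolicy_198.51.100.1 attributes
 vpn-filter value outside_cryptomap_1
"""


def net(addr, mask):
    """Build an IPv4Network from ASA's 'address netmask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def parse(config):
    """Collect the pieces the checks need from a flat ASA running-config."""
    objects, acls, nat_exempt, crypto_acls, vpn_filters = {}, {}, [], [], []
    current_obj = None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"object network (\S+)$", s):
            current_obj = m.group(1)
        elif (m := re.match(r"subnet (\S+) (\S+)$", s)) and current_obj:
            objects[current_obj] = net(*m.groups())
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", s):
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((net(sa, sm), net(da, dm)))
        elif m := re.match(r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", s):
            real_src, mapped_src, real_dst, mapped_dst = m.groups()
            # real == mapped on both sides is identity NAT, i.e. NAT exemption
            if real_src == mapped_src and real_dst == mapped_dst:
                nat_exempt.append((real_src, real_dst))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", s):
            crypto_acls.append(m.group(1))
        elif m := re.match(r"vpn-filter value (\S+)$", s):
            vpn_filters.append(m.group(1))
    return objects, acls, nat_exempt, crypto_acls, vpn_filters


def check(config):
    """Return a list of (code, message) findings; an empty list means consistent."""
    objects, acls, nat_exempt, crypto_acls, vpn_filters = parse(config)
    findings = []
    for acl_name in crypto_acls:
        aces = acls.get(acl_name)
        if not aces:
            findings.append(("MISSING_CRYPTO_ACL", f"crypto map references undefined ACL {acl_name}"))
            continue
        for local, remote in aces:
            exempt = any(objects.get(s) == local and objects.get(d) == remote for s, d in nat_exempt)
            if not exempt:
                findings.append(("NO_NAT_EXEMPT", f"no identity NAT for {local} -> {remote}; traffic is NATed before the VPN lookup"))
            for vf in vpn_filters:
                for src, dst in acls.get(vf, []):
                    # The ASA evaluates vpn-filter ACEs with the REMOTE network as source.
                    if src == local and dst == remote:
                        findings.append(("VPN_FILTER_DIRECTION",
                                         f"vpn-filter {vf} ACE {src} -> {dst} is local->remote; "
                                         f"it should be written {remote} -> {local}"))
    return findings


if __name__ == "__main__":
    for code, msg in check(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

Running it against the sample flags only the vpn-filter direction; replacing the filter with an ACL written from the remote network's point of view (192.168.196.0/24 to 10.0.0.0/8) produces no findings. If Packet Tracer still stops at the VPN lookup after that, the remaining suspects are the Fortigate's phase-2 selectors and policies, which this script does not see.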

1 Reply

erwee1973
Level 1

Well, actually the Packet Tracer output is all right now :S

I have rebuilt my ASA 5505 from scratch and created the tunnel again.

I note that the animation shows more 'hops', e.g. two VPN lookups, while my earlier picture stopped at the access list lookup.

Actually, I am still not able to send traffic over the line, so I am going to check the Fortigate unit now...

Kind regards,

Ralph

Arnhem Netherlands