cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
942
Views
0
Helpful
1
Replies

Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505

CSCO11857702
Level 1
Level 1

Problem : Unable to access user A to user B

User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} )  --- User B

After using wizard to configure the cisco ASA site to site VPN, the site-to-site tunnel is up.

Ping is unsuccessful from user A to user B

Ping is successful from user B to user A, data is accessable

After done the packet tracer from user A to user B,

Result :

Flow-lookup

Action : allow

Info: Found no matching flow, creating a new flow

Route-lookup

Action : allow

Info : 192.168.5.203 255.255.255.255 identity

Access-list

Action : drop

Config Implicit Rule

Result - The packet is dropped

Input Interface : inside

Output Interface : NP Identify Ifc

Info: (acl-drop)flow is denied by configured rule

Below is Cisco ASA 5505's show running-config

ASA Version 8.2(1)

!

hostname Asite

domain-name ssms1.com

enable password ZZZZ encrypted

passwd WWWW encrypted

names

name 82 B-firewall description Singapore office firewall

name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP

name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)

name 192.168.2.0 fw-inside-subnet description A office internal LAN IP

name 122 A-forti

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.203 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 93 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name ssms1.com

object-group network obj_any

network-object 0.0.0.0 0.0.0.0

access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240

access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0

access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0

access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0

access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http B-inside-subnet 255.255.255.0 inside

http fw-inside-subnet 255.255.255.0 inside

http 0.0.0.0 255.255.255.255 outside

http 0.0.0.0 0.0.0.0 outside

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer A-forti

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_cryptomap

crypto map outside_map 2 set peer B-firewall

crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption aes-192

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.5.10-192.168.5.20 inside

dhcpd dns 165 165 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username admin password XXX encrypted privilege 15

tunnel-group 122 type ipsec-l2l

tunnel-group 122 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

class-map outside-class

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

  message-length maximum client auto

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

policy-map outside-policy

description ok

class outside-class

  inspect dns

  inspect esmtp

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect icmp

  inspect icmp error

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip

  inspect skinny

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

!

service-policy global_policy global

service-policy outside-policy interface outside

prompt hostname context

Cryptochecksum: XXX

: end

Kindly need your expertise&help to solve the problem

1 Reply 1

CSCO11857702
Level 1
Level 1

any1 can help me ?