VPN - Cisco router - fortigate 100D
  • VPN - Cisco router - fortigate 100D

    Hi

    I need some help; I've been thrown in at the deep end here.

    I have a Cisco router at a remote site with a number of VLANs, and then a Fortinet 100D firewall/router at the other.

    I have the VPN tunnel up between the two sites, and I can pass traffic to the virtual gateways, for example:

    Site 1

    10.9.33.0/24
    10.9.33.254 (gateway)

    Site 2

    10.9.254.0/24
    10.9.254.254 (gateway)

    So I am able to ping the gateways at each site, but nothing else.

    Why is this? I note the other devices are on switches and not connected directly to either of the routers.

    Would it be fair to say I need to add the remote IP range to the switches? I am assuming the switches don't know how to route the inbound traffic.

    Does that sound correct?

    Thank you for reading and your assistance

    Dom

  • #2
    Re: VPN - Cisco router - fortigate 100D

    If your switches are doing any routing themselves (layer 3 traffic) then yes, they would have to know about the route to the remote subnet. You say each device answers pings at its own site, but can the 2 routers ping each other?

    Sounds like there's some routing missing. Are the Cisco and Fortigate devices acting as the sole routers for all traffic at their respective locations, or are there other routing devices being used as well? If so, they have to have knowledge of the tunnel route to the other subnet.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: VPN - Cisco router - fortigate 100D

      Hi

      Thank you for your help

      They are Layer 2 Cisco Cat 2960s.

      No, they can't ping each other, as I am going from VLAN to VLAN, if that makes sense.



      Thanks

      Dom



      • #4
        Re: VPN - Cisco router - fortigate 100D

        What do your routes look like on the Fortigate and the Cisco?

        If they are Layer 2 switches, then they've got no routing brain really, so they rely on the routers.
        Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



        • #5
          Re: VPN - Cisco router - fortigate 100D

          Hi

          Here are the routes:

          ip nat pool Routed xx.53.143.241 xx.53.143.242 netmask 255.255.255.252
          ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
          ip nat inside source static 10.9.33.1 xx.53.143.242
          ip nat inside source static tcp 10.9.253.2 2806 xx.53.242.155 2806 extendable
          ip route 0.0.0.0 0.0.0.0 xx.53.242.154 permanent

          Here is the ACL relating to the VPN:

          access-list 101 remark CCP_ACL Category=18
          access-list 101 remark IPSec Rule
          access-list 101 deny ip 10.9.33.0 0.0.0.255 10.9.254.0 0.0.0.255
          &
          access-list 102 remark CCP_ACL Category=4
          access-list 102 remark IPSec Rule
          access-list 102 permit ip 10.9.33.0 0.0.0.255 10.9.254.0 0.0.0.255

          As we can ping the gateway 10.9.33.254, I am guessing it's just a route that needs to be added to allow access on to the VLAN? The VLAN ID is 333.

          Thank you

          Dom
          Last edited by DomB2015; 31st January 2015, 10:10.



          • #6
            Re: VPN - Cisco router - fortigate 100D

            You say you can ping the gateway, but from where? And if you can ping the internal gateway address from the subnet at the other location, you should also be able to reach other hosts in the same subnet, as the IPsec tunnel definition seems to cover an entire subnet at each end.

            You're using IPsec, which means each network at both ends has to be explicitly declared as part of the tunnel definition. Your definition only covers one network at each end (10.9.33.0/24 and 10.9.254.0/24 respectively). If you have multiple VLANs at one end, each VLAN will be using a different IP subnet, and all these subnets must be specified as part of the tunnel definition.

            You've posted two access lists, but you've given no details as to how they are used. One contains a "deny" rule for all traffic going through the IPsec tunnel, while the other contains a ruleset doing the exact opposite. My guess is the first list is probably used to prevent the router from NAT overloading traffic going to the other site (assuming we're only seeing part of the list, because as it currently stands, it doesn't really do anything useful since it blocks all traffic), while the other list might represent the actual IPsec Phase 2 definitions. It would be nice not having to rely on guesswork, though.

            Is the Cisco router acting as the IPsec endpoint also doing all inter-VLAN routing, or is there another router involved?

            Do you have a network diagram you could post? A picture really does say more than a thousand words in a case like this, and if your network documentation doesn't currently include such a diagram, it might not be a bad idea to create one using a tool like Visio or Dia (the latter of which is completely free).



            • #7
              Re: VPN - Cisco router - fortigate 100D

              Hi thanks for your reply.

              I don't have a diagram; I will get one drawn.

              I used the Cisco Configuration Professional to create the VPN tunnel, so the ACLs were created by that.

              So I am able to ping from the 10.9.254.# network to the 10.9.33.254 gateway only. There are other devices on the 10.9.33.# network that I can ping locally when I am on that network.

              However, I can't ping any of the devices via the VPN other than the gateway 10.9.33.254.

              The other end of this is a FortiGate box, which is showing as up, and I can see traffic if I do a ping to the gateway IP address. The same can be said from the Cisco end.

              Doing a tracert from the 10.9.254.x addresses shows 1 hop between the two gateways. When I ping a device on the network, that's when it dies, and then it shows multiple hops and times out.

              So I am lost as to whether it's a problem with the FortiGate box or the Cisco box. Using the FortiGate VPN wizard doesn't create Phase 2 authentication; it relies on a strong key on Phase 1. I am wondering if this could be the issue? Just a thought.

              On the FortiGate box you need to create a static route. Could this be the case for the Cisco?

              Thank you guys

              Dom



              • #8
                Re: VPN - Cisco router - fortigate 100D

                Having used different, older Fortigate devices, I can confirm what Ser Olmy says about the Phase 1 / Phase 2 settings. The Phase 2 negotiation is what sets up your permissions between subnets behind either endpoint. If there are 2 subnets behind the Fortigate and only 1 behind the Cisco, the Phase 2 has to include both subnets behind the Fortigate or either missing subnet won't be contactable from the Cisco side.

                Phase 1 sets up the security for the endpoints to agree to talk to each other, Phase 2 sets up the rules for what traffic will pass through them.
                *RicklesP*
                MSCA (2003/XP), Security+, CCNA

                ** Remember: credit where credit is due, and reputation points as appropriate **



                • #9
                  Re: VPN - Cisco router - fortigate 100D

                  Ok

                  I have tried again today and still no joy. The VPN is up and I can connect to the console of the Cisco box from the Fortinet network.

                  So, happy days.

                  However, I still can't get to 10.9.33.1.

                  Could it be because we have a static NAT in place that is routing the phone system out via one of our public IP addresses?

                  A friend of mine said this might be the issue?

                  Any help appreciated

                  Thank you guys & dolls

                  Dom

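The points made in #6 and #8 (every subnet pair has to appear in the Phase 2 selector, and a deny in the NAT route-map's ACL is what keeps tunnel traffic from being translated), together with the static NAT question in #9, can be checked against the lines posted in #5 with a small model of how an IOS router classifies an inside-to-outside packet. The Python below is an added example, not code from this thread or from Cisco. It assumes that route-map SDM_RMAP_1 matches ACL 101 and that ACL 101 ends with a `permit ip any any` line (the post shows only the deny line), substitutes 192.0.2.x documentation addresses for the masked xx.53.x.x public addresses, uses 10.9.33.10 as a constructed ordinary host on VLAN 333, and follows Cisco's documented inside-to-outside order of operations, in which NAT runs before the crypto map check.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed config: the ACL and NAT lines from post #5, with the masked public
# addresses (xx.53.x.x) replaced by 192.0.2.x documentation addresses and one
# ASSUMED 'permit ip any any' appended to ACL 101 (the thread shows only the deny).
CONFIG = """
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static 10.9.33.1 192.0.2.242
ip nat inside source static tcp 10.9.253.2 2806 192.0.2.155 2806 extendable
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.9.33.0 0.0.0.255 10.9.254.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.9.33.0 0.0.0.255 10.9.254.0 0.0.0.255
"""
OVERLOAD_IP = "192.0.2.1"  # placeholder for the Gi0/1 address the overload uses


@dataclass
class AclEntry:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Acl:
    entries: list = field(default_factory=list)


def wildcard_to_network(addr, wildcard):
    """IOS wildcard (1 bits = don't care) -> network; 0.0.0.255 gives a /24."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address(~wc & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def _parse_addr(tokens, i):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD')."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_config(text):
    """Return (numbered ACLs, unconditional one-to-one static NAT map local -> global)."""
    acls, static_nat = {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "access-list":
            acl = acls.setdefault(t[1], Acl())
            if t[2] in ("permit", "deny") and t[3] == "ip":
                src, i = _parse_addr(t, 4)
                dst, _ = _parse_addr(t, i)
                acl.entries.append(AclEntry(t[2], src, dst))
        elif t[:5] == ["ip", "nat", "inside", "source", "static"]:
            # Port-specific (tcp/udp) and route-map-conditioned entries are skipped:
            # only an unconditional one-to-one static NAT rewrites every packet.
            if t[5] not in ("tcp", "udp") and "route-map" not in t:
                static_nat[t[5]] = t[6]
    return acls, static_nat


def evaluate(acl, src_ip, dst_ip):
    """First-match ACL lookup; IOS appends an implicit deny to every list."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl.entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def classify_flow(cfg, src_ip, dst_ip, crypto_acl="102", nat_acl="101"):
    """Where an inside -> outside packet ends up: 'tunnel', 'internet-nat',
    '<static|overload>-nat-before-crypto' or 'no-tunnel-no-nat'."""
    acls, static_nat = cfg
    # Step 1: NAT. Static one-to-one NAT always applies; otherwise the overload
    # applies when the route-map's ACL (assumed to be 101) permits the packet,
    # and a deny in that ACL is the NAT exemption for tunnel traffic.
    if src_ip in static_nat:
        seen_src, nat_kind = static_nat[src_ip], "static"
    elif evaluate(acls[nat_acl], src_ip, dst_ip) == "permit":
        seen_src, nat_kind = OVERLOAD_IP, "overload"
    else:
        seen_src, nat_kind = src_ip, None
    # Step 2: the crypto map check sees the post-NAT source address.
    if evaluate(acls[crypto_acl], seen_src, dst_ip) == "permit":
        return "tunnel"
    if nat_kind and evaluate(acls[crypto_acl], src_ip, dst_ip) == "permit":
        return nat_kind + "-nat-before-crypto"  # would match only pre-NAT
    if nat_kind:
        return "internet-nat"  # not a selector match; leaves via the default route
    return "no-tunnel-no-nat"  # leaves unencrypted with a private source address


CFG = parse_config(CONFIG)

if __name__ == "__main__":
    for src, dst in [("10.9.33.10", "10.9.254.10"), ("10.9.33.1", "10.9.254.10"),
                     ("10.9.253.2", "10.9.254.10"), ("10.9.33.10", "203.0.113.5")]:
        print(f"{src:>12} -> {dst:<14} {classify_flow(CFG, src, dst)}")
```

Under these assumptions a plain host on VLAN 333 is exempted from overload NAT and matches the crypto ACL, so it is tunnelled; a host on the 10.9.253.0/24 VLAN is not in the selector at all, which is the missing-subnet case from #6 and #8; and the one-to-one static entry for 10.9.33.1 rewrites that host's source address before the crypto check, so the crypto ACL no longer matches it. In IOS the usual way to keep a static translation from applying to tunnel traffic is to attach a route-map to the `ip nat inside source static` line that denies the tunnel subnets; the Fortigate side must then carry the mirror-image selector for every subnet pair.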


                  • #10
                    Re: VPN - Cisco router - fortigate 100D

                    How about that network diagram that Ser Olmy asked for? It would help a lot.
                    *RicklesP*
                    MSCA (2003/XP), Security+, CCNA

                    ** Remember: credit where credit is due, and reputation points as appropriate **
