Trouble setting up VPN to Non-ASA box

Posted on 2011-09-18
Last Modified: 2012-06-21
Our situation is as follows:

- On one end, an ASA 5505 running 8.3(1). Several servers in the subnet.

- On the other end, a Fortigate 60B. A backup server in the subnet.

- The tricky bit is that we want to NAT the addresses of the servers behind the ASA so that to the backup server they appear to be in the subnet.

- We're using an L2L IPsec VPN with standard settings. We don't have any trouble opening the tunnel. The problem is that none of the machines on either end can talk to each other. Packets from the backup server are received by the ASA, but they don't seem to go anywhere. Packets from the servers behind the ASA don't seem to reach the Fortigate. I'm pretty sure the problem is in my NAT rules or crypto map or one of those things.

- When the backup server behind the Fortigate tries to ping one of the servers at its NATed address, I see the ping come to the ASA and get NATed to the correct internal address, but then I get "regular translation creation failed for icmp" in the ASA log.

ASA config attached. Can anyone shed light on the issue?

Result of the command: "show run"

: Saved
ASA Version 8.3(1) 
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address [external IP] 
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
 switchport access vlan 3
interface Ethernet0/7
 switchport access vlan 3
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
object network obj_any 
object network Inside_LAN 
object network VPN_Tunnel 
object network DMZ 
object network DMZ_10.100.100.0_24 
object network Backup_LAN 
 description Backup internal network 
object network Backup_NAT 
 description Backup NAT subnet for devices 
access-list vpn_splitTunnelAcl standard permit 
access-list outside_1_cryptomap extended permit ip object Backup_NAT object Backup_LAN 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ipsecvpnpool mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm631.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside_LAN Backup_NAT destination static Backup_LAN Backup_LAN
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source dynamic any interface
nat (inside,outside) source static Inside_LAN Inside_LAN destination static VPN_Tunnel VPN_Tunnel
object network obj_any
 nat (inside,outside) dynamic interface
object network DMZ
 nat (dmz,outside) dynamic interface
route outside [gateway IP] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer [Fortigate IP] 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address dmz
dhcpd dns interface dmz
dhcpd auto_config outside interface dmz
dhcpd enable dmz

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
group-policy vpn internal
group-policy vpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
 vpn-group-policy vpn
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool ipsecvpnpool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *****
tunnel-group [Fortigate IP] type ipsec-l2l
tunnel-group [Fortigate IP] ipsec-attributes
 pre-shared-key *****
prompt hostname context 
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end


Question by:netfriendsinc
LVL 18

Expert Comment

ID: 36560285
Do your ACLs match up? What you're doing looks right to me based on similar configurations I've done (using the NAT subnet and the real far-end subnet). What ACL does the far end device use?

Author Comment

ID: 36562953
It's a simpler device, so it doesn't really use ACLs per se. The Fortigate UI actually shows each L2L VPN as a virtual "interface," so we have a static route directing traffic to that interface. All outbound traffic from the backup server is permitted. Only inbound ping traffic (for diagnostic purposes) is permitted. That's all the rules we have on that side.

Author Comment

ID: 36563041
I should clarify - all outbound traffic from the backup server to the subnet is permitted. Only inbound ping traffic from the subnet to the backup server is permitted.

Accepted Solution

ID: 36583911
This problem was resolved by one or both of the following (not sure which, I did both and now it works):

1. In line 80, switched to nat (inside,any)
2. Added line: crypto map outside_map 1 set reverse-route
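As an added illustration (not code from the thread or from Cisco), the following Python model walks the manual NAT rules from the posted config in ASA section 1 order (first match wins) and then checks the post-NAT addresses against the outside_1_cryptomap ACL, which is what decides whether outbound traffic is selected for the tunnel. The subnets and the outside address are constructed, since the page redacts them; it also shows the ordering pitfall of a dynamic PAT rule sitting ahead of the static VPN rule.

```python
import ipaddress

# Constructed sample subnets (the posted config redacts the real ones).
INSIDE_LAN = ipaddress.ip_network("192.168.10.0/24")  # real servers behind the ASA
BACKUP_NAT = ipaddress.ip_network("10.200.10.0/24")   # how those servers appear to the backup site
BACKUP_LAN = ipaddress.ip_network("192.168.50.0/24")  # real subnet behind the Fortigate
OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")     # constructed ASA outside address

def static_map(addr, from_net, to_net):
    """One-to-one static NAT between equal-sized networks: keep the host offset."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)

# Manual (twice) NAT rules in configuration order: ASA section 1, first match wins.
# Tuple: (real_if, mapped_if, real_src, mapped_src, real_dst, mapped_dst);
# real_src None models 'source dynamic any interface'.
STATIC_VPN_RULE = ("inside", "outside", INSIDE_LAN, BACKUP_NAT, BACKUP_LAN, BACKUP_LAN)
DYNAMIC_PAT_RULE = ("inside", "outside", None, None, None, None)
RULES_AS_POSTED = [STATIC_VPN_RULE, DYNAMIC_PAT_RULE]

def translate(rules, ingress, src, dst):
    """Return (src, dst, rule_kind) after the first matching manual NAT rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real_if, mapped_if, rs, ms, rd, md in rules:
        if ingress == real_if:                         # forward direction: real -> mapped
            if rs is None:
                return OUTSIDE_IP, dst, "dynamic-pat"  # source PATed to the outside interface
            if src in rs and dst in rd:
                return static_map(src, rs, ms), static_map(dst, rd, md), "static"
        elif ingress == mapped_if and rs is not None:  # reverse direction: mapped -> real
            if src in md and dst in ms:
                return static_map(src, md, rd), static_map(dst, ms, rs), "static"
    return src, dst, "no-match"

# outside_1_cryptomap: permit ip object Backup_NAT object Backup_LAN
# (post-NAT source, far-end destination)
CRYPTO_ACL = [(BACKUP_NAT, BACKUP_LAN)]

def crypto_acl_permits(src, dst):
    return any(src in s and dst in d for s, d in CRYPTO_ACL)

def outbound_selects_tunnel(rules, real_src, real_dst):
    """Outbound packets are NATed first, then matched against the crypto ACL."""
    src, dst, _ = translate(rules, "inside", real_src, real_dst)
    return crypto_acl_permits(src, dst)

if __name__ == "__main__":
    print(translate(RULES_AS_POSTED, "inside", "192.168.10.5", "192.168.50.20"))
    print(translate(RULES_AS_POSTED, "outside", "192.168.50.20", "10.200.10.5"))  # inbound ping untranslated
    print(outbound_selects_tunnel(RULES_AS_POSTED, "192.168.10.5", "192.168.50.20"))        # True
    print(outbound_selects_tunnel(RULES_AS_POSTED[::-1], "192.168.10.5", "192.168.50.20"))  # False: PAT wins
```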

Author Closing Comment

ID: 36708137
Didn't get any help here, so I fixed it myself.
