Trouble setting up VPN to Non-ASA box

Posted on 2011-09-18
Medium Priority
Last Modified: 2012-06-21
Our situation is as follows:

- On one end, an ASA 5505 running 8.3(1). Several servers in the subnet.

- On the other end, a Fortigate 60B. A backup server in the subnet.

- The tricky bit is that we want to NAT the addresses of the servers behind the ASA so that to the backup server they appear to be in the subnet.

- We're using an L2L IPsec VPN with standard settings. We don't have any trouble opening the tunnel. The problem is that none of the machines on each end can talk to each other. Packets from the backup server are received by the ASA, but they don't seem to go anywhere. Packets from the servers behind the ASA don't seem to reach the Fortigate. I'm pretty sure the problem is in my NAT rules or crypto map or one of those things.

- When the backup server behind the Fortigate tries to ping one of the servers at its NATed address, I see the ping come to the ASA and get NATed to the correct internal address, but then I get "regular translation creation failed for icmp" in the ASA log.

ASA config attached. Can anyone shed light on the issue?


Result of the command: "show run"

: Saved
ASA Version 8.3(1) 
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address [external IP] 
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
 switchport access vlan 3
interface Ethernet0/7
 switchport access vlan 3
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name domain.com
object network obj_any 
object network Inside_LAN 
object network VPN_Tunnel 
object network DMZ 
object network DMZ_10.100.100.0_24 
object network Backup_LAN 
 description Backup internal network 
object network Backup_NAT 
 description Backup NAT subnet for devices 
access-list vpn_splitTunnelAcl standard permit 
access-list outside_1_cryptomap extended permit ip object Backup_NAT object Backup_LAN 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ipsecvpnpool mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm631.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside_LAN Backup_NAT destination static Backup_LAN Backup_LAN
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source dynamic any interface
nat (inside,outside) source static Inside_LAN Inside_LAN destination static VPN_Tunnel VPN_Tunnel
object network obj_any
 nat (inside,outside) dynamic interface
object network DMZ
 nat (dmz,outside) dynamic interface
route outside [gateway IP] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer [Fortigate IP] 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address dmz
dhcpd dns interface dmz
dhcpd auto_config outside interface dmz
dhcpd enable dmz

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
group-policy vpn internal
group-policy vpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
 vpn-group-policy vpn
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool ipsecvpnpool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *****
tunnel-group [Fortigate IP] type ipsec-l2l
tunnel-group [Fortigate IP] ipsec-attributes
 pre-shared-key *****
prompt hostname context 
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end


Question by: netfriendsinc

Expert Comment

ID: 36560285
Do your ACLs match up? What you're doing looks right to me based on similar configurations I've done (using the NAT subnet and the real far-end subnet). What ACL does the far end device use?

Author Comment

ID: 36562953
It's a simpler device, so it doesn't really use ACLs per se. The Fortigate UI actually shows each L2L VPN as a virtual "interface," so we have a static route directing traffic to that interface. All outbound traffic from the backup server is permitted. Only inbound ping traffic (for diagnostic purposes) is permitted. That's all the rules we have on that side.

Author Comment

ID: 36563041
I should clarify - all outbound traffic from the backup server to the subnet is permitted. Only inbound ping traffic from the subnet to the backup server is permitted.

Accepted Solution

netfriendsinc earned 0 total points
ID: 36583911
This problem was resolved by one or both of the following (not sure which, I did both and now it works):

1. In line 80, switched to nat (inside,any)
2. Added line: crypto map outside_map 1 set reverse-route
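The three things this thread ends up checking by hand (that the crypto ACL names the translated subnet rather than the real one, that the twice-NAT rule is not shadowed by an earlier dynamic PAT rule in section 1, and that reverse-route injection is set on the L2L crypto map entry) can be checked mechanically from a `show run` dump. The script below is an added example, not code from the original post or from Cisco or Fortinet tooling. It parses ASA 8.3-style `nat`, `access-list` and `crypto map` lines; the embedded sample reuses the object names from the posted config, while the peer address 203.0.113.10 is a constructed placeholder because the real addresses were redacted. The `set reverse-route` check mirrors the accepted fix above.

```python
"""Consistency checks for an ASA 8.3+ L2L VPN that uses twice NAT.

Added example for this thread (not from the original post). It parses the
NAT, access-list and crypto map lines of a running config and flags the
mismatches that most often produce a tunnel that comes up but passes no
traffic.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the posted ASA config. Object names are the
# ones from the post; addresses were redacted there, so only names are used
# and the peer IP is a documentation-range placeholder.
SAMPLE_CONFIG = """
object network Inside_LAN
object network Backup_LAN
object network Backup_NAT
access-list outside_1_cryptomap extended permit ip object Backup_NAT object Backup_LAN
nat (inside,outside) source static Inside_LAN Backup_NAT destination static Backup_LAN Backup_LAN
nat (inside,outside) source dynamic any interface
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map interface outside
"""

NAT_STATIC = re.compile(
    r"^nat \((?P<src_if>[\w-]+),(?P<dst_if>[\w-]+)\) source static "
    r"(?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<real_dst>\S+) (?P<mapped_dst>\S+))?"
)
NAT_DYNAMIC = re.compile(r"^nat \((?P<src_if>[\w-]+),(?P<dst_if>[\w-]+)\) source dynamic ")
ACL_IP = re.compile(
    r"^access-list (?P<name>\S+) extended permit ip object (?P<src>\S+) object (?P<dst>\S+)"
)
CRYPTO_MATCH = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) match address (?P<acl>\S+)")
CRYPTO_RRI = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) set reverse-route")


def parse(config: str) -> dict:
    """Collect the NAT rules (in order), ACL entries and crypto map entries."""
    nat_rules: List[dict] = []
    acls: Dict[str, List[dict]] = {}
    crypto: Dict[str, dict] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_STATIC.match(line):
            nat_rules.append({"kind": "static", **m.groupdict()})
        elif m := NAT_DYNAMIC.match(line):
            nat_rules.append({"kind": "dynamic", **m.groupdict()})
        elif m := ACL_IP.match(line):
            acls.setdefault(m["name"], []).append({"src": m["src"], "dst": m["dst"]})
        elif m := CRYPTO_MATCH.match(line):
            crypto.setdefault(f'{m["map"]} {m["seq"]}', {})["acl"] = m["acl"]
        elif m := CRYPTO_RRI.match(line):
            crypto.setdefault(f'{m["map"]} {m["seq"]}', {})["rri"] = True
    return {"nat": nat_rules, "acls": acls, "crypto": crypto}


def check_vpn_nat(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse(config)
    findings: List[str] = []
    for entry, props in cfg["crypto"].items():
        acl_name = props.get("acl")
        if not acl_name:
            findings.append(f"{entry}: no 'match address' ACL")
            continue
        for ace in cfg["acls"].get(acl_name, []):
            # The crypto ACL is matched against post-NAT traffic, so its source
            # must be the *mapped* source of a twice-NAT rule for this destination.
            match = next(
                (r for r in cfg["nat"] if r["kind"] == "static"
                 and r["mapped_src"] == ace["src"]
                 and r.get("real_dst") == ace["dst"]),
                None,
            )
            if match is None:
                findings.append(
                    f"{entry}: crypto ACL {acl_name} source {ace['src']} is not the mapped "
                    f"source of any 'source static ... destination static {ace['dst']}' rule"
                )
                continue
            # Section 1 (manual NAT) is evaluated top-down, first match wins: a
            # dynamic PAT rule for the same interface pair placed above the static
            # rule would PAT the VPN traffic and the crypto ACL would never match.
            idx = cfg["nat"].index(match)
            shadowing = [
                r for r in cfg["nat"][:idx]
                if r["kind"] == "dynamic"
                and r["src_if"] in (match["src_if"], "any")
                and r["dst_if"] in (match["dst_if"], "any")
            ]
            if shadowing:
                findings.append(f"{entry}: twice-NAT rule for {ace['src']} is shadowed by an earlier dynamic rule")
        if not props.get("rri"):
            findings.append(f"{entry}: 'set reverse-route' not configured")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_nat(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the only finding is the missing `set reverse-route`, which is exactly the line the accepted solution added; feeding it a config whose crypto ACL names `Inside_LAN` instead of `Backup_NAT`, or whose dynamic PAT rule sits above the static rule, produces the corresponding findings. The parser deliberately handles only `object`-based ACEs and `source static`/`source dynamic` manual NAT, which is the shape of the config in this thread.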

Author Closing Comment

ID: 36708137
Didn't get any help here, so I fixed it myself.
