Cisco IPSec issue between 870 and Fortigate Firewall


I currently have an issue getting my IPSec VPN up between a remote office with a Cisco 870 using ADSL and my Fortigate 110C in my hosting centre.

My Fortigate has a fixed IP but the ADSL on the Cisco is dynamic. I have seen that the ISAKMP seems successful and shows a connection, however I don't seem to get the IPSec initiated.

I have attached the relevant parts of the Cisco config - please could someone help me out here.

The Cisco does have internet access and the VLAN addresses all have access to the internet - just not the remote network.

NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
You need to remove this NAT statement: "ip nat inside source list 100 interface Dialer1 overload"

As Cisco will run the configuration from top to bottom, the first NAT will match and all your Cisco LAN traffic will get NAT'ed.

Also remove ACL 100.

Why do you have two NAT statements? The second is not needed. Add multiple statements to access-list 100 to
ensure that VPN traffic is not encrypted.

access-list 100 deny ip
access-list 100 permit ip any

Use one nat overload command per interface:
ip nat inside source list 100 interface Dialer1 overload

Remove the other nat statement

try again,

harbor235 ;}
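Both answers above rest on the same point: on IOS the NAT ACL is evaluated first-match, and for inside-to-outside traffic NAT runs before the crypto map, so a NAT ACL that permits everything rewrites the source address before the crypto ACL ever sees the packet, and the tunnel never matches. The script below is an added example written for this page, not the poster's configuration (which was attached but is not shown here): it parses IOS-style `access-list` lines, applies first-match semantics, and shows the broken NAT ACL beside the corrected one with the deny for tunnel traffic placed before the catch-all permit. The subnets (192.168.10.0/24 behind the 870, 10.20.0.0/24 behind the Fortigate) and the Dialer1 address 203.0.113.5 are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example (not the poster's config). Subnets and the Dialer1
# address are assumptions chosen for illustration.
LAN_NET = "192.168.10.0 0.0.0.255"      # branch VLAN behind the Cisco 870
REMOTE_NET = "10.20.0.0 0.0.0.255"      # network behind the Fortigate
DIALER_IP = "203.0.113.5"               # address NAT overload stamps on packets

# Shape of the original problem: everything from the LAN is NATed,
# including traffic that should have gone into the tunnel.
BROKEN_NAT_ACL = [
    f"access-list 100 permit ip {LAN_NET} any",
]

# The fix the answers describe: a deny for tunnel traffic placed *before*
# the catch-all permit, so first-match exempts it from NAT.
FIXED_NAT_ACL = [
    f"access-list 100 deny ip {LAN_NET} {REMOTE_NET}",
    f"access-list 100 permit ip {LAN_NET} any",
]

# Crypto ACL bound to the crypto map; this one stays as it is.
CRYPTO_ACL = [
    f"access-list 101 permit ip {LAN_NET} {REMOTE_NET}",
]


@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # wildcard is the inverted mask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ACEs, in order."""
    aces = []
    for line in lines:
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        rest = tokens[4:]
        aces.append(Ace(tokens[2], _parse_addr(rest), _parse_addr(rest)))
    return aces


def acl_permits(aces, src_ip, dst_ip):
    """IOS semantics: the first matching entry wins; implicit deny at the end."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def classify(nat_acl_lines, crypto_acl_lines, src_ip, dst_ip):
    """Outbound inside-to-outside on IOS: NAT is applied before the crypto map.
    If the NAT ACL matches, the source is rewritten to the Dialer1 address and
    the crypto ACL is then checked against the rewritten packet."""
    natted = acl_permits(parse_acl(nat_acl_lines), src_ip, dst_ip)
    if natted:
        src_ip = DIALER_IP
    encrypted = acl_permits(parse_acl(crypto_acl_lines), src_ip, dst_ip)
    return {"natted": natted, "encrypted": encrypted}


if __name__ == "__main__":
    for name, nat_acl in (("broken", BROKEN_NAT_ACL), ("fixed", FIXED_NAT_ACL)):
        print(name, "LAN->remote  ", classify(nat_acl, CRYPTO_ACL, "192.168.10.5", "10.20.0.7"))
        print(name, "LAN->internet", classify(nat_acl, CRYPTO_ACL, "192.168.10.5", "198.51.100.9"))
```

With the broken ACL, LAN-to-remote traffic is NATed to the Dialer1 address and then fails the crypto ACL, which is exactly the "ISAKMP up, no IPsec SA" symptom in the question; with the deny entry in front, tunnel traffic is exempted from NAT and matches ACL 101, while ordinary internet traffic is still NATed. Keep a single `ip nat inside source list 100 interface Dialer1 overload` referencing that one ACL, as harbor235 notes, and leave ACL 101 on the crypto map.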
AntFutter (Author) commented:
Thanks for the quick solutions

harbor235 - your solution was basically the same as NetExpert's, only that ACL 101 was bound to the crypto map, so I needed to keep that one.

Working for now. Will need to look at routing other IP ranges over the same IPSec tunnel next!
No problems, I did not see netexperts comment. ;-}

harbor235 ;}