FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 192776
Description: Only one subnet (or host) is accessible at a time from the FortiGate.
Components
  • All FortiGate units, version 2.5 and 2.8
  • IPsec VPN between a FortiGate and a Cisco PIX firewall.
  • Several subnets (or individual hosts) are hosted behind the PIX and/or the FortiGate (e.g. 10.0.0.1/32 and 10.0.0.2/32 behind the FortiGate, and 192.168.1.0/24 and 192.168.2.0/24 behind the PIX).
  • The remote subnets (or hosts) are defined on the FortiGate as an Address Group (192.168.1.0/24 and 192.168.2.0/24).
Steps or Commands

The PIX firewall creates one SA (security association) per access-list entry, whereas the FortiGate unit creates one SA per Phase 2. With a single Phase 2 covering the Address Group, only the first SA negotiated is usable, so only one remote subnet is reachable at a time. The FortiGate unit must therefore have a separate Phase 2 entry for each access-list line in the PIX configuration (see below).

access-list ipsec_vpn permit ip 192.168.1.0 255.255.255.0 host 10.0.0.1
access-list ipsec_vpn permit ip 192.168.2.0 255.255.255.0 host 10.0.0.2

In this example, the FortiGate is configured with two firewall policies, each using its own Phase 2 whose selectors mirror one access-list line, and each pointing to the respective remote destination network (192.168.1.0/24 for 10.0.0.1, 192.168.2.0/24 for 10.0.0.2). The Address Group with the combined remote networks is not used, since a single Phase 2 built from it would not match the per-entry SAs the PIX expects.
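The following is an added example, not Fortinet's code or anything from this article: it parses the PIX access-list lines above, derives one FortiGate Phase 2 selector pair per line (FortiGate local = PIX destination, FortiGate remote = PIX source), and checks that a proposed FortiGate plan mirrors the ACL one-to-one rather than aggregating the remote networks. The Phase 1 name "to_pix" and the Phase 2 naming scheme are assumptions; the script deliberately emits a version-neutral plan instead of FortiOS CLI, whose syntax differs between releases.

```python
import ipaddress
import re

# Constructed sample input: the two PIX access-list lines from the article.
PIX_ACL = """
access-list ipsec_vpn permit ip 192.168.1.0 255.255.255.0 host 10.0.0.1
access-list ipsec_vpn permit ip 192.168.2.0 255.255.255.0 host 10.0.0.2
"""

# A PIX endpoint is "host A.B.C.D", "network mask", or "any".
_ENDPOINT = r"(?:host\s+(\S+)|(\S+)\s+(\S+)|any)"
_ACE = re.compile(rf"^access-list\s+(\S+)\s+permit\s+ip\s+{_ENDPOINT}\s+{_ENDPOINT}\s*$")


def _to_network(host, addr, mask):
    """Convert one parsed PIX endpoint into an IPv4Network."""
    if host:
        return ipaddress.ip_network(f"{host}/32")
    if addr:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network("0.0.0.0/0")


def parse_pix_acl(text):
    """Return [(acl_name, pix_side_net, fortigate_side_net)] per permit-ip line.
    The PIX lists its own side as source and the FortiGate side as destination."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = _ACE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line}")
        name, sh, sa, sm, dh, da, dm = m.groups()
        entries.append((name, _to_network(sh, sa, sm), _to_network(dh, da, dm)))
    return entries


def fortigate_phase2_plan(text, phase1_name="to_pix"):  # phase1_name is assumed
    """One Phase 2 per ACL line: each SA pairs exactly one local and one remote selector."""
    return [{"phase2": f"{phase1_name}_p2_{i}", "phase1": phase1_name,
             "local": str(fgt_net), "remote": str(pix_net)}
            for i, (_, pix_net, fgt_net) in enumerate(parse_pix_acl(text), start=1)]


def selectors_match(plan, acl_text):
    """True only when the plan has the same SA count as the ACL and every Phase 2
    mirrors one ACL line exactly (an aggregated Address Group selector fails this)."""
    acl = parse_pix_acl(acl_text)
    return len(plan) == len(acl) and all(
        p["remote"] == str(a[1]) and p["local"] == str(a[2]) for p, a in zip(plan, acl))
```

Run `selectors_match(fortigate_phase2_plan(PIX_ACL), PIX_ACL)` to confirm the per-entry mapping; feeding it a single Phase 2 built from the combined Address Group returns False, which is the misconfiguration this article describes.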


Related Articles

List of articles about Fortigate IPSec VPN interoperability