Cisco to FortiGate Command Conversion

KB ID 0001776

Problem

Bah, what the hell is 'show run'? If you've spent years on Cisco IOS and ASA/Firepower, then FortiGate can be a little confusing. Hopefully the Cisco to FortiGate list below will make it a little easier.

Cisco to FortiGate Translation

Cisco Command                                       FortiGate Command

Basic commands
show run                                            show full-config
show version                                        get system status
show ip interface brief                             show system interface
show run interface x/x                              show system interface <port #>
show interface x/x                                  get hardware nic <port #> / diagnose hardware deviceinfo nic
show ip arp                                         diagnose ip arp list
show mac address-table                              diagnose switch mac-address list | grep -i mac
show lldp neighbor                                  diagnose lldprx neighbor summary
show ip nat translation                             get system session list
show vlan                                           diagnose switch vlan list
show failover                                       diagnose system ha status
copy running-configuration startup-configuration    execute backup config
reload                                              execute reboot
ping x.x.x.x                                        execute ping x.x.x.x

Basic Routing Commands
show ip route                                       get router info routing-table all
show ip route x.x.x.x                               get router info routing-table details x.x.x.x
sh ip route summary                                 get router info routing-table all
show run | sec route-map                            show router route-map
show run | sec ip prefix-list                       show router prefix-list

OSPF Commands
show ip ospf neighbor                               get router info ospf neighbor
show ip ospf neighbor details                       get router info ospf neighbor detail all

BGP Commands
show ip bgp summary                                 get router info bgp summary
show run | sec router bgp                           show router bgp
show ip bgp neighbor x.x.x.x routes                 get router info bgp neighbors x.x.x.x routes
show ip bgp neighbor x.x.x.x advertised-routes      get router info bgp neighbors x.x.x.x advertised-routes
show ip bgp neighbor x.x.x.x received-routes        get router info bgp neighbors x.x.x.x received-routes
show ip bgp x.x.x.x                                 get router info bgp network x.x.x.x

VPN Commands
show crypto isakmp                                  diagnose vpn ike gateway list
show crypto ipsec sa                                diagnose vpn tunnel list

Please comment below if you want to add any I've missed.

Related Articles, References, Credits, or External Links

NA

FortiGate to Cisco ASA Site to Site VPN

KB ID 0001717

Problem

Continuing with my 'Learn some FortiGate' theme: one of the basic requirements of any edge firewall is a site-to-site VPN. As the bulk of my knowledge is Cisco ASA, it seems sensible for me to work out how to VPN those two firewalls together, like so:

Well, that's the pretty picture; I'm building this in EVE-NG, so here's what my workbench topology looks like:

Disclaimer (Read First! Especially before posting any comments!)

Fortinet prides itself on you not needing to use the CLI (until you actually need to use the CLI, of course!), but both ends here are configured using the GUI and ASDM. This is designed for the 'let's just make it work, who cares what's going on under the hood' generation, which means it enables IKEv1, NOT IKEv2, on the FortiGate, and BOTH IKEv1 and IKEv2 get enabled on the Cisco ASA. Couple that with all the weak crypto sets that get enabled, because someone might have a hardware firewall from 1981 or something! So in production I'd consider doing things a little more manually. I will post another article on the same subject, but then I'll make the tunnel as secure as I can (watch this space). This is an exercise in getting the tunnel up and making it work.

Tech Note: If you just use both wizards it won't work; thankfully I could debug the tunnel on the Cisco ASA to work out why. Fortinet sets all the DH groups to 5, and Cisco sets them all to 2, and Fortinet enables PFS while Cisco doesn't (it does on older versions of the OS, but not on the newer ones).
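As an added check (example code written for this page, not from the article), the script below pulls the phase-1 DH group and PFS settings out of each side's configuration text and reports exactly the two mismatches the tech note describes. The config excerpts, the tunnel name ToASA and the crypto map name outside_map are constructed for the example; FortiOS treats a missing `set pfs` line as enabled, and the ASA treats a missing `set pfs` on the crypto map entry as disabled.

```python
import re
# Constructed excerpts of what the two wizards leave behind (illustrative, not taken from the article).
FORTIGATE_CFG = """
config vpn ipsec phase1-interface
    edit "ToASA"
        set dhgrp 5
    next
end
config vpn ipsec phase2-interface
    edit "ToASA"
        set pfs enable
        set dhgrp 5
    next
end
"""
ASA_CFG = """
crypto ikev1 policy 10
 group 2
"""

def _dhgrp(block):
    # FortiOS lists one or more groups on a single "set dhgrp" line
    m = re.search(r"set dhgrp ([\d ]+)", block)
    return set(m.group(1).split()) if m else set()

def fortigate_params(cfg):
    """Phase-1 DH groups, PFS state and phase-2 DH groups from a FortiGate config excerpt."""
    p1 = re.search(r"config vpn ipsec phase1-interface(.*?)\nend", cfg, re.S).group(1)
    p2 = re.search(r"config vpn ipsec phase2-interface(.*?)\nend", cfg, re.S).group(1)
    pfs = re.search(r"set pfs (enable|disable)", p2)
    pfs_on = pfs is None or pfs.group(1) == "enable"   # FortiOS default is enable
    return {"p1_dh": _dhgrp(p1), "pfs": pfs_on, "p2_dh": _dhgrp(p2)}

def asa_params(cfg):
    """Same values from an ASA excerpt; no 'set pfs' on the crypto map entry means PFS is off."""
    p1_dh = set(re.findall(r"^\s*group (\d+)", cfg, re.M))
    pfs = re.search(r"crypto map \S+ \d+ set pfs(?: group(\d+))?", cfg)
    p2_dh = {pfs.group(1)} if pfs and pfs.group(1) else set()
    return {"p1_dh": p1_dh, "pfs": pfs is not None, "p2_dh": p2_dh}

def compare(fg, asa):
    """Settings that will stop the tunnel negotiating; an empty list means the two sides agree."""
    problems = []
    if not fg["p1_dh"] & asa["p1_dh"]:
        problems.append(f"phase1 DH: FortiGate {sorted(fg['p1_dh'])} vs ASA {sorted(asa['p1_dh'])}")
    if fg["pfs"] != asa["pfs"]:
        problems.append(f"PFS: FortiGate {'on' if fg['pfs'] else 'off'} vs ASA {'on' if asa['pfs'] else 'off'}")
    elif fg["pfs"] and not fg["p2_dh"] & asa["p2_dh"]:
        problems.append(f"phase2 PFS group: FortiGate {sorted(fg['p2_dh'])} vs ASA {sorted(asa['p2_dh'])}")
    return problems
```

Run `compare(fortigate_params(FORTIGATE_CFG), asa_params(ASA_CFG))` against the wizard output and it lists both mismatches; after changing the FortiGate to DH group 2 with PFS disabled, as the steps below do in the GUI, it returns an empty list.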

Create IKE/IPSec VPN Tunnel On FortiGate

From the web management portal > VPN > IPSec Wizard > Give the tunnel a name > Change the remote device type to Cisco > Next.

Give it the 'public' IP of the Cisco ASA > Set the port to the 'outside' port on the FortiGate > Enter a pre-shared key (a text string; you will need to enter this on the Cisco ASA as well, so paste it into Notepad or something for later) > Next.

Local interface will be the 'inside' interface on the FortiGate > Enter the local subnet(s) > Enter the remote (behind the ASA) subnet(s) > Next.

Review the settings > Create.

Select IPSec Tunnels > Select the new tunnel > Edit.

Convert to Custom Tunnel.

Phase 1 Proposal > Edit.

Add in Diffie-Hellman Group 2.

Phase 2 Selectors > Edit > Advanced > Untick Enable Perfect Forward Secrecy > OK.

Create IKE/IPSec VPN Tunnel On Cisco ASA (ASDM)

Connect to the ASDM > Wizards > VPN Wizards > Site-to-Site VPN Wizard > Next.

You should already have an object for your Local Network; add that in > Then add a new Network Object for the remote (behind the FortiGate) subnet. MAKE SURE the new object is selected as the Remote Network > Next.

Enter the Pre-Shared key you used (above) > Next > Tick to DISABLE NAT > Next > Finish.

Tech Note: Look at all those ciphers/hashes/additional protocols that are about to be turned on! 🙁 That's why I work at the command line.

Finally you will need to send some traffic over the tunnel to ‘bring it up’.

If you have a problem, see the debugging/troubleshooting links below.

Related Articles, References, Credits, or External Links

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels