promap

PIX 506e to SonicWall 4060 Site to Site VPN

I'm trying to create a site-to-site VPN tunnel between my PIX 506e and a remote SonicWall 4060.  I've run through Cisco's VPN wizard and it appears to successfully be talking to the SonicWall but no traffic can flow between them.  I say it appears to be working because I start seeing IKE tunnels show up when I look in the PDM (web interface), but the tunnels continue to be created and no traffic comes through.  At one point I had 600+ IKE tunnels sitting in a QM_IDLE state but no traffic flowing.

We've contacted SonicWall and they say the SonicWall is configured correctly, but they can't support 3rd party products.  They pointed me to a document that explains how to have a PIX talk to a SonicWall, but no luck with that.

Any ideas?  Let me know if you need to see the PIX configuration if that helps.

Thanks
Les Moore

Do you have PFS enabled on the Sonicwall, and not on the PIX?
You can post your PIX config if you want...
Can you also post a link to the document for the configurations?
promap

ASKER

PFS is not enabled on either end.  The SonicWall documentation is here: http://www.sonicwall.com/support/pdfs/vpn_interop/SonicWALL_VPN_with_Cisco_PIX_using_IKE_6_4_2.pdf

Using the Cisco VPN wizard generates all the commands that SonicWall is telling me to use.

Here's my PIX config:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname pix
domain-name x.com
clock timezone CST -6
clock summer-time CST recurring 2 Sat Apr 2:00 last Sat Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name x.x.x.x x
object-group network web_servers
  description Servers and workstations that host HTTP content
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network smtp_servers
  description Servers and workstations that process SMTP content
  network-object host x.x.x.x
object-group network vnc_servers
  description Servers and workstations that host VNC content
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network rdp_servers
  description Servers and workstations that require RDP communication
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network dns_servers
  description Servers and workstations that respond to DNS queries
  network-object host x.x.x.x
object-group network ping_responders
  description Servers and workstations that will respond to pings
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network time_servers
  description Servers and workstations that need NTP data
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group icmp-type icmp_traffic
  description Types of ICMP traffic to permit
  icmp-object echo-reply
  icmp-object source-quench
  icmp-object unreachable
  icmp-object time-exceeded
  icmp-object information-reply
  icmp-object mask-reply
  icmp-object parameter-problem
  icmp-object timestamp-reply
object-group network https_servers
  description Servers and workstations that host HTTPS content
  network-object host x.x.x.x
object-group network web_servers_real
  description Servers and workstations that host HTTP content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network https_servers_real
  description Servers and workstations that host HTTPS content
  network-object x.x.x.x 255.255.255.255
object-group network smtp_servers_real
  description Servers and workstations that process SMTP content
  network-object x.x.x.x 255.255.255.255
object-group network vnc_servers_real
  description Servers and workstations that host VNC content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network rdp_servers_real
  description Servers and workstations that require RDP communication
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network dns_servers_real
  description Servers and workstations that respond to DNS queries
  network-object x.x.x.x 255.255.255.255
object-group network time_servers_real
  description Servers and workstations that need NTP data
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network ping_responders_real
  description Servers and workstations that will respond to pings
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network web_servers_real1
  description Servers and workstations that host HTTP content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
access-list 100 permit tcp any object-group web_servers eq www
access-list 100 permit tcp any object-group https_servers eq https
access-list 100 permit tcp any object-group vnc_servers eq 5500
access-list 100 permit tcp any object-group rdp_servers eq 3389
access-list 100 permit udp any object-group dns_servers eq domain
access-list 100 permit icmp any any object-group icmp_traffic
access-list 100 permit icmp any object-group ping_responders echo
access-list 100 permit tcp any object-group smtp_servers eq smtp
access-list 100 permit tcp any object-group https_servers eq ftp
access-list 100 permit tcp any object-group https_servers eq ftp-data
access-list 100 permit udp any object-group time_servers eq ntp
access-list 100 permit tcp host x.x.x.x host x.x.x.x eq www
access-list 100 permit tcp any host x.x.x.x eq 5151
access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip interface inside x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any x.x.x.x 255.255.255.192
access-list x_splitTunnelAcl permit ip x.x.x.x 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside x.x.x.x
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.128
ip address inside x.x.x.x 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name checkInfo info action alarm
ip audit name checkAttack attack action alarm
ip audit interface outside checkInfo
ip audit interface outside checkAttack
ip audit info action alarm
ip audit attack action alarm
ip local pool REMOTE x.x.x.x-x.x.x.x
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.192 outside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x 255.255.224.0 outside
pdm group web_servers_real inside
pdm group https_servers_real inside
pdm group smtp_servers_real inside
pdm group vnc_servers_real inside
pdm group rdp_servers_real inside
pdm group dns_servers_real inside
pdm group time_servers_real inside
pdm group ping_responders_real inside
pdm group https_servers outside reference https_servers_real
pdm group smtp_servers outside reference smtp_servers_real
pdm group rdp_servers outside reference rdp_servers_real
pdm group dns_servers outside reference dns_servers_real
pdm group time_servers outside reference time_servers_real
pdm group ping_responders outside reference ping_responders_real
pdm group web_servers_real1 inside
pdm group web_servers outside reference web_servers_real1
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x netmask 255.255.255.128
global (outside) 1 x.x.x.x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.209 source outside prefer
http server enable
http x.x.x.x 255.255.255.0 inside
snmp-server location Server Room
snmp-server contact x
snmp-server community x
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
isakmp enable outside
isakmp nat-traversal 20
vpngroup x address-pool REMOTE
vpngroup x dns-server x.x.x.x x.x.x.x
vpngroup x default-domain x.com
vpngroup x split-tunnel x_splitTunnelAcl
vpngroup x idle-time 1800
vpngroup x password ********
telnet x.x.x.x 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:1893d6251ad5b005dd3770d76c65012f
: end
[OK]
Assuming that this line represents your internal LAN -> remote subnet behind the Sonicwall
>access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.192
All you need is the single line
  access-list inside_outbound_nat0_acl permit ip <local subnet> <mask> <remote subnet> <mask>

You do not need these two lines at all:
>access-list inside_outbound_nat0_acl permit ip interface inside x.x.x.x 255.255.255.192
>access-list inside_outbound_nat0_acl permit ip any x.x.x.x 255.255.255.192

You do not have a crypto map or isakmp at all.. Using the examples in the document, you need to add the following to the PIX:

access-list pixtosw permit ip <local subnet> <mask> <remote subnet> <mask>
crypto ipsec security-association lifetime seconds 28800
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer <public IP of Sonicwall>
crypto map tosonicwall 20 set transform-set ESP-3DES-SHA
crypto map tosonicwall interface outside
isakmp key <secretkey> address <public IP of Sonicwall> netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
isakmp enable outside

Once you have added those commands, you can check to see if the tunnel is up using
pix#sho cry is sa
Looking for QM_IDLE state with remote peer IP of the Sonicwall
promap

ASKER

Seems to be connected, but right now it has 4 SAs with QM_IDLE state.  This is a lot better than before when it would open 700 connections, but I'm curious why it needs more than 1 SA.  

Also, I can't ping anything on the remote subnet.  Should I remove those access-list entries (inside_outbound_nat0_acl)?  I think those are from when I used the wizard in PDM to create a remote access VPN setup (for my laptop users).

Thanks
promap

ASKER

Just an update, but I now have 80 SAs sitting in a QM_IDLE state.  Shouldn't there only be 1 between the sites?
>Shouldn't there only be 1 between the sites?
Yes. Only one

>Should I remove those access-list entries (inside_outbound_nat0_acl)?  
No. These are absolutely necessary.

I will assume that the PIX is your default gateway on the local LAN?
Can I also assume that the Sonicwall is the default gateway on the remote side?
Can you post result of
sho cry ip sa, at least the first part that identifies local/remote networks and counters for encap/decaps/errors

promap

ASKER

Doesn't the pixtosw access-list take care of everything necessary for this tunnel?

PIX is default gateway at local site and Sonicwall is default gateway at remote side.

Here's the counters:

Details for 192.168.10.0/255.255.255.0/0/0 TSC-INDY/255.255.224.0/0/0 at Mon May 16 20:56:53 CDT 2005

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (TSC-INDY/255.255.224.0/0/0)
   current_peer: 207.250.51.66:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 31405, #pkts decrypt: 31405, #pkts verify 31405
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
     local crypto endpt.: 216.81.173.123, remote crypto endpt.: 207.250.51.66
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: ac4f053e
     inbound esp sas:
      spi: 0xc3463404(3276157956)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: tosonicwall
        sa timing: remaining key lifetime (k/sec): (4607996/28712)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xac4f053e(2890859838)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: tosonicwall
        sa timing: remaining key lifetime (k/sec): (4608000/28727)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
 >   #pkts decaps: 31405, #pkts decrypt: 31405, #pkts verify 31405
Lots of decaps, no encaps.

Can you post your new PIX config? Do you still have this?
  nat (inside) 0 access-list inside_outbound_nat0_acl
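
An added example, not part of the original thread: a Python parser for the `sho cry ip sa` counters quoted above that flags a tunnel which decapsulates but never encapsulates. The second SA in the sample, the function names and the state labels are constructed for illustration; the labels are a heuristic, not PIX output.

```python
import re

# Constructed sample in the layout of the thread's 'sho cry ip sa' output.
# The first SA uses the counters posted above; the second SA (peer
# 203.0.113.9, a documentation address) is invented for contrast.
SAMPLE_OUTPUT = """\
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (TSC-INDY/255.255.224.0/0/0)
   current_peer: 207.250.51.66:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 31405, #pkts decrypt: 31405, #pkts verify 31405
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    ##pkts replay failed (rcv): 0
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
   current_peer: 203.0.113.9:500
    #pkts encaps: 812, #pkts encrypt: 812, #pkts digest 812
    #pkts decaps: 790, #pkts decrypt: 790, #pkts verify 790
    #pkts invalid prot (recv) 0, #pkts verify failed: 3
    ##pkts replay failed (rcv): 0
"""

IDENT = r"{}\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/"
COUNTERS = {
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "verify_failed": r"#pkts verify failed: (\d+)",
    "replay_failed": r"#pkts replay failed \(rcv\): (\d+)",
}


def parse_sas(text):
    """Split the output into one dict per SA (each starts at 'local ident')."""
    starts = [m.start() for m in re.finditer(r"^[ \t]*local\s+ident", text, re.M)]
    sas = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        block = text[begin:end]
        sa = {}
        for side in ("local", "remote"):
            m = re.search(IDENT.format(side), block)
            sa[side] = "/".join(m.groups()) if m else None
        m = re.search(r"current_peer: ([^\s:]+)", block)
        sa["peer"] = m.group(1) if m else None
        for key, pattern in COUNTERS.items():
            m = re.search(pattern, block)
            sa[key] = int(m.group(1)) if m else 0   # missing counter -> 0
        sas.append(sa)
    return sas


def diagnose(sa):
    """Return (state, notes) for one parsed SA."""
    notes = []
    if sa["verify_failed"] or sa["replay_failed"]:
        notes.append("authentication or replay failures: compare "
                     "transform-set and pre-shared key with the peer")
    enc, dec = sa["encaps"], sa["decaps"]
    if dec and not enc:
        # Peer traffic arrives and decrypts, but nothing from the inside LAN
        # is selected by the crypto map: check the crypto ACL and whether the
        # traffic is NAT-exempt (nat 0) before it reaches the crypto map.
        state = "receive-only"
    elif enc and not dec:
        state = "send-only"      # we encrypt, the peer never answers
    elif not enc and not dec:
        state = "idle"
    else:
        state = "two-way"
    return state, notes


if __name__ == "__main__":
    for sa in parse_sas(SAMPLE_OUTPUT):
        print(sa["peer"], sa["remote"], *diagnose(sa))
```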
promap

ASKER

Here's the current config:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname pix
domain-name x.com
clock timezone CST -6
clock summer-time CST recurring 2 Sat Apr 2:00 last Sat Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name x.x.x.x x
object-group network web_servers
  description Servers and workstations that host HTTP content
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network smtp_servers
  description Servers and workstations that process SMTP content
  network-object host x.x.x.x
object-group network vnc_servers
  description Servers and workstations that host VNC content
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network rdp_servers
  description Servers and workstations that require RDP communication
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network dns_servers
  description Servers and workstations that respond to DNS queries
  network-object host x.x.x.x
object-group network ping_responders
  description Servers and workstations that will respond to pings
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network time_servers
  description Servers and workstations that need NTP data
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group icmp-type icmp_traffic
  description Types of ICMP traffic to permit
  icmp-object echo-reply
  icmp-object source-quench
  icmp-object unreachable
  icmp-object time-exceeded
  icmp-object information-reply
  icmp-object mask-reply
  icmp-object parameter-problem
  icmp-object timestamp-reply
object-group network https_servers
  description Servers and workstations that host HTTPS content
  network-object host x.x.x.x
object-group network web_servers_real
  description Servers and workstations that host HTTP content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network https_servers_real
  description Servers and workstations that host HTTPS content
  network-object x.x.x.x 255.255.255.255
object-group network smtp_servers_real
  description Servers and workstations that process SMTP content
  network-object x.x.x.x 255.255.255.255
object-group network vnc_servers_real
  description Servers and workstations that host VNC content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network rdp_servers_real
  description Servers and workstations that require RDP communication
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network dns_servers_real
  description Servers and workstations that respond to DNS queries
  network-object x.x.x.x 255.255.255.255
object-group network time_servers_real
  description Servers and workstations that need NTP data
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network ping_responders_real
  description Servers and workstations that will respond to pings
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network web_servers_real1
  description Servers and workstations that host HTTP content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
access-list 100 permit tcp any object-group web_servers eq www
access-list 100 permit tcp any object-group https_servers eq https
access-list 100 permit tcp any object-group vnc_servers eq 5500
access-list 100 permit tcp any object-group rdp_servers eq 3389
access-list 100 permit udp any object-group dns_servers eq domain
access-list 100 permit icmp any any object-group icmp_traffic
access-list 100 permit icmp any object-group ping_responders echo
access-list 100 permit tcp any object-group smtp_servers eq smtp
access-list 100 permit tcp any object-group https_servers eq ftp
access-list 100 permit tcp any object-group https_servers eq ftp-data
access-list 100 permit udp any object-group time_servers eq ntp
access-list 100 permit tcp host x.x.x.x host x.x.x.x eq www
access-list 100 permit tcp any host x.x.x.x eq 5151
access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip interface inside x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any x.x.x.x 255.255.255.192
access-list x_splitTunnelAcl permit ip x.x.x.x 255.255.255.0 any
access-list pixtosw permit ip x.x.x.x 255.255.255.255 x 255.255.255.255
pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside x.x.x.x
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.128
ip address inside x.x.x.x 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name checkInfo info action alarm
ip audit name checkAttack attack action alarm
ip audit interface outside checkInfo
ip audit interface outside checkAttack
ip audit info action alarm
ip audit attack action alarm
ip local pool REMOTE x.x.x.x-x.x.x.x
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.192 outside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x 255.255.224.0 outside
pdm group web_servers_real inside
pdm group https_servers_real inside
pdm group smtp_servers_real inside
pdm group vnc_servers_real inside
pdm group rdp_servers_real inside
pdm group dns_servers_real inside
pdm group time_servers_real inside
pdm group ping_responders_real inside
pdm group https_servers outside reference https_servers_real
pdm group smtp_servers outside reference smtp_servers_real
pdm group rdp_servers outside reference rdp_servers_real
pdm group dns_servers outside reference dns_servers_real
pdm group time_servers outside reference time_servers_real
pdm group ping_responders outside reference ping_responders_real
pdm group web_servers_real1 inside
pdm group web_servers outside reference web_servers_real1
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x netmask 255.255.255.128
global (outside) 1 x.x.x.x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.209 source outside prefer
http server enable
http x.x.x.x 255.255.255.0 inside
snmp-server location Server Room
snmp-server contact x
snmp-server community x
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer x.x.x.x
crypto map tosonicwall 20 set transform-set ESP-3DES-SHA
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup x address-pool REMOTE
vpngroup x dns-server x.x.x.x x.x.x.x
vpngroup x default-domain x.com
vpngroup x split-tunnel x_splitTunnelAcl
vpngroup x idle-time 1800
vpngroup x password ********
telnet x.x.x.x 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:1893d6251ad5b005dd3770d76c65012f
: end
[OK]
Since you insist on masking out all of the IPs, both public and private, you are making this difficult.
Private IPs are private IPs and are not reachable. If you accidentally post something that you think should be masked, I can edit it out for you.

Check the subnet masks on this line. I'd bet that they should be 255.255.255.0 and 255.255.224.0, respectively

> access-list pixtosw permit ip x.x.x.x 255.255.255.255 x 255.255.255.255

should be
 access-list pixtosw permit ip 192.168.10.0 255.255.255.0 TSC-INDY 255.255.224.0

To match what you have posted here:
>  local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
>   remote ident (addr/mask/prot/port): (TSC-INDY/255.255.224.0/0/0)

You have to make sure that the mask for TSC-INDY, 255.255.224.0, does not encompass your local LAN subnet.

promap

ASKER

Sorry if I'm making it difficult.  I'm not sure how much information to give out without compromising any kind of security.  I tend to err on the side of paranoia before all else.

The actual access-list statement is:
access-list pixtosw permit ip 192.168.10.0 255.255.255.0 TSC-INDY 255.255.224.0

If I did the numbers right, 192.168.32.0 /19 should not encompass my local LAN (192.168.10.0 /24).  Right?
promap

ASKER

This might be a stupid question but looking back on this...don't I need to use an access-group command to actually apply the pixtosw access-list to an interface?   If so, how do I do that?  I'm reading in my PIX book that you can only have one ACL applied to an interface....if I change the ACL name to 100 instead of pixtosw would this all start working?
>don't I need to use an access-group command to actually apply the pixtosw access-list to an interface?
No. The single command  "sysopt connection permit-ipsec"
negates the need for access-lists applied to interfaces

How about saving the config with what you have, and reboot the darn thing? Power it off completely, let it sit for 2 full minutes and power it back up...

If TSC-INDY = 192.168.32.0 / 19 you should be OK.
promap

ASKER

Okay, I just powered it back up after a 2 minute off time.  Still can't get through to the remote site.  Any other ideas?
access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip interface inside x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any x.x.x.x 255.255.255.192

Do any of the above look like
  access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 TSC-INDY 255.255.224.0

promap

ASKER

Those 3 lines are:

access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.10.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.10.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.10.192 255.255.255.192

They are lines that the PDM generated when I had a remote VPN setup enabled.  Could I not replace all 3 of those with that single pixtosw access-list entry?
ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
promap

ASKER

It worked!!!!  I'm able to successfully ping and connect to shares on the remote site!!!  

Was it the nat statement?  Because the ACL inside_outbound_nat0_acl is exactly the same as ACL pixtosw.

If it is I'm going to change it so it's a nat statement against pixtosw because that name is a little bit more descriptive.  

I'm going to try it for a couple of days and if all goes well the points are yours.

Thanks!
Obviously, it was the nat statement.
Yes, the nat_0_acl is exactly the same as the pixtosw
I still advise changing it to use pixtosw. Two different processes using the same acl, and any future growth to a new VPN or vpn clients will be hazardous. Please leave it as is for now.

Wooo hoooo!!!
Glad you're working!
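
The outcome above is that the ACL behind `nat (inside) 0` has to match the same traffic as the crypto map's ACL. As an added example (not part of the original thread and not Cisco tooling), this Python check reads PIX 6.x-style lines and reports crypto ACL entries that are not NAT-exempt, or whose local and remote subnets overlap. The sample config is constructed from the addresses the asker unmasked in the thread, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the VPN-related lines as unmasked in the thread
# (TSC-INDY = 192.168.32.0/19), before the nat 0 ACL was corrected.
SAMPLE_CONFIG = """\
name 192.168.32.0 TSC-INDY
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.10.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.10.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.10.192 255.255.255.192
access-list pixtosw permit ip 192.168.10.0 255.255.255.0 TSC-INDY 255.255.224.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map tosonicwall 20 match address pixtosw
"""


def _take_net(tokens, names):
    """Consume one address spec from an ACL line; return (network, rest)."""
    head = tokens[0]
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "interface":          # 'interface inside' has no fixed subnet
        return None, tokens[2:]
    if head == "host":
        addr = names.get(tokens[1], tokens[1])
        return ipaddress.ip_network(addr + "/32"), tokens[2:]
    addr = names.get(head, head)     # resolve 'name' aliases such as TSC-INDY
    # PIX ACLs use netmasks (not wildcard masks), which ipaddress accepts.
    net = ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    names = {}
    for m in re.finditer(r"^name (\S+) (\S+)", config, re.M):
        names[m.group(2)] = m.group(1)
    acls = {}
    for m in re.finditer(r"^access-list (\S+) permit ip (.+)$", config, re.M):
        src, rest = _take_net(m.group(2).split(), names)
        dst, _ = _take_net(rest, names)
        if src is not None and dst is not None:
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def audit(config):
    """Return findings as (kind, acl_name, src, dst) tuples."""
    acls = parse_acls(config)
    # Every entry of every ACL referenced by a 'nat (...) 0 access-list'.
    exempt = []
    for m in re.finditer(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M):
        exempt += acls.get(m.group(1), [])
    findings = []
    crypto_acls = re.findall(
        r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    for acl in crypto_acls:
        for src, dst in acls.get(acl, []):
            # Remote range swallowing the local LAN breaks routing to it.
            if src.overlaps(dst):
                findings.append(("overlap", acl, str(src), str(dst)))
            # NAT runs before the crypto check: traffic that is not exempt
            # is translated and no longer matches the crypto ACL.
            if not any(src.subnet_of(s) and dst.subnet_of(d)
                       for s, d in exempt):
                findings.append(("not-nat-exempt", acl, str(src), str(dst)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```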
promap

ASKER

Well IP traffic gets across okay.  What if I wanted to connect to a server on the remote side?  I can map a drive by IP address, but not by NetBIOS name.  Is it possible to connect to NetBIOS shares on the remote site?

>Is it possible to connect to NetBIOS shares on the remote site?
Of course! But -- Netbios broadcasts are not going to cross the VPN, so you need a different method of resolving.
LMHOSTS is one way, WINS is the other way.
If everyone is on XP with Windows 2000 Active Directory, then DNS would take care of it

How Browsing a Wide Area Network Works:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q117633&

Problems seeing workgroups when connected to a router:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315978

How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/support/kb/articles/Q180/0/94.ASP 
promap

ASKER

I'm curious about your everyone on XP statement.

What I have is a domain at my local site and a domain at the remote site.  I want to join a computer in my local site to the domain in the remote site.  Computers on both ends are running XP and Server 2003 AD in the back.  Are you saying I can do this without LMHOSTS or WINS?  I've actually tried to join the remote domain using their domain DNS name and it says it can't find a domain controller.
>I want to join a computer in my local site to the domain in the remote site.
Use the link above to create a LMHOSTS file for Domain Validation.

Unless the two domains share DNS like children in a forest, then you won't be able to join the remote domain.

As long as you have complete IP connectivity, we need to close out this Q and start a new thread for domain validation/name resolution across a VPN tunnel. This helps keep the database clean with single problem/solution sets, and also the rule to not 'camp on' additional questions on top of the original.

Thanks!


promap

ASKER

I actually got it to join the domain through DNS monkeying so I'll go ahead and close this out and it looks like I solved my other problem.  Thanks for all the help!!
Awesome! Glad you're up and running!

Hope to see you back around with some more questions, or even answering some!