?
Solved

PIX 506e to SonicWall 4060 Site to Site VPN

Posted on 2005-05-13
25
Medium Priority
?
620 Views
Last Modified: 2013-11-16
I'm trying to create a site-to-site VPN tunnel between my PIX 506e and a remote SonicWall 4060.  I've run through Cisco's VPN wizard and it appears to successfully be talking to the SonicWall but no traffic can flow between them.  I say it appears to be working because I start seeing IKE tunnels show up when I look in the PDM (web interface), but the tunnels continue to be created and no traffic comes through.  At one point I had 600+ IKE tunnels sitting in a QM_IDLE state but no traffic flowing.

We've contacted SonicWall and they say the SonicWall is configured correctly, but they can't support 3rd party products.  They pointed me to a document that explains how to have a PIX talk to a SonicWall, but no luck with that.

Any ideas?  Let me know if you need to see the PIX configuration if that helps.

Thanks
0
Comment
Question by:promap
  • 13
  • 12
25 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 14002243
Do you have PFS enabled on the Sonicwall, and not on the PIX?
You can post your PIX config if you want...
Can you also post a link to the document for the configurations?
0
 

Author Comment

by:promap
ID: 14003200
PFS is not enabled on either end.  The SonicWall documentation is here: http://www.sonicwall.com/support/pdfs/vpn_interop/SonicWALL_VPN_with_Cisco_PIX_using_IKE_6_4_2.pdf

Using the Cisco VPN wizard generates all the commands that SonicWall is telling me to use.

Here's my PIX config:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname pix
domain-name x.com
clock timezone CST -6
clock summer-time CST recurring 2 Sat Apr 2:00 last Sat Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name x.x.x.x x
object-group network web_servers
  description Servers and workstations that host HTTP content
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network smtp_servers
  description Servers and workstations that process SMTP content
  network-object host x.x.x.x
object-group network vnc_servers
  description Servers and workstations that host VNC content
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network rdp_servers
  description Servers and workstations that require RDP communication
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network dns_servers
  description Servers and workstations that respond to DNS queries
  network-object host x.x.x.x
object-group network ping_responders
  description Servers and workstations that will respond to pings
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network time_servers
  description Servers and workstations that need NTP data
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group icmp-type icmp_traffic
  description Types of ICMP traffic to permit
  icmp-object echo-reply
  icmp-object source-quench
  icmp-object unreachable
  icmp-object time-exceeded
  icmp-object information-reply
  icmp-object mask-reply
  icmp-object parameter-problem
  icmp-object timestamp-reply
object-group network https_servers
  description Servers and workstations that host HTTPS content
  network-object host x.x.x.x
object-group network web_servers_real
  description Servers and workstations that host HTTP content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network https_servers_real
  description Servers and workstations that host HTTPS content
  network-object x.x.x.x 255.255.255.255
object-group network smtp_servers_real
  description Servers and workstations that process SMTP content
  network-object x.x.x.x 255.255.255.255
object-group network vnc_servers_real
  description Servers and workstations that host VNC content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network rdp_servers_real
  description Servers and workstations that require RDP communication
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network dns_servers_real
  description Servers and workstations that respond to DNS queries
  network-object x.x.x.x 255.255.255.255
object-group network time_servers_real
  description Servers and workstations that need NTP data
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network ping_responders_real
  description Servers and workstations that will respond to pings
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network web_servers_real1
  description Servers and workstations that host HTTP content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
access-list 100 permit tcp any object-group web_servers eq www
access-list 100 permit tcp any object-group https_servers eq https
access-list 100 permit tcp any object-group vnc_servers eq 5500
access-list 100 permit tcp any object-group rdp_servers eq 3389
access-list 100 permit udp any object-group dns_servers eq domain
access-list 100 permit icmp any any object-group icmp_traffic
access-list 100 permit icmp any object-group ping_responders echo
access-list 100 permit tcp any object-group smtp_servers eq smtp
access-list 100 permit tcp any object-group https_servers eq ftp
access-list 100 permit tcp any object-group https_servers eq ftp-data
access-list 100 permit udp any object-group time_servers eq ntp
access-list 100 permit tcp host x.x.x.x host x.x.x.x eq www
access-list 100 permit tcp any host x.x.x.x eq 5151
access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip interface inside x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any x.x.x.x 255.255.255.192
access-list x_splitTunnelAcl permit ip x.x.x.x 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside x.x.x.x
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.128
ip address inside x.x.x.x 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name checkInfo info action alarm
ip audit name checkAttack attack action alarm
ip audit interface outside checkInfo
ip audit interface outside checkAttack
ip audit info action alarm
ip audit attack action alarm
ip local pool REMOTE x.x.x.x-x.x.x.x
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.192 outside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x 255.255.224.0 outside
pdm group web_servers_real inside
pdm group https_servers_real inside
pdm group smtp_servers_real inside
pdm group vnc_servers_real inside
pdm group rdp_servers_real inside
pdm group dns_servers_real inside
pdm group time_servers_real inside
pdm group ping_responders_real inside
pdm group https_servers outside reference https_servers_real
pdm group smtp_servers outside reference smtp_servers_real
pdm group rdp_servers outside reference rdp_servers_real
pdm group dns_servers outside reference dns_servers_real
pdm group time_servers outside reference time_servers_real
pdm group ping_responders outside reference ping_responders_real
pdm group web_servers_real1 inside
pdm group web_servers outside reference web_servers_real1
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x netmask 255.255.255.128
global (outside) 1 x.x.x.x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.209 source outside prefer
http server enable
http x.x.x.x 255.255.255.0 inside
snmp-server location Server Room
snmp-server contact x
snmp-server community x
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
isakmp enable outside
isakmp nat-traversal 20
vpngroup x address-pool REMOTE
vpngroup x dns-server x.x.x.x x.x.x.x
vpngroup x default-domain x.com
vpngroup x split-tunnel x_splitTunnelAcl
vpngroup x idle-time 1800
vpngroup x password ********
telnet x.x.x.x 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:1893d6251ad5b005dd3770d76c65012f
: end
[OK]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14003354
Assuming that this line represents your internal LAN -> remote subnet behind the Sonicwall
>access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.192
All you need is the single line
  access-list inside_outbound_nat0_acl permit ip <local subnet> <mask> <remote subnet> <mask>

You do not need these two lines at all:
>access-list inside_outbound_nat0_acl permit ip interface inside x.x.x.x 255.255.255.192
>access-list inside_outbound_nat0_acl permit ip any x.x.x.x 255.255.255.192

You do not have a crypto map or isakmp at all.. Using the examples in the document, you need to add the following to the PIX:

access-list pixtosw permit ip <local subnet> <mask> <remote subnet> <mask>
crypto ipsec security-association lifetime seconds 28800
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer <public IP of Sonicwall>
crypto map tosonicwall 20 set transform-set ESP-3DES-SHA
crypto map tosonicwall interface outside
isakmp key <secretkey> address <public IP of Sonicwall> netmask 255.255.255.255
isakmp identiy address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
isakmp enable outside

Once you have added those commands, you can check to see if the tunnel is up using
pix#sho cry is sa
Looking for QM_IDLE state with remote peer IP of the Sonicwall
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 

Author Comment

by:promap
ID: 14010858
Seems to be connected, but right now it has 4 SAs with QM_IDLE state.  This is a lot better than before when it would open 700 connections, but I'm curious why it needs more than 1 SA.  

Also, I can't ping anything on the remote subnet.  Should I remove those access-list entries (inside_outbound_nat0_acl)?  I think those are from when I used the wizard in PDM to create a remote access VPN setup (for my laptop users).

Thanks
0
 

Author Comment

by:promap
ID: 14014406
Just an update, but I now have 80 SAs sitting in a QM_IDLE state.  Shouldn't there only be 1 between the sites?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14015295
>Shouldn't there only be 1 between the sites?
Yes. Only one

>Should I remove those access-list entries (inside_outbound_nat0_acl)?  
No. These are absolutely necessary.

I will assume that the PIX is your default gateway on the local LAN?
Can I also assume that the Sonicwall is the default gateway on the remote side?
Can you post result of
sho cry ip sa, at least the first part that identifies local/remote networks and counters for encap/decaps/errors

0
 

Author Comment

by:promap
ID: 14015595
Doesn't the pixtosw access-list take care of everything necessary for this tunnel?

PIX is default gateway at local site and Sonicwall is default gateway at remote side.

Here's the counters:

Details for 192.168.10.0/255.255.255.0/0/0 TSC-INDY/255.255.224.0/0/0 at Mon May 16 20:56:53 CDT 2005

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (TSC-INDY/255.255.224.0/0/0)
   current_peer: 207.250.51.66:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 31405, #pkts decrypt: 31405, #pkts verify 31405
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
     local crypto endpt.: 216.81.173.123, remote crypto endpt.: 207.250.51.66
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: ac4f053e
     inbound esp sas:
      spi: 0xc3463404(3276157956)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: tosonicwall
        sa timing: remaining key lifetime (k/sec): (4607996/28712)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xac4f053e(2890859838)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: tosonicwall
        sa timing: remaining key lifetime (k/sec): (4608000/28727)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14015631
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
 >   #pkts decaps: 31405, #pkts decrypt: 31405, #pkts verify 31405
Lots of decaps, no encaps.

Can you post your new PIX config? Do you still have this?
  nat (inside) 0 access-list inside_outbound_nat0_acl
0
 

Author Comment

by:promap
ID: 14015846
Here's the current config:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname pix
domain-name x.com
clock timezone CST -6
clock summer-time CST recurring 2 Sat Apr 2:00 last Sat Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name x.x.x.x x
object-group network web_servers
  description Servers and workstations that host HTTP content
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network smtp_servers
  description Servers and workstations that process SMTP content
  network-object host x.x.x.x
object-group network vnc_servers
  description Servers and workstations that host VNC content
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network rdp_servers
  description Servers and workstations that require RDP communication
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network dns_servers
  description Servers and workstations that respond to DNS queries
  network-object host x.x.x.x
object-group network ping_responders
  description Servers and workstations that will respond to pings
  network-object host x.x.x.x
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network time_servers
  description Servers and workstations that need NTP data
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group icmp-type icmp_traffic
  description Types of ICMP traffic to permit
  icmp-object echo-reply
  icmp-object source-quench
  icmp-object unreachable
  icmp-object time-exceeded
  icmp-object information-reply
  icmp-object mask-reply
  icmp-object parameter-problem
  icmp-object timestamp-reply
object-group network https_servers
  description Servers and workstations that host HTTPS content
  network-object host x.x.x.x
object-group network web_servers_real
  description Servers and workstations that host HTTP content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network https_servers_real
  description Servers and workstations that host HTTPS content
  network-object x.x.x.x 255.255.255.255
object-group network smtp_servers_real
  description Servers and workstations that process SMTP content
  network-object x.x.x.x 255.255.255.255
object-group network vnc_servers_real
  description Servers and workstations that host VNC content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network rdp_servers_real
  description Servers and workstations that require RDP communication
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network dns_servers_real
  description Servers and workstations that respond to DNS queries
  network-object x.x.x.x 255.255.255.255
object-group network time_servers_real
  description Servers and workstations that need NTP data
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network ping_responders_real
  description Servers and workstations that will respond to pings
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
object-group network web_servers_real1
  description Servers and workstations that host HTTP content
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
  network-object x.x.x.x 255.255.255.255
access-list 100 permit tcp any object-group web_servers eq www
access-list 100 permit tcp any object-group https_servers eq https
access-list 100 permit tcp any object-group vnc_servers eq 5500
access-list 100 permit tcp any object-group rdp_servers eq 3389
access-list 100 permit udp any object-group dns_servers eq domain
access-list 100 permit icmp any any object-group icmp_traffic
access-list 100 permit icmp any object-group ping_responders echo
access-list 100 permit tcp any object-group smtp_servers eq smtp
access-list 100 permit tcp any object-group https_servers eq ftp
access-list 100 permit tcp any object-group https_servers eq ftp-data
access-list 100 permit udp any object-group time_servers eq ntp
access-list 100 permit tcp host x.x.x.x host x.x.x.x eq www
access-list 100 permit tcp any host x.x.x.x eq 5151
access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip interface inside x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any x.x.x.x 255.255.255.192
access-list x_splitTunnelAcl permit ip x.x.x.x 255.255.255.0 any
access-list pixtosw permit ip x.x.x.x 255.255.255.255 x 255.255.255.255
pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside x.x.x.x
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.128
ip address inside x.x.x.x 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name checkInfo info action alarm
ip audit name checkAttack attack action alarm
ip audit interface outside checkInfo
ip audit interface outside checkAttack
ip audit info action alarm
ip audit attack action alarm
ip local pool REMOTE x.x.x.x-x.x.x.x
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.192 outside
pdm location x.x.x.x 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x 255.255.224.0 outside
pdm group web_servers_real inside
pdm group https_servers_real inside
pdm group smtp_servers_real inside
pdm group vnc_servers_real inside
pdm group rdp_servers_real inside
pdm group dns_servers_real inside
pdm group time_servers_real inside
pdm group ping_responders_real inside
pdm group https_servers outside reference https_servers_real
pdm group smtp_servers outside reference smtp_servers_real
pdm group rdp_servers outside reference rdp_servers_real
pdm group dns_servers outside reference dns_servers_real
pdm group time_servers outside reference time_servers_real
pdm group ping_responders outside reference ping_responders_real
pdm group web_servers_real1 inside
pdm group web_servers outside reference web_servers_real1
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x netmask 255.255.255.128
global (outside) 1 x.x.x.x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.209 source outside prefer
http server enable
http x.x.x.x 255.255.255.0 inside
snmp-server location Server Room
snmp-server contact x
snmp-server community x
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer x.x.x.x
crypto map tosonicwall 20 set transform-set ESP-3DES-SHA
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup x address-pool REMOTE
vpngroup x dns-server x.x.x.x x.x.x.x
vpngroup x default-domain x.com
vpngroup x split-tunnel x_splitTunnelAcl
vpngroup x idle-time 1800
vpngroup x password ********
telnet x.x.x.x 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:1893d6251ad5b005dd3770d76c65012f
: end
[OK]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14017448
Since you insist on masking out all of the ips' both public and private, you are making this difficult.
Private IP's are Private IP's and are not reachable. If you accidently post something that you think should be masked, I can edit it out for you.

Check the subnet masks on this line. I'd bet that they should be 255.255.255.0 and 255.255.224.0, respectively

> access-list pixtosw permit ip x.x.x.x 255.255.255.255 x 255.255.255.255

should be
 access-list pixtosw permit ip 192.168.10.0 255.255.255.0 TSC-INDY 255.255.224.0

To match what you have posted here:
>  local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
>   remote ident (addr/mask/prot/port): (TSC-INDY/255.255.224.0/0/0)

You have to make sure that the mask for TSC-INDY, 255.255.224.0 does not encompas your local LAN subnet

0
 

Author Comment

by:promap
ID: 14018268
Sorry if I'm making it difficult.  I'm not sure how much information to give out without compromising any kind of security.  I tend to err on the side of paranoia before all else.

The actual access-list statement is:
access-list pixtosw permit ip 192.168.10.0 255.255.255.0 TSC-INDY 255.255.224.0

If I did the numbers right, 192.168.32.0 /19 should not encompass my local LAN (192.168.10.0 /24).  Right?
0
 

Author Comment

by:promap
ID: 14018575
This might be a stupid question but looking back on this...don't I need to use an access-group command to actually apply the pixtosw access-list to an interface?   If so, how do I do that?  I'm reading in my PIX book that you can only have one ACL applied to an interface....if I change the ACL name to 100 instead of pixtosw would this all start working?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14019328
>don't I need to use an access-group command to actually apply the pixtosw access-list to an interface?
No. The single command  "sysopt connection permit-ipsec"
negates the need for access-lists applied to interfaces

How about saving the config with what you have, and reboot the darn thing? Power it off completely, let it sit for 2 full minutes and power it back up...

If TSC-INDY = 192.168.32.0 / 19 you should be OK.
0
 

Author Comment

by:promap
ID: 14022998
Okay, I just powered it back up after a 2 minute off time.  Still can't get through to the remote site.  Any other ideas?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14023018
access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip interface inside x.x.x.x 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any x.x.x.x 255.255.255.192

Do any of the above look like
  access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 TSC-INDY 255.255.224.0

0
 

Author Comment

by:promap
ID: 14023512
Those 3 lines are:

access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.10.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.10.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.10.192 255.255.255.192

They are lines that the PDM generated when I had a remote VPN setup enabled.  Could I not replace all 3 of those with that single pixtosw access-list entry?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 14023550
Let's do this. I advise against using the same acl for two different processes..

no access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.32.0 255.255.224.0
nat (inside) 0 access-list inside_outbound_nat0_acl
0
 

Author Comment

by:promap
ID: 14023651
It worked!!!!  I'm able to successfully ping and connect to shares on the remote site!!!  

Was it the nat statement?  Because the ACL inside_outbound_nat0_acl is exactly the same as ACL pixtosw.

If it is I'm going to change it so it's a nat statement against pixtosw because that name is a little bit more descriptive.  

I'm going to try it for a couple of days and if all goes well the points are yours.

Thanks!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14023880
Obviously, it was the nat statement.
Yes, the nat_0_acl is exactly the same as the pixtosw
I still advise changing it to use pixtosw. Two different processes using the same acl, and any future growth to a new VPN or vpn clients will be hazardous. Please leave it as is for now.

Wooo hoooo!!!
Glad you're working!
0
 

Author Comment

by:promap
ID: 14028114
Well IP traffic gets across okay.  What if I wanted to connect to a server on the remote side?  I can map a drive by IP address, but not by NetBIOS name.  Is it possible to connect to NetBIOS shares on the remote site?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14028208
>Is it possible to connect to NetBIOS shares on the remote site?
Of course! But -- Netbios broadcasts are not going to cross the VPN, so you need a different method of resolving.
LHMOSTS is one way, WINS is the other way.
If everyone is on XP with Windows 2000 Active Directory, then DNS would take care of it

How Browsing a Wide Area Network Works:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q117633&

Problems seeing workgroups when connected to a router:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315978

How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/support/kb/articles/Q180/0/94.ASP 
0
 

Author Comment

by:promap
ID: 14030433
I'm curious about your everyone on XP statement.

What I have is a domain at my local site and a domain at the remote site.  I want to join a computer in my local site to the domain in the remote site.  Computers on both ends are running XP and Server 2003 AD in the back.  Are you saying I can do this without LMHOSTS or WINS?  I've actually tried to join the remote domain using their domain DNS name and it says it can't find a domain controller.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14031555
>I want to join a computer in my local site to the domain in the remote site.
Use the link above to create a LMHOSTS file for Domain Validation.

Unless the two domains share DNS like children in a forest, then you won't be able to join the remote domain.

As long as you have complete IP connectivity, we need to close out this Q and start a new thread for domain validation/name resolution accross a VPN tunnel. This helps keep the database clean with single problem/solution sets, and also the rule to not 'camp on' additional questions on top of the original.

Thanks!


0
 

Author Comment

by:promap
ID: 14031660
I actually got it to join the domain through DNS monkeying so I'll go ahead and close this out and it looks like I solved my other problem.  Thanks for all the help!!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14031674
Awesome! Glad you're up and running!

Hope to see you back around with some more questions, or even answering some!
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question