Cisco PIX to SonicWALL

jmccolley asked:

I have created a site-to-site VPN following instructions found on the Cisco and SonicWALL websites to connect a Cisco PIX 515e to a SonicWALL TZ170.  The tunnel is up, but I cannot pass traffic across the link.  I can ping the public address of the SonicWALL from the Cisco and vice-versa.  But I cannot ping the private addresses of either side.  Do I need to set up some static routing?

Site A - Cisco - private addresses 10.10.61.1-10.10.61.254
Site B - SonicWALL - private addresses 192.168.1.1-192.168.1.254

I have never done a Cisco to SonicWALL VPN.  I have done many SonicWALL site-to-site VPNs and have not had to configure any routing.

Any help would be greatly appreciated.  I need to get this running ASAP.

Thanks!
Les Moore replied:

You cannot ping the private interface of either end.
You should be able to ping from 10.10.6.x client to 192.168.1.x client
Can you post the result of "show cry is sa" and "show cry ip sa"
jmccolley (asker) replied:

I'm sorry, I wasn't more clear.  I have tried to ping from client to client and cannot.  I will be at the site tomorrow and I will post the results of "show cry is sa" and "show cry ip sa".  Thanks.

jmccolley:

Here is the info lmoore asked for:

# show cry is sa

dst                      src                    state        pending       created
63.145.xxx.xxx      71.165.xxx.xxx   QM_IDLE      0                  1
 
# show cry ip sa

interface: outside
    Crypto map tag: tosonicwall, local addr. 63.145.xxx.xxx

   local  ident (addr/mask/prot/port): (10.10.61.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 71.165.xxx.xxx:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 105, #pkts decrypt: 105, #pkts verify 105
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 63.145.xxx.xxx, remote crypto endpt.: 71.165.xxx.xxx
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: ff5bb19a

     inbound esp sas:
      spi: 0xc5e486ce(3320088270)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: tosonicwall
        sa timing: remaining key lifetime (k/sec): (4607999/2767)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xff5bb19a(4284199322)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: tosonicwall
        sa timing: remaining key lifetime (k/sec): (4608000/2749)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

Les Moore:

>63.145.xxx.xxx      71.165.xxx.xxx   QM_IDLE
QM_IDLE means tunnel is established, waiting to pass traffic

> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
>  #pkts decaps: 105, #pkts decrypt: 105, #pkts verify 1

Packets decrypted means they're coming from the other side. 0 encaps means you may have a routing issue internally.
Where do packets to 192.168.1.x get routed from a host? Is the PIX the default gateway?

These two lines validate your crypto match ACL:
   local  ident (addr/mask/prot/port): (10.10.61.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
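
The counters Les is reading in the reply above are the quickest tunnel diagnostic on a PIX, and the same pattern recurs often enough to be worth automating. The following parser is an added example, not code from the thread or from Cisco: it takes the text of `show crypto ipsec sa` (a constructed sample modelled on the output posted above, with the public addresses replaced by RFC 5737 documentation ranges), extracts the identity proxies, the peer and the encaps/decaps counters, and classifies the SA as no-traffic, inbound-only, outbound-only or bidirectional. The hint text attached to each verdict is my summary of the reasoning in the reply (zero encaps with non-zero decaps means the PIX never selects local traffic for the tunnel, so the problem is inside routing, the inside ACL or the nat 0 exemption, not IKE); the function names are mine.

```python
import re

# Constructed sample modelled on the "show cry ip sa" output posted above;
# public addresses replaced with RFC 5737 documentation ranges.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: tosonicwall, local addr. 198.51.100.10

   local  ident (addr/mask/prot/port): (10.10.61.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 203.0.113.20:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 105, #pkts decrypt: 105, #pkts verify 105
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+):(\d+)")

# What each traffic pattern usually means on the PIX side (my summary of the
# reasoning in the reply above, not Cisco documentation text).
HINTS = {
    "no-traffic": "Nothing selected in either direction: check that hosts use the PIX as "
                  "gateway and that the crypto ACL matches the traffic you are testing.",
    "inbound-only": "Peer sends and we decrypt, but nothing local is selected for encryption: "
                    "check inside routing, the inside interface ACL and the nat 0 exemption.",
    "outbound-only": "We encrypt but receive nothing: the far end is dropping or misrouting "
                     "the return traffic, or its phase 2 selectors do not mirror ours.",
    "bidirectional": "Both counters increment; if hosts still cannot talk, look at host "
                     "firewalls or host routes rather than at the tunnel.",
}


def parse_ipsec_sa(text):
    """Pull the identity proxies, peer and packet counters out of one SA block."""
    info = {"counters": {}, "errors": {}}
    for m in IDENT_RE.finditer(text):
        side, addr, mask, prot, port = m.groups()
        info[side] = {"addr": addr, "mask": mask, "prot": int(prot), "port": int(port)}
    for m in COUNTER_RE.finditer(text):
        info["counters"][m.group(1)] = int(m.group(2))
    for m in ERROR_RE.finditer(text):
        info["errors"][m.group(1)] = int(m.group(2))
    peer = PEER_RE.search(text)
    if peer:
        info["peer"] = peer.group(1)
    return info


def classify(info):
    """Classify the SA by which direction actually carries packets."""
    c = info["counters"]
    enc, dec = c.get("encaps", 0), c.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "no-traffic"
    if enc == 0:
        return "inbound-only"
    if dec == 0:
        return "outbound-only"
    return "bidirectional"


def report(text):
    """Return human-readable lines: selectors, peer, verdict and the matching hint."""
    info = parse_ipsec_sa(text)
    verdict = classify(info)
    lines = []
    if "local" in info and "remote" in info:
        lines.append(f"selectors: {info['local']['addr']}/{info['local']['mask']} <-> "
                     f"{info['remote']['addr']}/{info['remote']['mask']}")
    if "peer" in info:
        lines.append(f"peer: {info['peer']}")
    lines.append(f"verdict: {verdict}")
    lines.append(f"hint: {HINTS[verdict]}")
    if info["errors"].get("send") or info["errors"].get("recv"):
        lines.append(f"errors: {info['errors']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SA)))
```

Run it against the real output by pasting the SA block into a file and passing its contents to `report()`; on the posted counters it reports `inbound-only`, which is exactly the case where the far end is fine and the local side needs attention.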

jmccolley:

I have not set up any routing for this new VPN connection.  I just followed some instructions on how to create a VPN between a Cisco PIX and a SonicWALL TZ170.

The PIX private address is 10.10.61.252.  This is the default gateway address used for hosts and PC's at site A.

The SonicWALL private address is 192.168.1.1 and it is the default gateway for all PC's at site B.
Les Moore:

Do you have a nat_0 acl?
access-list nonat permit 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
jmccolley:

I have this:

access-list pixtosw permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list pixtosw
Les Moore:

Can you post the result of sho access-list
Can you also post the result of sho route
jmccolley:

Unfortunately, I am not onsite right now.  I do have a printout of show configuration from earlier today and here are the access-list entries:

access-list inside_access_out permit tcp host 10.10.61.232 any eq smtp
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq www
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq https
access-list inside_access_out permit tcp host 10.10.61.232 any eq pop3
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq ftp
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq ftp-data
access-list inside_access_out permit udp any any eq domain
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq telnet
access-list inside_access_out permit tcp any any eq 3306
access-list outside_access_in permit tcp any host 63.145.xxx.xxx eq smtp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any host 63.145.xxx.xxx eq pop3
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ftp-data
access-list pixtosw permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
Les Moore:

I'm looking for hit counters on the 2 ACLs pixtosw and the crypto match ACL.
Also looking to make sure that you don't have any other route to 192.168.1.0 that points someplace else.
Also can you verify that you have this command in the pix:
 sysopt connection permit-ipsec

Else, if you want to post the complete config up on www.ee-stuff.com that might help..

jmccolley:

I only have a printout, so I would have to re-type everything!  I will be onsite again tomorrow, though.

I do have the command sysopt connection permit-ipsec

I tried to login to www.ee-stuff.com and am getting an error there.  Will keep trying.

I found a command that seems to tell me there is a potential problem:

route outside 0.0.0.0 0.0.0.0 63.145.xxx.xxx 1

The x'ed out portion of this address is not the PIX address that I have been xxx'ing out in the previous posts.

It seems to tell me that all traffic out of the PIX is being routed to this other address???
Duh!!!  That address would be the upstream default for the PIX!!!

But, is that causing a problem?
The site with the PIX also uses Websense to filter http, https, and ftp traffic, but I don't think it would be causing any problems.
Les Moore:

Your inside_access_out ACL does not look like it allows ICMP or any traffic to 192.168.1.0
 try adding

access-list inside_access_out permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0

jmccolley:

Ok.  I added the ACL and now I can ping from the 10.10.61.0 network to the 192.168.1.0 network.  However, I cannot ping from the 192.168.1.0 net to the 10.10.61.0 net.
I added an acl like this hoping it would allow me to ping, but it still is not working.

access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 10.10.61.0 255.255.255.0

any other ideas?

Thanks,
Jack
Les Moore:

One-way ping? This is progress, no?

>I do have the command sysopt connection permit-ipsec
This bypasses all inbound acls, so nothing in the outside_access_in acl matters

Their end could be blocking ICMP echo, but allowing echo-replies. Very commonly seen.


jmccolley:

Well, actually it seems that I can only ping one of the two PCs at site B (192.168.1.0 net) and I cannot ping any IPs at site A.  I have tried making a telnet connection from the 192.168.1.0 net to 10.10.61.1 and I do not connect.
Les Moore:

How about posting a complete config. Perhaps there is something we're overlooking.
I can edit anything out that you don't want left up here.
jmccolley:

Ok, here you go!  Thanks!

# show configure
: Saved
: Written by enable_15 at 10:44:21.173 UTC Fri Nov 3 2006
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Firewall515E
domain-name paradise
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol rtsp 3306
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.10.61.232 webserver
name 10.10.61.245 Phone_Room_PC
name 192.168.1.0 UCPCenter
name XX.XX.227.81 UCPCenterTelnet
access-list inside_access_out permit tcp host 10.10.61.232 any eq smtp
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq www
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq https
access-list inside_access_out permit tcp host 10.10.61.232 any eq pop3
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq ftp
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq ftp-data
access-list inside_access_out permit udp any any eq domain
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq telnet
access-list inside_access_out permit tcp any any eq 3306
access-list inside_access_out permit tcp host 10.10.61.30 any eq 3464
access-list inside_access_out permit tcp host 10.10.61.245 host 71.165.xxx.xxx
access-list inside_access_out permit tcp any any eq 32000
access-list inside_access_out permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit tcp any host 63.145.xxx.xxx eq smtp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any host 63.145.xxx.xxx eq pop3
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp host 71.165.xxx.xxx any
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 10.10.61.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.10.61.20 255.255.255.252
access-list outside_cryptomap_dyn_20 permit ip any 10.10.61.20 255.255.255.252
access-list pixtosw permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24
logging buffered debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.179.242 255.255.255.240
ip address inside 10.10.61.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip local pool VPNAddressPool 10.10.61.20-10.10.61.22
pdm location XX.XX.49.66 255.255.255.255 outside
pdm location 10.10.61.255 255.255.255.255 inside
pdm location 255.255.255.0 255.255.255.255 inside
pdm location 255.255.255.255 255.255.255.255 inside
pdm location 255.255.255.255 255.255.255.255 outside
pdm location 10.10.61.255 255.255.255.255 outside
pdm location 10.10.61.232 255.255.255.255 inside
pdm location 10.10.61.233 255.255.255.255 inside
pdm location 10.10.61.20 255.255.255.252 outside
pdm location 10.10.61.30 255.255.255.255 inside
pdm location XX.XX.29.0 255.255.255.192 outside
pdm location 10.10.61.245 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location XX.XX.227.0 255.255.255.0 outside
pdm location XX.XX.227.81 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list pixtosw
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 63.145.xxx.xxx 10.10.61.232 dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 63.145.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.10.61.232 timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http XX.XX.49.66 255.255.255.255 outside
http 10.10.61.0 255.255.255.0 inside
snmp-server location Server Room
snmp-server contact William Johnson
snmp-server community private
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set strongsha esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer XX.XX.227.81
crypto map tosonicwall 20 set transform-set strongsha
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address XX.XX.227.81 netmask 255.255.255.0
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet XX.XX.227.81 255.255.255.0 outside
telnet 10.10.61.0 255.255.255.0 inside
telnet timeout 5
ssh 200.9.xxx.xxx 255.255.255.255 outside
ssh timeout 60
console timeout 0
vpdn group L2TP-VPDN-GROUP accept dialin l2tp
vpdn group L2TP-VPDN-GROUP ppp authentication mschap
vpdn group L2TP-VPDN-GROUP client configuration address local VPNAddressPool
vpdn group L2TP-VPDN-GROUP client configuration dns 10.10.61.230 10.10.61.232
vpdn group L2TP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60
vpdn username admin password ********
vpdn enable outside
terminal width 80
Cryptochecksum:17a44de77e57f79b9bb3bfb844219930
Firewall515E(config)#
Here is the show route output

Firewall515E(config)# show route
        outside 0.0.0.0 0.0.0.0 63.145.xxx.xxx 1 OTHER static
        inside 10.10.61.0 255.255.255.0 10.10.61.252 1 CONNECT static
        outside 63.145.xxx.xxx 255.255.255.240 63.145.xxx.xxx 1 CONNECT static
Firewall515E(config)#
Here is the show access-list output

Firewall515E(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_access_out; 13 elements
access-list inside_access_out line 1 permit tcp host 10.10.61.232 any eq smtp (hitcnt=18629)
access-list inside_access_out line 2 permit tcp 10.10.61.0 255.255.255.0 any eq www (hitcnt=4290385)
access-list inside_access_out line 3 permit tcp 10.10.61.0 255.255.255.0 any eq https (hitcnt=688658)
access-list inside_access_out line 4 permit tcp host 10.10.61.232 any eq pop3 (hitcnt=0)
access-list inside_access_out line 5 permit tcp 10.10.61.0 255.255.255.0 any eq ftp (hitcnt=163336)
access-list inside_access_out line 6 permit tcp 10.10.61.0 255.255.255.0 any eq ftp-data (hitcnt=0)
access-list inside_access_out line 7 permit udp any any eq domain (hitcnt=891014)
access-list inside_access_out line 8 permit tcp 10.10.61.0 255.255.255.0 any eq telnet (hitcnt=66)
access-list inside_access_out line 9 permit tcp any any eq 3306 (hitcnt=37)
access-list inside_access_out line 10 permit tcp host 10.10.61.30 any eq 3464 (hitcnt=719)
access-list inside_access_out line 11 permit tcp host 10.10.61.245 host XX.X.227.81 (hitcnt=0)
access-list inside_access_out line 12 permit tcp any any eq 32000 (hitcnt=54)
access-list inside_access_out line 13 permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=65)
access-list outside_access_in; 9 elements
access-list outside_access_in line 1 permit tcp any host XX.XX.179.243 eq smtp (hitcnt=104731)
access-list outside_access_in line 2 permit tcp any any eq www (hitcnt=627)
access-list outside_access_in line 3 permit tcp any any eq https (hitcnt=27)
access-list outside_access_in line 4 permit tcp any host XX.XX.179.243 eq pop3 (hitcnt=58121)
access-list outside_access_in line 5 permit tcp any any eq ftp (hitcnt=81)
access-list outside_access_in line 6 permit tcp any any eq ftp-data (hitcnt=0)
access-list outside_access_in line 7 remark Remote access for PRISM Networks
access-list outside_access_in line 8 permit tcp XX.XX.29.0 255.255.255.192 any (hitcnt=0)
access-list outside_access_in line 9 permit tcp host XX.XX.227.81 any (hitcnt=0)
access-list outside_access_in line 10 permit ip 192.168.1.0 255.255.255.0 10.10.61.0 255.255.255.0 (hitcnt=0)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 10.10.61.20 255.255.255.252 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.61.20 255.255.255.252 (hitcnt=0)
access-list pixtosw; 1 elements
access-list pixtosw line 1 permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=444)
Firewall515E(config)#

Please remove anything with public addresses from posting.

Thanks!
Les Moore:

All critical components on PIX are now present and accounted for:

 >access-list inside_access_out permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
 >access-list pixtosw permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
 >nat (inside) 0 access-list pixtosw
 >sysopt connection permit-ipsec
 >crypto map tosonicwall 20 match address pixtosw
 >crypto map tosonicwall 20 set peer XX.XX.227.81
 >crypto map tosonicwall 20 set transform-set strongsha
 >crypto map tosonicwall interface outside

-- the following entry should have a host mask 255.255.255.255
>isakmp key ******** address XX.XX.227.81 netmask 255.255.255.0

All fingers now point to an issue on the SonicWall end...
Local network = 192.168.1.0 /24
Remote network 10.10.61.0/24
Remote peer = your public IP
DES / SHA / no PFS
Default route OK. No outbound rules to prevent traffic.
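
The checklist in the reply above comes down to a handful of config lines that have to agree with one another, and it is easy to miss one when reading a printout. The following checker is an added example (not from the thread, and not a Cisco tool): it parses the PIX 6.x-style statements that matter for a site-to-site tunnel and reports the mismatches this thread went through: a crypto map not applied to an interface, a match ACL with no `permit ip` entry, a peer with no isakmp key, a key whose netmask is wider than a host, a nat 0 ACL that does not exempt the crypto ACL's subnets, a missing `sysopt connection permit-ipsec`, and an inside interface ACL that does not permit the local-to-remote traffic. The sample config is constructed from the lines posted above with RFC 5737 documentation addresses, and deliberately keeps the /24 key mask so that the checker flags it. Function names and the exact-tuple comparison are mine; a nat 0 or inside ACL entry that covers the subnet with a broader range would be reported as a false positive.

```python
import re
from collections import defaultdict

# Constructed from the lines posted above, with RFC 5737 documentation addresses.
# The isakmp key line keeps the /24 netmask on purpose so the checker flags it.
SAMPLE_CONFIG = """\
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq www
access-list inside_access_out permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list pixtosw permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list pixtosw
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group inside_access_out in interface inside
sysopt connection permit-ipsec
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer 203.0.113.20
crypto map tosonicwall 20 set transform-set strongsha
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.20 netmask 255.255.255.0
"""

ACL_IP_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
SETPEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)$")
AGROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
HOST_MASK = "255.255.255.255"


def parse_config(text):
    """Collect only the statements the site-to-site checks depend on."""
    cfg = {
        "acl": defaultdict(list),  # name -> [(src, smask, dst, dmask)] for 'permit ip' lines
        "nat0": {},                # interface -> ACL name used for NAT exemption
        "match": {},               # (map, seq) -> crypto ACL name
        "peer": {},                # (map, seq) -> peer address
        "bound": {},               # map -> interface it is applied to
        "keys": {},                # peer address -> netmask of the isakmp key
        "agroup": {},              # interface -> ACL applied inbound on it
        "sysopt_permit_ipsec": False,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "sysopt connection permit-ipsec":
            cfg["sysopt_permit_ipsec"] = True
        elif m := ACL_IP_RE.match(line):
            cfg["acl"][m.group(1)].append(m.groups()[1:])
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := MATCH_RE.match(line):
            cfg["match"][(m.group(1), m.group(2))] = m.group(3)
        elif m := SETPEER_RE.match(line):
            cfg["peer"][(m.group(1), m.group(2))] = m.group(3)
        elif m := BIND_RE.match(line):
            cfg["bound"][m.group(1)] = m.group(2)
        elif m := KEY_RE.match(line):
            cfg["keys"][m.group(1)] = m.group(2)
        elif m := AGROUP_RE.match(line):
            cfg["agroup"][m.group(2)] = m.group(1)
    return cfg


def check_vpn(cfg, inside="inside"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not cfg["sysopt_permit_ipsec"]:
        findings.append("missing 'sysopt connection permit-ipsec': decrypted traffic "
                        "is subject to the outside interface ACL")
    nat0_entries = cfg["acl"].get(cfg["nat0"].get(inside), [])
    inside_acl = cfg["agroup"].get(inside)
    inside_entries = cfg["acl"].get(inside_acl, []) if inside_acl else None
    for (cmap, seq), acl in cfg["match"].items():
        entries = cfg["acl"].get(acl, [])
        if not entries:
            findings.append(f"crypto map {cmap} {seq}: ACL {acl} has no 'permit ip' entry")
        if cmap not in cfg["bound"]:
            findings.append(f"crypto map {cmap} is not applied to any interface")
        peer = cfg["peer"].get((cmap, seq))
        if peer is None:
            findings.append(f"crypto map {cmap} {seq}: no 'set peer'")
        else:
            mask = cfg["keys"].get(peer)
            if mask is None and "0.0.0.0" not in cfg["keys"]:
                findings.append(f"no isakmp key for peer {peer}")
            elif mask is not None and mask != HOST_MASK:
                findings.append(f"isakmp key for peer {peer} uses netmask {mask}; "
                                f"a single peer should use {HOST_MASK}")
        for src, smask, dst, dmask in entries:
            flow = f"{src}/{smask} -> {dst}/{dmask}"
            # Exact-tuple comparison: a broader covering entry would be a false positive.
            if (src, smask, dst, dmask) not in nat0_entries:
                findings.append(f"nat 0 ACL on {inside} does not exempt {flow}")
            if inside_entries is not None and (src, smask, dst, dmask) not in inside_entries:
                findings.append(f"ACL {inside_acl} on {inside} has no 'permit ip' for {flow}")
    return findings


if __name__ == "__main__":
    for finding in check_vpn(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

On the sample it reports only the key netmask; remove the `sysopt` line or the inside ACL's `permit ip` entry and the corresponding finding appears, which mirrors the sequence of fixes in this thread. If no ACL is applied inbound on the inside interface the inside-ACL check is skipped, since the PIX then permits outbound traffic from the higher-security interface.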


jmccolley:

I have checked everything and I can't find the problem.

From the 10.10.61.0 net I can ping 192.168.1.1 and 192.168.1.3, but not 192.168.1.2!

From the 192.168.1.0 net I cannot ping any machines on the 10.10.61.0 net.

Any ideas?
I can connect to the mail server from the 192.168.1.0 net using 10.10.61.243 110.  So, I think there must still be something on the PIX blocking access.
Any ideas?  Anyone?
Les Moore:

Why are you so bent on it being a PIX issue and *not* a SonicWALL issue?
Unfortunately, I'm not a SonicWALL expert, but as a PIX expert, I simply cannot see anything on that end that could explain this anomaly.
jmccolley:

Well, I'm not positive it is a PIX issue.  I know that there is nothing blocking traffic on the SonicWALL.  In fact, it may not be a problem with Cisco or SonicWALL.

Here is what I have found:

I can ping from 10.10.61.245 to 192.168.1.1 and 192.168.1.2, but not 192.168.1.3

I can ping from 192.168.1.1 to 10.10.61.245, 10.10.61.230, 10.10.61.231, many addresses on the 10.10.61.0 net.  I can connect to the mail server using telnet at 10.10.61.232 110.

Unfortunately, I need to be able to make a telnet connection across the vpn from the 192.168.1.0 net to a server at 10.10.61.1.  I cannot ping or connect to that server via telnet from the 192.168.1.0 net.
ASKER CERTIFIED SOLUTION
Les Moore (solution text available to members only)

jmccolley:

It was routing on the 10.10.61.1 host.  Everything seems to be working correctly.
Thank you for sticking with me!!!!
Les Moore:

Wooo hooo! Glad it's finally working for you!

<8-}