Solved

Cisco PIX to SonicWALL

Posted on 2006-11-01
31
598 Views
Last Modified: 2013-11-16
I have created a site-to-site VPN following instructions found on the Cisco and SonicWALL websites to connect a Cisco PIX 515e to a SonicWALL TZ170.  The tunnel is up, but I cannot pass traffic across the link.  I can ping the public address of the SonicWALL from the Cisco and vice-versa.  But, I cannot ping the private addresses of either side.  Do I need to setup some static routing?

Site A - Cisco - private addresses 10.10.61.1-10.10.61.254
Site B - SonicWALL - private addresses 192.168.1.1-192.168.1.254

I have never done a Cisco to SonicWALL VPN.  I have done many SonicWALL site-to-site VPN's and have not had to configure any routing.

Any help would be greatly appreciated.  I need to get this running ASAP.

Thanks!
0
Comment
Question by:jmccolley
  • 18
  • 13
31 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17854632
You cannot ping the private interface of either end.
You should be able to ping from 10.10.6.x client to 192.168.1.x client
Can you post result of "show cry is sa" and show cry ip sa
0
 

Author Comment

by:jmccolley
ID: 17854788
I'm sorry, I wasn't more clear.  I have tried to ping from client to client and cannot.  I will be at the site tomorrow and I will post the results of the "show cry is sa" and "show cry ip sa".  Thanks.
0
 

Author Comment

by:jmccolley
ID: 17863296
Here is the info lmoore asked for:

# show cry is sa

dst                      src                    state        pending       created
63.145.xxx.xxx      71.165.xxx.xxx   QM_IDLE      0                  1
 
# show cry ip sa

interface: outside
    Crypto map tag: tosonicwall, local addr. 63.145.xxx.xxx

   local  ident (addr/mask/prot/port): (10.10.61.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 71.165.xxx.xxx:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 105, #pkts decrypt: 105, #pkts verify 105
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 63.145.xxx.xxx, remote crypto endpt.: 71.165.xxx.xxx
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: ff5bb19a

     inbound esp sas:
      spi: 0xc5e486ce(3320088270)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: tosonicwall
        sa timing: remaining key lifetime (k/sec): (4607999/2767)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xff5bb19a(4284199322)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: tosonicwall
        sa timing: remaining key lifetime (k/sec): (4608000/2749)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17863480
>63.145.xxx.xxx      71.165.xxx.xxx   QM_IDLE  
QM_IDLE means tunnel is established, waiting to pass traffic

> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
>  #pkts decaps: 105, #pkts decrypt: 105, #pkts verify 1

Packets decrypted means they're coming from the other side. 0 encaps means you may have a routing issue internally.
Where do packets to 192.168.1.x get routed from a host? Is the PIX the default gateway?

These two lines validate your crypto match acl..
   local  ident (addr/mask/prot/port): (10.10.61.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

0
 

Author Comment

by:jmccolley
ID: 17864043
I have not set up any routing for this new vpn connection.  I just followed some instructions on how to create a vpn between a Cisco PIX and a SonicWALL TZ170.

The PIX private address is 10.10.61.252.  This is the default gateway address used for hosts and PC's at site A.

The SonicWALL private address is 192.168.1.1 and it is the default gateway for all PC's at site B.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17864061
Do you have a nat_0 acl?
access-list nonat permit 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
0
 

Author Comment

by:jmccolley
ID: 17864084
I have this:

access-list pixtosw permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list pixtosw
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17864106
can you post result of sho access-list
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17864138
can you also post result of sho route
0
 

Author Comment

by:jmccolley
ID: 17864166
Unfortunately, I am not onsite right now.  I do have a printout of show configuration from earlier today and here are the access-list entries:

access-list inside_access_out permit tcp host 10.10.61.232 any eq smtp
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq www
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq https
access-list inside_access_out permit tcp host 10.10.61.232 any eq pop3
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq ftp
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq ftp-data
access-list inside_access_out permit udp any any eq domain
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq telnet
access-list inside_access_out permit tcp any any eq 3306
access-list outside_access_in permit tcp any host 63.145.xxx.xxx eq smtp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any host 63.145.xxx.xxx eq pop3
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ftp-data
access-list pixtosw permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17864192
I'm looking for hitcounters on the 2 acls pixtosw and the crypto match acl.
Also looking to make sure that you don't have any other route to 192.168.1.0 that points someplace else.
Also can you verify that you have this command in the pix:
 sysopt connection permit-ipsec

Else, if you want to post the complete config up on www.ee-stuff.com that might help..

0
 

Author Comment

by:jmccolley
ID: 17864224
I only have a printout, so I would have to re-type everything!  I will be onsite again tomorrow, though.

I do have the command sysopt connection permit-ipsec

I tried to login to www.ee-stuff.com and am getting an error there.  Will keep trying.

I found a command that seems to tell me there is a potential problem:

route outside 0.0.0.0 0.0.0.0 63.145.xxx.xxx 1

The x'ed out portion of this address is not the PIX address that I have been xxx'ing out in the previous posts.

It seems to tell me that all traffic out of the PIX is being routed to this other address???
0
 

Author Comment

by:jmccolley
ID: 17864232
Duh!!!  That address would be the upstream default for the PIX!!!

But, is that causing a problem?
0
 

Author Comment

by:jmccolley
ID: 17864252
The site with the PIX also uses Websense to filter http, https, and ftp traffic, but I don't think it would be causing any problems.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17865605
Your inside-access-out acl does not look like it allows ICMP or any traffic to 192.168.1.0
 try adding

access-list inside_access_out permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0

0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:jmccolley
ID: 17869127
Ok.  I added the acl and now I can ping from 10.10.61.0 network to 192.168.1.0 network.  However, I cannot ping from 192.168.1.0 net to 10.10.61.0 net.
I added an acl like this hoping it would allow me to ping, but it still is not working.

access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 10.10.61.0 255.255.255.0

any other ideas?

Thanks,
Jack
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17869170
One-way ping? This is progress, no?

>I do have the command sysopt connection permit-ipsec
This bypasses all inbound acls, so nothing in the outside_access_in acl matters

Their end could be blocking icmp echo, but allowing echo-replies. Very commonly seen..


0
 

Author Comment

by:jmccolley
ID: 17869235
Well, actually it seems that I can only ping one of the two pc's at site B (192.168.1.0 net) and I cannot ping any IP's at site A.  I have tried making a telnet connection from 192.168.1.0 net to 10.10.61.1 and I do not connect.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17869307
How about posting a complete config. Perhaps there is something we're overlooking.
I can edit anything out that you don't want left up here.
0
 

Author Comment

by:jmccolley
ID: 17869477
Ok, here you go!  Thanks!

# show configure
: Saved
: Written by enable_15 at 10:44:21.173 UTC Fri Nov 3 2006
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Firewall515E
domain-name paradise
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol rtsp 3306
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.10.61.232 webserver
name 10.10.61.245 Phone_Room_PC
name 192.168.1.0 UCPCenter
name XX.XX.227.81 UCPCenterTelnet
access-list inside_access_out permit tcp host 10.10.61.232 any eq smtp
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq www
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq https
access-list inside_access_out permit tcp host 10.10.61.232 any eq pop3
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq ftp
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq ftp-dat
a
access-list inside_access_out permit udp any any eq domain
access-list inside_access_out permit tcp 10.10.61.0 255.255.255.0 any eq telnet
access-list inside_access_out permit tcp any any eq 3306
access-list inside_access_out permit tcp host 10.10.61.30 any eq 3464
access-list inside_access_out permit tcp host 10.10.61.245 host 71.165.xxx.xxx
access-list inside_access_out permit tcp any any eq 32000
access-list inside_access_out permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255
.255.255.0
access-list outside_access_in permit tcp any host 63.145.xxx.xxx eq smtp
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any host 63.145.xxx.xxx eq pop3
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp host 71.165.xxx.xxx any
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 10.10.61.0 255
.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.10.61.20 255.255.255.252
access-list outside_cryptomap_dyn_20 permit ip any 10.10.61.20 255.255.255.252
access-list pixtosw permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24
logging buffered debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.179.242 255.255.255.240
ip address inside 10.10.61.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip local pool VPNAddressPool 10.10.61.20-10.10.61.22
pdm location XX.XX.49.66 255.255.255.255 outside
pdm location 10.10.61.255 255.255.255.255 inside
pdm location 255.255.255.0 255.255.255.255 inside
pdm location 255.255.255.255 255.255.255.255 inside
pdm location 255.255.255.255 255.255.255.255 outside
pdm location 10.10.61.255 255.255.255.255 outside
pdm location 10.10.61.232 255.255.255.255 inside
pdm location 10.10.61.233 255.255.255.255 inside
pdm location 10.10.61.20 255.255.255.252 outside
pdm location 10.10.61.30 255.255.255.255 inside
pdm location XX.XX.29.0 255.255.255.192 outside
pdm location 10.10.61.245 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location XX.XX.227.0 255.255.255.0 outside
pdm location XX.XX.227.81 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list pixtosw
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 63.145.xxx.xxx 10.10.61.232 dns netmask 255.255.255.255
0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 63.145.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.10.61.232 timeout 5 protocol TCP ver
sion 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http XX.XX.49.66 255.255.255.255 outside
http 10.10.61.0 255.255.255.0 inside
snmp-server location Server Room
snmp-server contact William Johnson
snmp-server community private
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set strongsha esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer XX.XX.227.81
crypto map tosonicwall 20 set transform-set strongsha
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address XX.XX.227.81 netmask 255.255.255.0
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet XX.XX.227.81 255.255.255.0 outside
telnet 10.10.61.0 255.255.255.0 inside
telnet timeout 5
ssh 200.9.xxx.xxx 255.255.255.255 outside
ssh timeout 60
console timeout 0
vpdn group L2TP-VPDN-GROUP accept dialin l2tp
vpdn group L2TP-VPDN-GROUP ppp authentication mschap
vpdn group L2TP-VPDN-GROUP client configuration address local VPNAddressPool
vpdn group L2TP-VPDN-GROUP client configuration dns 10.10.61.230 10.10.61.232
vpdn group L2TP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60
vpdn username admin password ********
vpdn enable outside
terminal width 80
Cryptochecksum:17a44de77e57f79b9bb3bfb844219930
Firewall515E(config)#
0
 

Author Comment

by:jmccolley
ID: 17869533
Here is the show route output

Firewall515E(config)# show route
        outside 0.0.0.0 0.0.0.0 63.145.xxx.xxx 1 OTHER static
        inside 10.10.61.0 255.255.255.0 10.10.61.252 1 CONNECT static
        outside 63.145.xxx.xxx 255.255.255.240 63.145.xxx.xxx 1 CONNECT static
Firewall515E(config)#
0
 

Author Comment

by:jmccolley
ID: 17869585
Here is the show access-list output

Firewall515E(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_access_out; 13 elements
access-list inside_access_out line 1 permit tcp host 10.10.61.232 any eq smtp (h
itcnt=18629)
access-list inside_access_out line 2 permit tcp 10.10.61.0 255.255.255.0 any eq
www (hitcnt=4290385)
access-list inside_access_out line 3 permit tcp 10.10.61.0 255.255.255.0 any eq
https (hitcnt=688658)
access-list inside_access_out line 4 permit tcp host 10.10.61.232 any eq pop3 (h
itcnt=0)
access-list inside_access_out line 5 permit tcp 10.10.61.0 255.255.255.0 any eq
ftp (hitcnt=163336)
access-list inside_access_out line 6 permit tcp 10.10.61.0 255.255.255.0 any eq
ftp-data (hitcnt=0)
access-list inside_access_out line 7 permit udp any any eq domain (hitcnt=891014
)
access-list inside_access_out line 8 permit tcp 10.10.61.0 255.255.255.0 any eq
telnet (hitcnt=66)
access-list inside_access_out line 9 permit tcp any any eq 3306 (hitcnt=37)
access-list inside_access_out line 10 permit tcp host 10.10.61.30 any eq 3464 (h
itcnt=719)
access-list inside_access_out line 11 permit tcp host 10.10.61.245 host XX.X.2
27.81 (hitcnt=0)
access-list inside_access_out line 12 permit tcp any any eq 32000 (hitcnt=54)
access-list inside_access_out line 13 permit ip 10.10.61.0 255.255.255.0 192.168
.1.0 255.255.255.0 (hitcnt=65)
access-list outside_access_in; 9 elements
access-list outside_access_in line 1 permit tcp any host XX.XX.179.243 eq smtp
(hitcnt=104731)
access-list outside_access_in line 2 permit tcp any any eq www (hitcnt=627)
access-list outside_access_in line 3 permit tcp any any eq https (hitcnt=27)
access-list outside_access_in line 4 permit tcp any host XX.XX.179.243 eq pop3
(hitcnt=58121)
access-list outside_access_in line 5 permit tcp any any eq ftp (hitcnt=81)
access-list outside_access_in line 6 permit tcp any any eq ftp-data (hitcnt=0)
access-list outside_access_in line 7 remark Remote access for PRISM Networks
access-list outside_access_in line 8 permit tcp XX.XX.29.0 255.255.255.192 any
(hitcnt=0)
access-list outside_access_in line 9 permit tcp host XX.XX.227.81 any (hitcnt=0
)
access-list outside_access_in line 10 permit ip 192.168.1.0 255.255.255.0 10.10.
61.0 255.255.255.0 (hitcnt=0)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 10.10.61.20 255.255.25
5.252 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.61.20 255.255.25
5.252 (hitcnt=0)
access-list pixtosw; 1 elements
access-list pixtosw line 1 permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.25
5.255.0 (hitcnt=444)
Firewall515E(config)#

Please remove anything with public addresses from posting.

Thanks!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17869590
All critical components on PIX are now present and accounted for:

 >access-list inside_access_out permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
 >access-list pixtosw permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
 >nat (inside) 0 access-list pixtosw
 >sysopt connection permit-ipsec
 >crypto map tosonicwall 20 match address pixtosw
 >crypto map tosonicwall 20 set peer XX.XX.227.81
 >crypto map tosonicwall 20 set transform-set strongsha
 >crypto map tosonicwall interface outside

\\-- the following entry should have a host mask 255.255.255.255
>isakmp key ******** address XX.XX.227.81 netmask 255.255.255.0

All fingers now point to an issue on the SonicWall end...
Local network = 192.168.1.0 /24
Remote network 10.10.61.0/24
Remote peer = your public IP
DES / SHA / no PFS
Default route OK. No outbound rules to prevent traffic.


0
 

Author Comment

by:jmccolley
ID: 17885692
I have checked everything and I can't find the problem.

From the 10.10.61.0 net I can ping 192.168.1.1 and 192.168.1.3, but not 192.168.1.2!

From the 192.168.1.0 net I cannot ping any machines on the 10.10.61.0 net.

Any ideas?
0
 

Author Comment

by:jmccolley
ID: 17886527
I can connect to the mail server from the 192.168.1.0 net using 10.10.61.243 110.  So, I think there must still be something on the PIX blocking access.
0
 

Author Comment

by:jmccolley
ID: 17893998
Any ideas?  Anyone?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17894218
Why are you so bent on it being a PIX issue and *not* a Sonicwall issue?
Unfortunately, I'm not a Sonicwall expert, but as a PIX expert, I simply cannot see anything on that end that could explain this anomoly.
0
 

Author Comment

by:jmccolley
ID: 17894325
Well, I'm not positive it is a PIX issue.  I know that there is nothing blocking traffic on the SonicWALL.  In fact, it may not be a problem with Cisco or SonicWALL.

Here is what I have found:

I can ping from 10.10.61.245 to 192.168.1.1 and 192.168.1.2, but not 192.168.1.3

I can ping from 192.168.1.1 to 10.10.61.245, 10.10.61.230, 10.10.61.231, many addresses on the 10.10.61.0 net.  I can connect to the mail server using telnet at 10.10.61.232 110.

Unfortunately, I need to be able to make a telnet connection across the vpn from the 192.168.1.0 net to a server at 10.10.61.1.  I cannot ping or connect to that server via telnet from the 192.168.1.0 net.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17894350
>I can ping from 10.10.61.245 to 192.168.1.1 and 192.168.1.2, but not 192.168.1.3
That's good! Then the issue is definately something peculiar with the host 192.168.1.3
Is its default gateway set properly? Does this host have any type of firewall? Perhaps even Cisco VPN client?

>I can ping from 192.168.1.1 to 10.10.61.245, 10.10.61.230, 10.10.61.231, many addresses on the 10.10.61.0 net.
Combined with the above, then this is proof positive that you have 2-way communications between the two networks. Both the PIX and the Sonicwall appear to be working fine.

> I need to be able to make a telnet connection across the vpn from the 192.168.1.0 net to a server at 10.10.61.1.
Since you can access almost any system *except* this one host, I would look at that host. Check the default gateway, any static routes, and any firewalls/access rules.
0
 

Author Comment

by:jmccolley
ID: 17894715
It was routing on the 10.10.61.1 host.  Everything seems to be working correctly.
Thank you for sticking with me!!!!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17894747
Wooo hooo! Glad it's finally working for you!

<8-}

0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now