Solved

Allow Sonicwall VPN client out through a Cisco Pix Firewall.

Posted on 2008-06-23
Last Modified: 2010-04-21
I am a network admin at a company and I have a Sonicwall Firewall setup for the company. I use Sonicwall VPN client to connect to work from home. I have a Cisco Pix 501 setup at home and the pix will not allow me to establish a VPN connection to my company's Sonicwall Firewall. I can establish a connection no problems once I remove my PIX. I do understand that people believe that the PIX is overkill for home use, but I am a network GURU and I love my toys as many of you do too. So if possible can someone help me with configuring my PIX to allow this VPN connection to my work. I am currently working on my CCNA so I have some experience with Cisco CLI but I struggle with setting up ACLs, PATs and NATs. I am learning so I will probably need step by step instructions. Thanks.
Question by:alg205
18 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 21867633
never dealt with sonicwall vpn.  Is it ipsec?  Just need to know how that's configured and how it connects (nat-t, ipsec, esp, ah, l2tp, etc.?)
then post your current sanitized pix config
0
 

Author Comment

by:alg205
ID: 21868456
I honestly do not know what Sonicwall uses. I did however see that L2TP was not enabled. I usually only setup Cisco equipment but Sonicwall was here when I started. I will get you my Pix config when I get home.
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 21869126
ok, that will help a little.  beyond that, the only thing I can think of is that either 1) an acl is applied to the inside interface (the interface the user resides) that either explicitly blocks or doesn't explicitly allow the correct ports/protocols or 2) NAT-T isn't used and the pix isn't configured to permit the correct protocol thru.
0
 

Author Comment

by:alg205
ID: 21869215
I was thinking it has something to do with ACLs but I don't know what ports to allow. When I submit my Pix config I will also try to find what ports to allow, then you can help me with that.
0
 

Author Comment

by:alg205
ID: 21870414
I cleared my Pix config and tried that and still the same problem. Here is my Pix config.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:c44438734d7387603bf330d9b91cc51f
: end
[OK]


I appreciate your help. Let me know if you need any more info.
0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 500 total points
ID: 21870484
ok create an acl that we'll use for a capture.  
access-list capture ip host interface outside host <<ip of sonicwall>>
access-list capture ip host <<ip of sonicwall>> host interface outside

now create a capture using that acl on the outside interface and see what it gives.  in this we're just looking for what ports are being used.

next, which is more difficult if you don't have a way of setting up a syslog server.  we need logging to either level 3 or 4 (can't remember which; but the level at which denies are logged; I always have mine set to 4)  here we want to see any denies involving the ip of the sonicwall.  it's easier with a syslog server as the buffer can possibly get filled up too quickly and then we'll miss what we want.
0
 

Author Comment

by:alg205
ID: 21871446
I tried to add that via telnet and I got this.......

pixfirewall(config)# access-list capture ip host interface outside host 207.59$
ERROR:<ip> not a valid permission
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
pixfirewall(config)#


Looks like a syntax error. I have tried to figure it out; maybe you can.

Jon
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 21871686
doh, i always forget the permit :)
access-list capture permit ip host interface outside host 207...

that will get it working
0
 

Author Comment

by:alg205
ID: 21892636
I can not get any of those commands to work. I am still getting syntax errors.
0

 

Author Comment

by:alg205
ID: 21892839
I think I figured out how to capture; below is what I came up with.


20:17:04.177725 arp who-has 72.23.97.58 tell 72.23.97.1
20:17:05.010192 arp who-has 24.154.155.125 tell 24.154.155.1
20:17:05.091654 arp who-has 24.154.62.205 tell 24.154.62.1
20:17:07.118768 arp who-has 10.45.180.158 tell 10.45.176.1
20:17:07.609785 arp who-has 72.23.97.175 tell 72.23.97.1
20:17:07.814014 arp who-has 24.154.155.25 tell 24.154.155.1
20:17:09.900740 arp who-has 72.23.221.220 tell 72.23.221.1
20:17:10.625166 arp who-has 72.23.97.134 tell 72.23.97.1
20:17:10.884750 arp who-has 24.154.155.68 tell 24.154.155.1
20:17:10.889724 arp who-has 72.23.97.129 tell 72.23.97.1
20:17:11.043729 arp who-has 24.154.62.111 tell 24.154.62.1
20:17:11.316908 arp who-has 72.23.97.77 tell 72.23.97.1
20:17:11.381984 arp who-has 72.23.97.212 tell 72.23.97.1
20:17:12.780385 arp who-has 72.23.97.75 tell 72.23.97.1
20:17:13.200383 24.154.215.xx.1 > 207.59.xx.xxx.500:  udp 1392
20:17:13.257417 arp who-has 72.23.221.38 tell 72.23.221.1
20:17:13.930753 arp who-has 24.154.155.109 tell 24.154.155.1
20:17:14.606795 arp who-has 24.154.215.xx tell 24.154.215.1
20:17:14.621473 arp who-has 24.154.62.241 tell 24.154.62.1
20:17:15.777074 arp who-has 72.23.221.127 tell 72.23.221.1
20:17:16.619215 24.154.215.xx.1 > 207.59.xx.xxx.500:  udp 1392
20:17:20.654171 arp who-has 72.23.97.61 tell 72.23.97.1
20:17:20.657162 arp who-has 24.154.62.45 tell 24.154.62.1


I have tried to open port 1392 not sure if I did it right.

here is my current pix config.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_vpn_nat permit ip 192.168.1.0 255.255.255.0 host 207.59.xx.xxx
access-list inside_access_in permit ip any any
access-list inside_access_in permit udp any eq 1392 interface outside eq 1392
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 24.154.215.xx 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 24.154.215.0 1392 192.168.1.0 1392 netmask 255.255.255.0 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:7e289b645593c5565f2e40b62eb3c2c8
0
 

Author Comment

by:alg205
ID: 21892981
OK here is the update.

I figured out what ports to open and I can login to my vpn now but it doesn't assign an IP address to my virtual adapter so my connection is still useless. Is there something else I need to open?
0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 500 total points
ID: 21893487
that's really odd that you had to allow ports like that.  by default higher security interfaces are allowed to go to lower security interfaces without exception.  anyway, now it's the sonicwall as that is the device that issues out the ip for the vpn connection.  And since I've never dealt with those I really can't help there.  Since it works from home though, I'm wondering about how the sonicwall is configured.  I know in a pix you have to allow nat traversal before it uses UDP/TCP encapsulation of protocol 50 or 51 instead of just the protocol.  At home is your computer connected directly to the internet or to a nat device?
0
 

Author Comment

by:alg205
ID: 21898174
At home my setup is  Computer-->Cisco Pix-->Cable Modem. That's it.
0
 

Author Comment

by:alg205
ID: 21898189
oh one more thing I opened udp 500 to get the sonicwall to let me login. still can't get an ip address from sonicwall. Sonicwall does the DHCP and I can get an ip address when I bypass the Cisco Pix at home.
0
 

Author Comment

by:alg205
ID: 21898241
I really appreciate your help. I will look at the settings on my Sonicwall here at work and see how it's setup and I will let you know. Even if you and I can't get this completely resolved you will still get some points because you did get me this far.
0
 

Author Comment

by:alg205
ID: 21898276
Ok I checked the Sonicwall config and NAT-T was not enabled. I enabled it and I will give it a shot. I read about NAT-T and it definitely looks like the problem. I will post again tonight.
0
 

Author Comment

by:alg205
ID: 21903561
After opening Ports udp 500 and 4500, I was able to login to the vpn. I also allowed ports 50 and 51 not sure what that did. Once I enabled NAT-T on the Sonicwall Client, it assigned an IP address. I am up and running. Thanks for your help I am awarding you the 500 points.
0
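As an added example that is not from this thread or from Cisco or SonicWall, the Python script below parses capture lines in the format the poster pasted earlier and reports which parts of the IPsec exchange are present: IKE on UDP 500, and NAT-T on UDP 4500, which is what finally made the client work. Two points the thread touches on are encoded in it: the trailing number in "udp 1392" is the datagram length, not a port to open, and ESP and AH are IP protocol numbers 50 and 51 rather than ports, so without NAT-T the PIX's PAT has nothing to translate. The sample capture and peer address are constructed placeholders.

```python
import re
from collections import Counter
# Constructed sample in the format of the PIX 6.3 capture dump shown in the
# thread; the addresses are placeholders, not the original poster's.
SAMPLE_CAPTURE = """\
20:17:12.780385 arp who-has 72.23.97.75 tell 72.23.97.1
20:17:13.200383 24.154.215.10.1 > 207.59.100.5.500:  udp 1392
20:17:13.257417 arp who-has 72.23.221.38 tell 72.23.221.1
20:17:16.619215 24.154.215.10.1 > 207.59.100.5.500:  udp 1392
"""
# "<ts> <src>.<sport> > <dst>.<dport>:  udp <len>"; <len> is a size, not a port.
UDP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)\s*$")

# UDP ports an IPsec client behind PAT needs. ESP (50) and AH (51) are IP
# protocol numbers, not ports, so PAT cannot rewrite them unless NAT-T wraps them.
IPSEC_UDP = {500: "ike", 4500: "nat-t"}

def parse_udp_flows(text):
    """Return one dict per UDP line; ARP and anything else is skipped."""
    flows = []
    for line in text.splitlines():
        m = UDP_LINE.match(line)
        if m:
            f = m.groupdict()
            for key in ("sport", "dport", "length"):
                f[key] = int(f[key])
            flows.append(f)
    return flows

def summarize(flows, peer):
    """Count IKE and NAT-T packets sent to and received from the VPN peer."""
    counts = Counter()
    for f in flows:
        if f["dst"] == peer and f["dport"] in IPSEC_UDP:
            counts[IPSEC_UDP[f["dport"]] + "_out"] += 1
        elif f["src"] == peer and f["sport"] in IPSEC_UDP:
            counts[IPSEC_UDP[f["sport"]] + "_in"] += 1
    return counts

def assess(counts):
    """Findings a PIX admin would act on, derived from the counts."""
    findings = []
    if counts["ike_out"] and not counts["ike_in"]:
        findings.append("IKE sent but no reply seen: check the peer and the outside ACL")
    if counts["ike_out"] and not (counts["nat-t_out"] or counts["nat-t_in"]):
        findings.append("no UDP 4500 traffic: NAT-T is off, so ESP cannot cross the PIX PAT")
    return findings
```

Run against the constructed sample, it reports two IKE packets to the peer, no NAT-T, and both findings; a capture taken after NAT-T is enabled on both ends should show UDP 4500 and clear the second finding.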
 

Author Closing Comment

by:alg205
ID: 31469897
I am up and running. Thanks again for your help.
0
