alg205

asked on

Allow Sonicwall VPN client out through a Cisco Pix Firewall.

I am a network admin at a company and I have a SonicWall firewall set up for the company. I use the SonicWall VPN client to connect to work from home. I have a Cisco PIX 501 set up at home and the PIX will not allow me to establish a VPN connection to my company's SonicWall firewall. I can establish a connection with no problems once I remove my PIX. I do understand that people believe that the PIX is overkill for home use, but I am a network GURU and I love my toys as many of you do too. So if possible can someone help me with configuring my PIX to allow this VPN connection to my work? I am currently working on my CCNA so I have some experience with Cisco CLI but I struggle with setting up ACLs, PATs and NATs. I am learning so I will probably need step by step instructions. Thanks.
Cyclops3590

Never dealt with SonicWall VPN. Is it IPsec? Just need to know how that's configured and how it connects (NAT-T, IPsec, ESP, AH, L2TP, etc.?).
Then post your current sanitized PIX config.
alg205 (ASKER)
I honestly do not know what SonicWall uses. I did however see that L2TP was not enabled. I usually only set up Cisco equipment but the SonicWall was here when I started. I will get you my PIX config when I get home.
ASKER CERTIFIED SOLUTION (Cyclops3590)

This solution is only available to members.
alg205 (ASKER)
I was thinking it has something to do with ACLs but I don't know what ports to allow. When I submit my PIX config I will also try to find what ports to allow, then you can help me with that.
alg205 (ASKER)
I cleared my PIX config and tried that and still have the same problem. Here is my PIX config.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:c44438734d7387603bf330d9b91cc51f
: end
[OK]


I appreciate your help. Let me know if you need any more info.
SOLUTION

This solution is only available to members.
alg205 (ASKER)
I tried to add that via telnet and I got this:

pixfirewall(config)# access-list capture ip host interface outside host 207.59$
ERROR:<ip> not a valid permission
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
pixfirewall(config)#


Looks like a syntax error. I have tried to figure it out; maybe you can.

Jon
Doh, I always forget the permit :)
access-list capture permit ip host interface outside host 207...

That will get it working.
alg205 (ASKER)
I cannot get any of those commands to work. I am still getting syntax errors.
alg205 (ASKER)
I think I figured out how to capture; below is what I came up with.


20:17:04.177725 arp who-has 72.23.97.58 tell 72.23.97.1
20:17:05.010192 arp who-has 24.154.155.125 tell 24.154.155.1
20:17:05.091654 arp who-has 24.154.62.205 tell 24.154.62.1
20:17:07.118768 arp who-has 10.45.180.158 tell 10.45.176.1
20:17:07.609785 arp who-has 72.23.97.175 tell 72.23.97.1
20:17:07.814014 arp who-has 24.154.155.25 tell 24.154.155.1
20:17:09.900740 arp who-has 72.23.221.220 tell 72.23.221.1
20:17:10.625166 arp who-has 72.23.97.134 tell 72.23.97.1
20:17:10.884750 arp who-has 24.154.155.68 tell 24.154.155.1
20:17:10.889724 arp who-has 72.23.97.129 tell 72.23.97.1
20:17:11.043729 arp who-has 24.154.62.111 tell 24.154.62.1
20:17:11.316908 arp who-has 72.23.97.77 tell 72.23.97.1
20:17:11.381984 arp who-has 72.23.97.212 tell 72.23.97.1
20:17:12.780385 arp who-has 72.23.97.75 tell 72.23.97.1
20:17:13.200383 24.154.215.xx.1 > 207.59.xx.xxx.500:  udp 1392
20:17:13.257417 arp who-has 72.23.221.38 tell 72.23.221.1
20:17:13.930753 arp who-has 24.154.155.109 tell 24.154.155.1
20:17:14.606795 arp who-has 24.154.215.xx tell 24.154.215.1
20:17:14.621473 arp who-has 24.154.62.241 tell 24.154.62.1
20:17:15.777074 arp who-has 72.23.221.127 tell 72.23.221.1
20:17:16.619215 24.154.215.xx.1 > 207.59.xx.xxx.500:  udp 1392
20:17:20.654171 arp who-has 72.23.97.61 tell 72.23.97.1
20:17:20.657162 arp who-has 24.154.62.45 tell 24.154.62.1


I have tried to open port 1392; not sure if I did it right.

Here is my current PIX config.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_vpn_nat permit ip 192.168.1.0 255.255.255.0 host 207.59.xx.xxx
access-list inside_access_in permit ip any any
access-list inside_access_in permit udp any eq 1392 interface outside eq 1392
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 24.154.215.xx 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 24.154.215.0 1392 192.168.1.0 1392 netmask 255.255.255.0 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:7e289b645593c5565f2e40b62eb3c2c8
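A note on reading the capture in the post above: in this tcpdump-style output the number after "udp" is the UDP payload length in bytes, not a port, so the two lines ending in "udp 1392" are IKE (ISAKMP) packets to UDP 500 with a 1392-byte payload. The script below is an added example, not code from the thread or from Cisco: it parses lines in this format and reports which IPsec-related traffic appears. The sample capture is constructed after the one posted, with the masked octets replaced by placeholder values, plus one constructed UDP 4500 (NAT-T) line and one ESP line in tcpdump notation to show how those are classified.

```python
import re
from collections import Counter

# Constructed sample in the capture format from the thread (masked octets
# replaced with placeholders; the 4500 and ESP lines are constructed too).
SAMPLE_CAPTURE = """\
20:17:04.177725 arp who-has 72.23.97.58 tell 72.23.97.1
20:17:13.200383 24.154.215.10.1 > 207.59.1.2.500:  udp 1392
20:17:16.619215 24.154.215.10.1 > 207.59.1.2.500:  udp 1392
20:17:18.001000 207.59.1.2.500 > 24.154.215.10.1:  udp 300
20:17:19.500000 24.154.215.10.4500 > 207.59.1.2.4500:  udp 124
20:17:20.000000 24.154.215.10 > 207.59.1.2: ESP(spi=0x0000abcd,seq=0x1)
"""

# "ts src.sport > dst.dport:  udp length"
UDP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)$"
)
# "ts src > dst: ESP(...)"  (tcpdump notation for raw ESP, IP protocol 50)
ESP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):\s+ESP\("
)


def parse_line(line):
    """Return a dict for UDP or ESP packets; None for ARP and anything else."""
    m = UDP_RE.match(line.strip())
    if m:
        d = m.groupdict()
        return {"ts": d["ts"], "proto": "udp", "src": d["src"], "dst": d["dst"],
                "sport": int(d["sport"]), "dport": int(d["dport"]),
                # trailing number after "udp" is the payload length, not a port
                "length": int(d["length"])}
    m = ESP_RE.match(line.strip())
    if m:
        d = m.groupdict()
        return {"ts": d["ts"], "proto": "esp", "src": d["src"], "dst": d["dst"],
                "sport": None, "dport": None, "length": None}
    return None


def classify(pkt):
    """Label a parsed packet by the IPsec role its ports imply."""
    if pkt["proto"] == "esp":
        return "esp-raw"      # no port numbers at all: nothing for PAT to track
    ports = {pkt["sport"], pkt["dport"]}
    if 4500 in ports:
        return "nat-t"        # IKE or ESP encapsulated in UDP 4500
    if 500 in ports:
        return "ike"          # ISAKMP negotiation
    return "other-udp"


def summarize(capture_text):
    """Count IPsec traffic kinds and the peers involved in a capture."""
    counts = Counter()
    peers = set()
    max_ike_len = 0
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue               # ARP noise and unparsed lines are skipped
        kind = classify(pkt)
        counts[kind] += 1
        if kind != "other-udp":
            peers.add(tuple(sorted((pkt["src"], pkt["dst"]))))
        if kind == "ike":
            max_ike_len = max(max_ike_len, pkt["length"])
    return {"counts": dict(counts),
            "peers": sorted(peers),
            "max_ike_payload": max_ike_len,
            "nat_t_seen": counts["nat-t"] > 0,
            "raw_esp_seen": counts["esp-raw"] > 0}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Run against a real capture, a result with IKE packets but no "nat-t" entries and no return traffic on 4500 is the pattern to look for when a client behind PAT negotiates but never gets a working tunnel.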
alg205 (ASKER)
OK, here is the update.

I figured out what ports to open and I can log in to my VPN now, but it doesn't assign an IP address to my virtual adapter so my connection is still useless. Is there something else I need to open?
SOLUTION

This solution is only available to members.
alg205 (ASKER)

At home my setup is Computer --> Cisco PIX --> Cable Modem. That's it.
alg205 (ASKER)

Oh, one more thing: I opened UDP 500 to get the SonicWall to let me log in. Still can't get an IP address from the SonicWall. The SonicWall does the DHCP and I can get an IP address when I bypass the Cisco PIX at home.
alg205 (ASKER)

I really appreciate your help. I will look at the settings on my SonicWall here at work and see how it's set up and I will let you know. Even if you and I can't get this completely resolved you will still get some points because you did get me this far.
alg205 (ASKER)

OK, I checked the SonicWall config and NAT-T was not enabled. I enabled it and I will give it a shot. I read about NAT-T and it definitely looks like the problem. I will post again tonight.
alg205 (ASKER)

After opening ports UDP 500 and 4500, I was able to log in to the VPN. I also allowed ports 50 and 51; not sure what that did. Once I enabled NAT-T on the SonicWall client, it assigned an IP address. I am up and running. Thanks for your help; I am awarding you the 500 points.
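Why enabling NAT-T is what made the difference: the PIX config in this thread translates every inside host to the single outside address with port address translation (global (outside) 1 interface plus nat (inside) 1 0.0.0.0 0.0.0.0), and PAT needs a port number to build and match each translation. IKE on UDP 500 has one, so the login phase works. ESP has none (ESP is IP protocol 50 and AH is IP protocol 51; they are protocol numbers, not ports), so the return packets of the tunnel, which carry everything including the virtual adapter's address assignment, match no translation and are dropped. With NAT-T the client wraps ESP in UDP 4500, which PAT can track like any other UDP flow. The model below is an added example, a deliberately simplified simulation written for this thread and not the PIX's own code; the addresses are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder addresses (not the masked ones from the thread)
INSIDE_HOST = "192.168.1.10"    # PC behind the PIX
PIX_OUTSIDE = "24.154.215.10"   # PIX outside interface, the PAT address
VPN_PEER = "207.59.1.2"         # the SonicWall at work


@dataclass
class Packet:
    proto: str                   # "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None  # ESP carries no port numbers
    dport: Optional[int] = None


@dataclass
class PatTable:
    """Simplified port-overloading PAT on one outside address, modelling
    'global (outside) 1 interface' + 'nat (inside) 1 0.0.0.0 0.0.0.0'."""
    next_port: int = 1024
    xlate: dict = field(default_factory=dict)    # (proto, in_ip, in_port) -> out_port
    reverse: dict = field(default_factory=dict)  # (proto, out_port) -> (in_ip, in_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside->outside; None when no translation can be built."""
        if pkt.proto not in ("udp", "tcp"):
            return None   # no port field to overload: raw ESP has nothing to key on
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.reverse[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, PIX_OUTSIDE, pkt.dst, self.xlate[key], pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Untranslate outside->inside; None (dropped) without a matching xlate."""
        entry = self.reverse.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        in_ip, in_port = entry
        return Packet(pkt.proto, pkt.src, in_ip, pkt.sport, in_port)


def simulate(nat_t_enabled: bool) -> dict:
    """Run IKE on UDP 500, then the data path as raw ESP or as UDP 4500."""
    pat = PatTable()

    # Phase 1: IKE negotiation on UDP 500 in both directions; works either way.
    ike_out = pat.outbound(Packet("udp", INSIDE_HOST, VPN_PEER, 500, 500))
    ike_reply = Packet("udp", VPN_PEER, PIX_OUTSIDE, 500, ike_out.sport)
    ike_ok = pat.inbound(ike_reply) is not None

    # Phase 2: the tunnel itself, which carries the client's address assignment.
    if nat_t_enabled:
        data_out = pat.outbound(Packet("udp", INSIDE_HOST, VPN_PEER, 4500, 4500))
        data_reply = Packet("udp", VPN_PEER, PIX_OUTSIDE, 4500, data_out.sport)
    else:
        data_out = pat.outbound(Packet("esp", INSIDE_HOST, VPN_PEER))
        data_reply = Packet("esp", VPN_PEER, PIX_OUTSIDE)
    data_in = pat.inbound(data_reply)

    return {"ike_ok": ike_ok,
            "data_out_ok": data_out is not None,
            "data_in_ok": data_in is not None,
            "xlates": len(pat.xlate)}


if __name__ == "__main__":
    print("raw ESP:      ", simulate(False))
    print("NAT-T enabled:", simulate(True))
```

The raw-ESP run reproduces the symptom reported earlier in the thread (login works, nothing comes back through the tunnel); the NAT-T run shows both phases passing with two translations in the table. The model deliberately ignores PIX-specific ESP handling and only captures the port-keyed PAT behaviour.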
alg205 (ASKER)
I am up and running. Thanks again for your help.