Allow Sonicwall VPN client out through a Cisco Pix Firewall.

I am a network admin at a company and I have a Sonicwall Firewall setup for the company. I use Sonicwall VPN client to connect to work from home. I have a Cisco Pix 501 setup at home and the pix will not allow me to establish a VPN connection to my company's Sonicwall Firewall. I can establish a connection no problems once I remove my PIX. I do understand that people believe that the PIX is overkill for home use, but I am a network GURU and I love my toys as many of you do too. So if possible can someone help me with configuring my PIX to allow this VPN connection to my work. I am currently working on my CCNA so I have some experience with Cisco CLI but I struggle with setting up ACLs, PATs and NATs. I am learning so I will probably need step by step instructions. Thanks.
alg205 Asked:
Cyclops3590 Commented:
ok, that will help a little.  beyond that, the only thing I can think of is that either 1) an acl is applied to the inside interface (the interface the user resides) that either explicitly blocks or doesn't explicitly allow the correct ports/protocols or 2) NAT-T isn't used and the pix isn't configured to permit the correct protocol thru.
0
 
Cyclops3590 Commented:
never dealt with sonicwall vpn.  Is it ipsec?  Just need to know how that's configured and how it connects (nat-t, ipsec, esp, ah, l2tp, etc.?)
then post your current sanitized pix config
0
 
alg205 (Author) Commented:
I honestly do not know what Sonicwall uses. I did however see that L2TP was not enabled. I usually only setup Cisco equipment but Sonicwall was here when I started. I will get you my Pix config when I get home.
0
 
alg205 (Author) Commented:
I was thinking it has something to do with ACLs but I don't know what ports to allow. When I submit my Pix config I will also try to find what ports to allow then you can help me with that.
0
 
alg205 (Author) Commented:
I cleared my Pix config and tried that and still the same problem. Here is my Pix config.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:c44438734d7387603bf330d9b91cc51f
: end
[OK]


I appreciate your help. Let me know if you need any more info.
0
 
Cyclops3590 Commented:
ok create an acl that we'll use for a capture.
access-list capture ip host interface outside host <<ip of sonicwall>>
access-list capture ip host <<ip of sonicwall>> host interface outside

now create a capture using that acl on the outside interface and see what it gives.  in this we're just looking for what ports are being used.

next, which is more difficult if you don't have a way of setting up a syslog server. we need logging to either level 3 or 4 (can't remember which; but the level at which denies are logged; I always have mine set to 4). here we want to see any denies involving the ip of the sonicwall. it's easier with a syslog server as the buffer can possibly get filled up too quickly and then we'll miss what we want.
0
 
alg205 (Author) Commented:
I tried to add that via telnet and I got this.......

pixfirewall(config)# access-list capture ip host interface outside host 207.59$
ERROR:<ip> not a valid permission
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
pixfirewall(config)#


looks like a syntax error I have tried to figure it out. maybe you can.

Jon
0
 
Cyclops3590 Commented:
doh, i always forget the permit :)
access-list capture permit ip host interface outside host 207...

that will get it working
0
 
alg205 (Author) Commented:
I cannot get any of those commands to work. I am still getting syntax errors.
0
 
alg205 (Author) Commented:
I think I figured out how to capture; below is what I came up with.


20:17:04.177725 arp who-has 72.23.97.58 tell 72.23.97.1
20:17:05.010192 arp who-has 24.154.155.125 tell 24.154.155.1
20:17:05.091654 arp who-has 24.154.62.205 tell 24.154.62.1
20:17:07.118768 arp who-has 10.45.180.158 tell 10.45.176.1
20:17:07.609785 arp who-has 72.23.97.175 tell 72.23.97.1
20:17:07.814014 arp who-has 24.154.155.25 tell 24.154.155.1
20:17:09.900740 arp who-has 72.23.221.220 tell 72.23.221.1
20:17:10.625166 arp who-has 72.23.97.134 tell 72.23.97.1
20:17:10.884750 arp who-has 24.154.155.68 tell 24.154.155.1
20:17:10.889724 arp who-has 72.23.97.129 tell 72.23.97.1
20:17:11.043729 arp who-has 24.154.62.111 tell 24.154.62.1
20:17:11.316908 arp who-has 72.23.97.77 tell 72.23.97.1
20:17:11.381984 arp who-has 72.23.97.212 tell 72.23.97.1
20:17:12.780385 arp who-has 72.23.97.75 tell 72.23.97.1
20:17:13.200383 24.154.215.xx.1 > 207.59.xx.xxx.500:  udp 1392
20:17:13.257417 arp who-has 72.23.221.38 tell 72.23.221.1
20:17:13.930753 arp who-has 24.154.155.109 tell 24.154.155.1
20:17:14.606795 arp who-has 24.154.215.xx tell 24.154.215.1
20:17:14.621473 arp who-has 24.154.62.241 tell 24.154.62.1
20:17:15.777074 arp who-has 72.23.221.127 tell 72.23.221.1
20:17:16.619215 24.154.215.xx.1 > 207.59.xx.xxx.500:  udp 1392
20:17:20.654171 arp who-has 72.23.97.61 tell 72.23.97.1
20:17:20.657162 arp who-has 24.154.62.45 tell 24.154.62.1


I have tried to open port 1392 not sure if I did it right.

here is my current pix config.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_vpn_nat permit ip 192.168.1.0 255.255.255.0 host 207.59.xx.xxx
access-list inside_access_in permit ip any any
access-list inside_access_in permit udp any eq 1392 interface outside eq 1392
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 24.154.215.xx 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 24.154.215.0 1392 192.168.1.0 1392 netmask 255.255.255.0 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:7e289b645593c5565f2e40b62eb3c2c8
0
 
alg205 (Author) Commented:
OK here is the update.

I figured out what ports to open and I can login to my vpn now but it doesn't assign an IP address to my virtual adapter so my connection is still useless. Is there something else I need to open?
0
 
Cyclops3590 Commented:
that's really odd that you had to allow ports like that. by default higher security interfaces are allowed to go to lower security interfaces without exception. anyway, now it's the sonicwall as that is the device that issues out the ip for the vpn connection. And since I've never dealt with those I really can't help there. Since it works from home though, I'm wondering about how the sonicwall is configured. I know in a pix you have to allow nat traversal before it uses UDP/TCP encapsulation of protocol 50 or 51 instead of just the protocol. At home is your computer connected directly to the internet or to a nat device?
0
 
alg205 (Author) Commented:
At home my setup is Computer-->Cisco Pix-->Cable Modem. That's it.
0
 
alg205 (Author) Commented:
oh one more thing, I opened udp 500 to get the sonicwall to let me login. still can't get an ip address from sonicwall. Sonicwall does the DHCP and I can get an ip address when I bypass the Cisco Pix at home.
0
 
alg205 (Author) Commented:
I really appreciate your help. I will look at the settings on my Sonicwall here at work and see how it's setup and I will let you know. Even if you and I can't get this completely resolved you will still get some points because you did get me this far.
0
 
alg205 (Author) Commented:
Ok I checked the Sonicwall config and NAT-T was not enabled. I enabled it and I will give it a shot. I read about NAT-T and it definitely looks like the problem. I will post again tonight.
0
 
alg205 (Author) Commented:
After opening ports udp 500 and 4500, I was able to login to the vpn. I also allowed ports 50 and 51, not sure what that did. Once I enabled NAT-T on the Sonicwall Client, it assigned an IP address. I am up and running. Thanks for your help, I am awarding you the 500 points.
0
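Added example, not code from the thread, from Cisco or from SonicWall: a small Python parser for the tcpdump-style lines that the PIX capture above prints, with a classifier that counts IKE (udp/500), NAT-T (udp/4500) and ESP/AH (IP protocols 50/51) packets involving the VPN peer and reports where tunnel setup stops. It covers the capture step Cyclops3590 describes and the NAT-T point in the later replies: in these lines the port is the last dotted field of each address ("207.59.xx.xxx.500" is port 500) and the number after "udp" is the payload length in bytes. Assumptions: ESP/AH lines are printed the way tcpdump prints them, and both sample captures are constructed (the first reuses the masked lines posted in the thread, the second shows what a NAT-T session looks like on the wire).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

IKE_PORT = 500    # ISAKMP / IKE
NATT_PORT = 4500  # IPsec NAT traversal: ESP encapsulated in UDP

# "show capture" prints tcpdump-style lines. The number after "udp"/"tcp" is
# the payload length, not a port; the port is the last dotted field of each
# address ("207.59.xx.xxx.500" -> port 500).
UDP_TCP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<proto>udp|tcp)\s+(?P<length>\d+)"
)
# ESP (IP protocol 50) and AH (51) carry no ports. Assumption: they appear as
# tcpdump prints them, "ESP(spi=...)" / "AH(spi=...)" or "ip-proto-50/51".
ESP_AH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<proto>ESP|AH|ip-proto-50|ip-proto-51)"
)


@dataclass
class Packet:
    ts: str
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]
    proto: str            # "udp", "tcp", "esp" or "ah"
    length: Optional[int]


def split_host_port(token: str):
    """'24.154.215.xx.1' -> ('24.154.215.xx', 1); masked octets stay as text."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_line(line: str) -> Optional[Packet]:
    """Parse one capture line; ARP and other non-IP lines return None."""
    m = UDP_TCP_RE.match(line)
    if m:
        src_host, src_port = split_host_port(m["src"])
        dst_host, dst_port = split_host_port(m["dst"])
        return Packet(m["ts"], src_host, src_port, dst_host, dst_port,
                      m["proto"], int(m["length"]))
    m = ESP_AH_RE.match(line)
    if m:
        proto = "esp" if m["proto"] in ("ESP", "ip-proto-50") else "ah"
        return Packet(m["ts"], m["src"], None, m["dst"], None, proto, None)
    return None


def parse_capture(text: str) -> List[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def diagnose(packets: List[Packet], peer: str) -> dict:
    """Count IPsec control/data packets to and from the peer and say what the
    capture implies about where tunnel setup stops."""
    def udp_to(port):
        return sum(1 for p in packets if p.proto == "udp"
                   and p.dst_host == peer and p.dst_port == port)

    def udp_from(port):
        return sum(1 for p in packets if p.proto == "udp"
                   and p.src_host == peer and p.src_port == port)

    counts = {
        "ike_out": udp_to(IKE_PORT), "ike_in": udp_from(IKE_PORT),
        "natt_out": udp_to(NATT_PORT), "natt_in": udp_from(NATT_PORT),
        "esp_ah": sum(1 for p in packets if p.proto in ("esp", "ah")
                      and peer in (p.src_host, p.dst_host)),
    }
    if counts["ike_out"] == 0:
        verdict = "no IKE toward the peer: udp/500 is not leaving the outside interface"
    elif counts["ike_in"] == 0:
        verdict = "IKE requests leave but no replies arrive: peer not answering, or replies dropped"
    elif counts["natt_out"] and counts["natt_in"]:
        verdict = "IKE and NAT-T (udp/4500) flow both ways: tunnel data is UDP-encapsulated"
    elif counts["esp_ah"]:
        verdict = "IKE done, raw ESP/AH in use: only works with no PAT between client and peer"
    else:
        verdict = "IKE done but no ESP or udp/4500 seen: enable NAT-T on both ends when PAT is in the path"
    counts["verdict"] = verdict
    return counts


# Constructed sample: the two IKE packets from the capture posted in the
# thread (addresses masked as posted), with some of the ARP noise left in.
THREAD_CAPTURE = """\
20:17:12.780385 arp who-has 72.23.97.75 tell 72.23.97.1
20:17:13.200383 24.154.215.xx.1 > 207.59.xx.xxx.500:  udp 1392
20:17:14.606795 arp who-has 24.154.215.xx tell 24.154.215.1
20:17:16.619215 24.154.215.xx.1 > 207.59.xx.xxx.500:  udp 1392
"""

# Constructed sample of a working NAT-T session: IKE both ways, then udp/4500.
NATT_CAPTURE = """\
20:30:01.000000 24.154.215.xx.500 > 207.59.xx.xxx.500:  udp 388
20:30:01.050000 207.59.xx.xxx.500 > 24.154.215.xx.500:  udp 200
20:30:01.200000 24.154.215.xx.4500 > 207.59.xx.xxx.4500:  udp 292
20:30:01.250000 207.59.xx.xxx.4500 > 24.154.215.xx.4500:  udp 292
20:30:02.000000 24.154.215.xx.4500 > 207.59.xx.xxx.4500:  udp 92
"""

if __name__ == "__main__":
    for name, cap in (("thread", THREAD_CAPTURE), ("nat-t", NATT_CAPTURE)):
        print(name, diagnose(parse_capture(cap), "207.59.xx.xxx"))
```

On the thread's own lines the function reports two IKE requests toward the peer and no replies, which is what the capture visibly shows; the constructed NAT-T sample is what to look for once udp/4500 is permitted on the PIX and NAT-T is enabled on the SonicWall side. ESP has no port numbers, so a PAT device cannot map return ESP packets to an inside host; NAT-T avoids that by carrying ESP inside UDP 4500.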
 
alg205 (Author) Commented:
I am up and running. Thanks again for your help.
0