Solved

Need to add to ACL to allow a Sonicwall Global VPN Client from in to out through ASA 5520

Posted on 2009-04-13
1,674 Views
Last Modified: 2012-05-06
Having issues with consultant on the inside trying to VPN to his office Sonicwall.  I verified it works on an outside connection and I see his headend IP being denied in my ASA log.  His Sonicwall client never gets an IP.  It appears stuck at the "connecting" phase.

I already have an Outside access in ACL, can I just add the line below?
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq isakmp
...or is there more to it?
Question by:basec0m
6 Comments
 
LVL 6

Expert Comment

by:ricks_v
ID: 24134439
Haven't personally used sonicwall vpn, but if it uses ipsec try opening port 50 and 4500 as well.
isakmp is port 500
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24136594
To be clear, the chap trying to use the Sonic GPVN client on his laptop to access *his* office is currently in YOUR office behind your ASA firewall?

I've never had problems with GVPN on a natted workstation behind a firewall getting OUT to see a host Sonicwall on my own lan. (Though I can't promise, obviously, that I've tried to do so in all possible situations!!!)   IME you should NOT need to "permit" any inwards traffic explicitly, only traffic which comes back in as a response to what his s/w sends out.

Are you permitting ANY outwards traffic from the workstation to the WAN? (And, of course, permitting back in the responses)?

If your log file shows denied packets at the time he's trying to connect can you not PERMIT such packets?

I'd also be interested to see what his Sonicwall log shows when he tries to connect - you can also increase the logging on the Global Client, which may produce useful input.

0
 

Author Comment

by:basec0m
ID: 24139244
Yes, the consultant is INSIDE trying to vpn OUTSIDE through my ASA to his sonicwall.  It appears his client is not receiving an IP from his sonicwall device.  My ASA appears to be blocking this.  I need to know the exact ACL to put in if anyone can help... Thanks

I have seen this in other configs
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq isakmp
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq non-500 isakmp
0

Author Comment

by:basec0m
ID: 24140356
Oh, I forgot to add... I have already enabled nat-traversal 30....
0
 

Accepted Solution

by:
basec0m earned 0 total points
ID: 24142059
Never mind... spoke with the admin on the other side and he enabled nat-t on his side.  Works like a charm now.
Cheers
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24143493
Why doesn't he want to award points? It's not costing him anything. And we were helping him and would've perhaps got to the bottom of the problem sooner if he'd actually posted some of the log entries he was seeing...
0
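As an added example (constructed here, not from the thread or from any Cisco tooling), a small Python triage script that pulls %ASA-4-106023 ACL-deny messages out of ASA syslog and counts which IPsec components (IKE on udp/500, NAT-T on udp/4500, ESP as IP protocol 50) are being dropped for a given peer, which is the log evidence ccomley asked for. The log lines, hostnames and addresses are made up; seeing ESP denied while IKE is let through is the pattern behind the fix this thread ended on: without NAT-T the returning ESP packets carry no UDP port to match the outbound translation, whereas with NAT-T on both ends the tunnel rides on udp/4500 and the replies match the existing connection.

```python
import re
from collections import Counter

# Shape of ASA syslog %ASA-4-106023 (ACL deny). udp/tcp carry a /port on each
# address; other IP protocols (e.g. ESP = protocol 50) carry none.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>udp|tcp|protocol \d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample log (not from the thread). 203.0.113.7 stands in for the
# consultant's SonicWall head end; 192.168.10.25 is the laptop behind the ASA.
SAMPLE_LOG = """
Apr 13 2009 10:02:11 fw1 : %ASA-4-106023: Deny udp src outside:203.0.113.7/500 dst inside:192.168.10.25/500 by access-group "Outside_access_in" [0x0, 0x0]
Apr 13 2009 10:02:13 fw1 : %ASA-4-106023: Deny udp src outside:203.0.113.7/500 dst inside:192.168.10.25/500 by access-group "Outside_access_in" [0x0, 0x0]
Apr 13 2009 10:02:15 fw1 : %ASA-4-106023: Deny protocol 50 src outside:203.0.113.7 dst inside:192.168.10.25 by access-group "Outside_access_in" [0x0, 0x0]
Apr 13 2009 10:02:16 fw1 : %ASA-4-106023: Deny udp src outside:203.0.113.7/4500 dst inside:192.168.10.25/4500 by access-group "Outside_access_in" [0x0, 0x0]
Apr 13 2009 10:02:20 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/44121 dst inside:192.168.10.25/445 by access-group "Outside_access_in" [0x0, 0x0]
""".strip().splitlines()

def classify(rec):
    """Map one parsed deny record to the IPsec component it belongs to, or None."""
    if rec["proto"] == "protocol 50":
        return "ESP"
    if rec["proto"] == "udp":
        ports = {int(p) for p in (rec["sport"], rec["dport"]) if p}
        if 500 in ports:
            return "IKE/ISAKMP (udp/500)"
        if 4500 in ports:
            return "NAT-T (udp/4500)"
    return None

def parse_denies(lines):
    """Yield the parsed fields of every ACL-deny line; other messages are skipped."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()

def ipsec_denies_for_peer(lines, peer_ip):
    """Count denied IPsec traffic, by component, to or from peer_ip."""
    counts = Counter()
    for rec in parse_denies(lines):
        if peer_ip in (rec["src"], rec["dst"]):
            kind = classify(rec)
            if kind:
                counts[kind] += 1
    return dict(counts)
```

Run it against a real ASA syslog export with the head-end address from your own deny messages; a non-zero ESP count with no NAT-T entries is the case where NAT-T must be enabled on both peers.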
