Solved

Need to add to ACL to allow a Sonicwall Global VPN Client from in to out through ASA 5520

Posted on 2009-04-13
6
1,646 Views
Last Modified: 2012-05-06
Having issues with consultant on the inside trying to VPN to his office Sonicwall.  I verified it works on an outside connection and I see his headend IP being denied in my ASA log.  His Sonicwall client never gets an IP.  It appears stuck at the "connecting" phase.

I already have an Outside access in ACL, can I just add the line below?
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq isakmp
...or is there more to it.
0
Comment
Question by:basec0m
  • 3
  • 2
6 Comments
 
LVL 6

Expert Comment

by:ricks_v
ID: 24134439
Haven't personally use sonicwall vpn, but if it uses ipsec try opening port 50 and 4500 as well.
isakmp is port 500
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24136594
To be clear, the chap tryign to use the Sonic GPVN client on his laptop to access *his* office is currently in YOUR office behind your ASA firewall?

I've never had problems with GVPN on a natted workstation behind a firewall getting OUT to see a host Sonicwall on my own lan. (Though I can't promise, obviously, that I've tried to do so in all possible situations!!!)   IME you should NOT need to "permit" any inwards traffic explicitly, only traffic which comes back in as a response to what his s/w sends out.

Are you permitting ANY outwards traffic from the workstation to the WAN? (And, of course, permitting back in the responses)?

If your log file shows denied packets at the time he's trying to connect can you not PERMIT such packets?

I'd also be interested to see what his Sonicwall log shows when he tries to connect - you can also increase the logging on the Global Client, which may produce useful input.

0
 

Author Comment

by:basec0m
ID: 24139244
Yes, the consultant is INSIDE trying to vpn OUTSIDE through my ASA to his sonicwall.  It appears his client is not receiving an IP from his sonicwall device.  My ASA appears to be blocking this.  I need to know the exact ACL to put in if anyone can help... Thanks

I have seen this in other configs
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq isakmp
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq non-500 isakmp
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 

Author Comment

by:basec0m
ID: 24140356
Oh, I forgot to add... I have already enabled nat-traversal 30....
0
 

Accepted Solution

by:
basec0m earned 0 total points
ID: 24142059
Nevermind... spoke with the admin on the other side and he enabled nat-t on his side.  Works like a charm now.  
Cheers
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24143493
Why doesn't he want to award points? its not costing him anything? And we were helping him and would've perhaps got to tghe buttom of the problem sooner if he'd actually posted some of the log entries he was seeing...
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question