Solved

Need to add to ACL to allow a Sonicwall Global VPN Client from in to out through ASA 5520

Posted on 2009-04-13
Medium Priority
1,720 Views
Last Modified: 2012-05-06
Having issues with consultant on the inside trying to VPN to his office Sonicwall.  I verified it works on an outside connection and I see his headend IP being denied in my ASA log.  His Sonicwall client never gets an IP.  It appears stuck at the "connecting" phase.

I already have an Outside access in ACL, can I just add the line below?
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq isakmp
...or is there more to it?
Question by:basec0m
6 Comments
 
LVL 6

Expert Comment

by:ricks_v
ID: 24134439
Haven't personally used SonicWall VPN, but if it uses IPsec, try opening port 50 and 4500 as well.
ISAKMP is port 500.
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24136594
To be clear, the chap trying to use the Sonic GVPN client on his laptop to access *his* office is currently in YOUR office behind your ASA firewall?

I've never had problems with GVPN on a natted workstation behind a firewall getting OUT to see a host Sonicwall on my own lan. (Though I can't promise, obviously, that I've tried to do so in all possible situations!!!)   IME you should NOT need to "permit" any inwards traffic explicitly, only traffic which comes back in as a response to what his s/w sends out.

Are you permitting ANY outwards traffic from the workstation to the WAN? (And, of course, permitting back in the responses)?

If your log file shows denied packets at the time he's trying to connect can you not PERMIT such packets?

I'd also be interested to see what his Sonicwall log shows when he tries to connect - you can also increase the logging on the Global Client, which may produce useful input.

0
 

Author Comment

by:basec0m
ID: 24139244
Yes, the consultant is INSIDE trying to vpn OUTSIDE through my ASA to his sonicwall.  It appears his client is not receiving an IP from his sonicwall device.  My ASA appears to be blocking this.  I need to know the exact ACL to put in if anyone can help... Thanks

I have seen this in other configs:
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq isakmp
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq non-500 isakmp
0
 

Author Comment

by:basec0m
ID: 24140356
Oh, I forgot to add... I have already enabled nat-traversal 30....
0
 

Accepted Solution

by:
basec0m earned 0 total points
ID: 24142059
Nevermind... spoke with the admin on the other side and he enabled nat-t on his side.  Works like a charm now.  
Cheers
0
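The thread never shows the ASA log entries that ccomley asked for, so here is an added example (my own code, not from the thread, from Cisco or from SonicWall) that does what the author could have done with them: read ASA %ASA-4-106023 "Deny ... by access-group" lines, label each denied flow as ISAKMP (UDP/500), NAT-T (UDP/4500) or ESP (IP protocol 50, which the ASA logs as "protocol 50"), and emit the narrowest Outside_access_in entry that would have permitted it from that one headend. It also explains why the accepted fix (NAT-T on the headend) worked: ESP has no ports, so with PAT the ASA cannot tie the headend's returning ESP to the client's outbound UDP/500 connection and drops it on the inbound ACL, whereas NAT-T carries ESP inside UDP/4500, which the ASA tracks statefully. The log lines, addresses (203.0.113.10, 198.51.100.7, 192.168.1.50), ACL name and function names are constructed for this example.

```python
"""Classify Cisco ASA 106023 deny lines seen while an inside IPsec client
connects to a remote headend, and map each to an inbound ACL entry."""
import re

# Message 106023: Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>]
# by access-group "<acl>".  TCP/UDP carry ports; ESP is logged by protocol
# number ("protocol 50") and carries no port at all.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+(?: \d+)?) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? '
    r'by access-group "(?P<acl>[^"]+)"'
)

PROTO_NAMES = {"protocol 50": "esp", "protocol 51": "ah"}

# (protocol, destination port) -> (role, permit clause).  "isakmp" is a port
# name the ASA understands; 4500 (NAT-T) is written numerically; ESP is an IP
# protocol, so its clause names the protocol rather than "udp ... eq <port>".
IPSEC_ROLES = {
    ("udp", 500):  ("isakmp", "udp host {peer} any eq isakmp"),
    ("udp", 4500): ("nat-t",  "udp host {peer} any eq 4500"),
    ("esp", None): ("esp",    "esp host {peer} any"),
}

# Constructed sample log: one stray ISAKMP packet, two ESP packets from the
# headend, one unrelated SMB probe and one non-deny message.
SAMPLE_LOG = [
    '%ASA-4-106023: Deny udp src outside:203.0.113.10/500 dst inside:192.168.1.50/500 '
    'by access-group "Outside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny protocol 50 src outside:203.0.113.10 dst inside:192.168.1.50 '
    'by access-group "Outside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny protocol 50 src outside:203.0.113.10 dst inside:192.168.1.50 '
    'by access-group "Outside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:192.168.1.50/445 '
    'by access-group "Outside_access_in" [0x0, 0x0]',
    '%ASA-6-302015: Built outbound UDP connection 4711 for outside:203.0.113.10/500 '
    '(203.0.113.10/500) to inside:192.168.1.50/500 (192.168.1.50/500)',
]


def parse_deny(line):
    """Return the fields of a 106023 deny line as a dict, or None otherwise."""
    m = DENY_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    proto = flow["proto"].lower()
    flow["proto"] = PROTO_NAMES.get(proto, proto)
    for key in ("sport", "dport"):
        flow[key] = int(flow[key]) if flow[key] else None
    return flow


def ipsec_role(flow):
    """Return (role, permit clause) for an IPsec-related flow, else None."""
    dport = flow["dport"] if flow["proto"] == "udp" else None
    return IPSEC_ROLES.get((flow["proto"], dport))


def suggest_acl(lines):
    """For every denied IPsec flow that arrived on 'outside', return one
    deduplicated ACL line per (ACL, peer, role), plus a note for ESP
    explaining why NAT-T is the better fix than an explicit permit."""
    acl_lines, notes, seen = [], [], set()
    for line in lines:
        flow = parse_deny(line)
        if flow is None or flow["sif"] != "outside":
            continue
        hit = ipsec_role(flow)
        if hit is None:
            continue
        role, clause = hit
        key = (flow["acl"], flow["src"], role)
        if key in seen:
            continue
        seen.add(key)
        acl_lines.append(
            f"access-list {flow['acl']} extended permit "
            + clause.format(peer=flow["src"])
        )
        if role == "esp":
            notes.append(
                f"{flow['src']}: ESP (IP protocol 50) has no ports, so with PAT "
                "the ASA cannot tie these packets to the client's outbound "
                "UDP/500 connection and drops them on the inbound ACL; phase 1 "
                "completes but nothing carried inside the tunnel ever arrives. "
                "Enabling NAT-T on the headend wraps ESP in UDP/4500, which the "
                "ASA tracks statefully, so no inbound permit is needed."
            )
    return acl_lines, notes


if __name__ == "__main__":
    acl, notes = suggest_acl(SAMPLE_LOG)
    print("\n".join(acl))
    print("\n".join(notes))
```

Run against the sample it prints a permit for UDP/500 and one for ESP, both restricted to the single headend address rather than `any`, and the ESP note. On a real box the preferred order is: get NAT-T negotiated on both ends (the author already had `isakmp nat-traversal` on the ASA; the headend needed it too), or add `inspect ipsec-pass-thru` to the ASA policy-map so it associates ESP with the ISAKMP connection; only fall back to a per-host `permit esp` on the outside ACL when neither is possible, and never widen it to `any`.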
 
LVL 17

Expert Comment

by:ccomley
ID: 24143493
Why doesn't he want to award points? It's not costing him anything. And we were helping him and would've perhaps got to the bottom of the problem sooner if he'd actually posted some of the log entries he was seeing...
0
