Solved

Need to add to ACL to allow a Sonicwall Global VPN Client from in to out through ASA 5520

Posted on 2009-04-13
6
1,659 Views
Last Modified: 2012-05-06
Having issues with consultant on the inside trying to VPN to his office Sonicwall.  I verified it works on an outside connection and I see his headend IP being denied in my ASA log.  His Sonicwall client never gets an IP.  It appears stuck at the "connecting" phase.

I already have an Outside access in ACL, can I just add the line below?
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq isakmp
...or is there more to it.
0
Comment
Question by:basec0m
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 6

Expert Comment

by:ricks_v
ID: 24134439
Haven't personally use sonicwall vpn, but if it uses ipsec try opening port 50 and 4500 as well.
isakmp is port 500
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24136594
To be clear, the chap tryign to use the Sonic GPVN client on his laptop to access *his* office is currently in YOUR office behind your ASA firewall?

I've never had problems with GVPN on a natted workstation behind a firewall getting OUT to see a host Sonicwall on my own lan. (Though I can't promise, obviously, that I've tried to do so in all possible situations!!!)   IME you should NOT need to "permit" any inwards traffic explicitly, only traffic which comes back in as a response to what his s/w sends out.

Are you permitting ANY outwards traffic from the workstation to the WAN? (And, of course, permitting back in the responses)?

If your log file shows denied packets at the time he's trying to connect can you not PERMIT such packets?

I'd also be interested to see what his Sonicwall log shows when he tries to connect - you can also increase the logging on the Global Client, which may produce useful input.

0
 

Author Comment

by:basec0m
ID: 24139244
Yes, the consultant is INSIDE trying to vpn OUTSIDE through my ASA to his sonicwall.  It appears his client is not receiving an IP from his sonicwall device.  My ASA appears to be blocking this.  I need to know the exact ACL to put in if anyone can help... Thanks

I have seen this in other configs
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq isakmp
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq non-500 isakmp
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 

Author Comment

by:basec0m
ID: 24140356
Oh, I forgot to add... I have already enabled nat-traversal 30....
0
 

Accepted Solution

by:
basec0m earned 0 total points
ID: 24142059
Nevermind... spoke with the admin on the other side and he enabled nat-t on his side.  Works like a charm now.  
Cheers
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24143493
Why doesn't he want to award points? its not costing him anything? And we were helping him and would've perhaps got to tghe buttom of the problem sooner if he'd actually posted some of the log entries he was seeing...
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question