Solved

Need to add to ACL to allow a Sonicwall Global VPN Client from in to out through ASA 5520

Posted on 2009-04-13
6
1,636 Views
Last Modified: 2012-05-06
Having issues with consultant on the inside trying to VPN to his office Sonicwall.  I verified it works on an outside connection and I see his headend IP being denied in my ASA log.  His Sonicwall client never gets an IP.  It appears stuck at the "connecting" phase.

I already have an Outside access in ACL, can I just add the line below?
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq isakmp
...or is there more to it.
0
Comment
Question by:basec0m
  • 3
  • 2
6 Comments
 
LVL 6

Expert Comment

by:ricks_v
ID: 24134439
Haven't personally use sonicwall vpn, but if it uses ipsec try opening port 50 and 4500 as well.
isakmp is port 500
0
 
LVL 16

Expert Comment

by:ccomley
ID: 24136594
To be clear, the chap tryign to use the Sonic GPVN client on his laptop to access *his* office is currently in YOUR office behind your ASA firewall?

I've never had problems with GVPN on a natted workstation behind a firewall getting OUT to see a host Sonicwall on my own lan. (Though I can't promise, obviously, that I've tried to do so in all possible situations!!!)   IME you should NOT need to "permit" any inwards traffic explicitly, only traffic which comes back in as a response to what his s/w sends out.

Are you permitting ANY outwards traffic from the workstation to the WAN? (And, of course, permitting back in the responses)?

If your log file shows denied packets at the time he's trying to connect can you not PERMIT such packets?

I'd also be interested to see what his Sonicwall log shows when he tries to connect - you can also increase the logging on the Global Client, which may produce useful input.

0
 

Author Comment

by:basec0m
ID: 24139244
Yes, the consultant is INSIDE trying to vpn OUTSIDE through my ASA to his sonicwall.  It appears his client is not receiving an IP from his sonicwall device.  My ASA appears to be blocking this.  I need to know the exact ACL to put in if anyone can help... Thanks

I have seen this in other configs
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq isakmp
access-list Outside_access_in extended permit udp host xx.xxx.xx.xxx any eq non-500 isakmp
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:basec0m
ID: 24140356
Oh, I forgot to add... I have already enabled nat-traversal 30....
0
 

Accepted Solution

by:
basec0m earned 0 total points
ID: 24142059
Nevermind... spoke with the admin on the other side and he enabled nat-t on his side.  Works like a charm now.  
Cheers
0
 
LVL 16

Expert Comment

by:ccomley
ID: 24143493
Why doesn't he want to award points? its not costing him anything? And we were helping him and would've perhaps got to tghe buttom of the problem sooner if he'd actually posted some of the log entries he was seeing...
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Lync - CUCM Integration Question 2 34
Internet Connection -- PING testing ? 1 42
ASA ISP failover 3 23
Cisco IPSec VPN Connection with Mac only sees Public folder 19 31
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question