Site-to-site VPN between Cisco ASA and SonicWall

Hi, I've got 2 Cisco ASAs in an Active/Standby configuration,

and I'm trying to establish a site-to-site VPN with a SonicWall in our remote office.

I've tried creating a VPN using the ASDM but it doesn't work.

The public IP on the outside interface on

ASA1 is 56.xx.xxx.21
ASA2 is 56.xx.xxx.22

I've also got 56.xx.xxx.23 free; if possible I can use it as a balancing IP, so if one ASA fails the other one can take over. (Is it possible?)
The SonicWall in the remote office is configured with the following settings.

IKE (Phase1) Proposal

Main Mode, group 2, 3DES-MD5, lifetime 86400

IPsec (Phase 2) proposal

ESP-3DES-MD5, lifetime 28800.


Can a SonicWall create an IPsec tunnel with a Cisco ASA? And how do I do it?

Any help will be greatly appreciated.


Result of the command: "show run"

: Saved
:
ASA Version 8.0(4) 
!
hostname ukhyperasa
domain-name ho.hypersystems.uk
enable password XXXXX2puquh encrypted
passwd xxxxxxxx2puquh encrypted
names
name 192.168.0.0 HS
name 56.xx.xxx.0 challenge
name 192.168.200.0 korea
name 56.xx.xxx.22 HO
!
interface GigabitEthernet0/0
 nameif inside
 security-level 85
 ip address 192.168.1.254 255.255.252.0 standby 192.168.1.253 
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif vlan16
 security-level 80
 ip address 192.168.3.254 255.255.252.0 
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif vlan17
 security-level 75
 ip address 10.17.3.254 255.255.252.0 
 ospf cost 10
!
interface GigabitEthernet0/3
 nameif Outside
 security-level 0
 ip address 52.xx.xxx.17 255.255.255.240 standby 52.xx.xxx.18 
 ospf cost 10
!
interface Management0/0
 description LAN/STATE Failover Interface
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ho.hypersystems.uk
access-list inside extended permit ip any any 
access-list inside extended permit ip host 192.168.3.200 any 
access-list inside extended permit icmp any any 
access-list cms extended permit icmp any any 
access-list cms extended permit tcp any host 52.xx.xxx.20 eq https 
access-list cms extended permit tcp any host 52.xx.xxx.20 eq www 
access-list cms extended permit tcp any host 52.xx.xxx.21 eq 6000 
access-list cms extended permit tcp any host 52.xx.xxx.21 eq 6001 
access-list cms extended permit tcp any host 52.xx.xxx.21 eq 6002 
access-list cms extended permit tcp any host 52.xx.xxx.21 eq 8030 
access-list cms extended permit tcp any host 52.xx.xxx.21 eq 9036 
access-list cms extended permit tcp any host 52.xx.xxx.23 eq 3001 
access-list cms extended permit tcp any host 52.xx.xxx.23 eq 3002 
access-list cms extended permit tcp any host 52.xx.xxx.23 eq 3003 
access-list cms extended permit tcp any host 52.xx.xxx.23 eq 3004 
access-list cms extended permit tcp any host 52.xx.xxx.23 eq 3005 
access-list cms extended permit tcp any host 52.xx.xxx.25 eq ftp 
access-list HS-l2l extended permit ip 192.168.1.0 255.255.252.0 HS 255.255.252.0 
access-list HS-l2l extended permit ip 192.168.2.0 255.255.252.0 HS 255.255.252.0 
access-list HS-l2l extended permit ip 192.168.3.0 255.255.252.0 HS 255.255.252.0 
access-list outside-no-nat extended permit ip 192.168.1.0 255.255.252.0 HS 255.255.252.0 
access-list outside-no-nat extended permit ip 192.168.2.0 255.255.252.0 HS 255.255.252.0 
access-list outside-no-nat extended permit ip 192.168.3.0 255.255.252.0 HS 255.255.252.0 
access-list outside-no-nat extended permit ip 192.168.1.0 255.255.252.0 korea 255.255.255.0 
access-list internal extended permit ip any any 
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.252.0 korea 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu vlan16 1500
mtu vlan17 1500
mtu Outside 1500
failover
failover lan unit primary
failover lan interface Failoverlink Management0/0
failover polltime unit 15 holdtime 45
failover link Failoverlink Management0/0
failover interface ip Failoverlink 192.168.100.1 255.255.255.0 standby 192.168.100.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 60
global (Outside) 1 interface
nat (inside) 0 access-list outside-no-nat
nat (inside) 1 192.168.1.0 255.255.252.0
static (inside,vlan16) 192.168.1.0 192.168.2.0 netmask 255.255.252.0 
static (inside,vlan17) 192.168.1.0 192.168.3.0 netmask 255.255.252.0 
static (vlan16,vlan17) 192.168.2.0 192.168.3.0 netmask 255.255.252.0 
static (inside,Outside) 52.xx.xxx.20 192.168.1.50 netmask 255.255.255.255 
static (inside,Outside) 52.xx.xxx.21 192.168.1.51 netmask 255.255.255.255 
static (inside,Outside) 52.xx.xxx.23 192.168.1.180 netmask 255.255.255.255 
static (inside,Outside) 52.xx.xxx.25 192.168.1.172 netmask 255.255.255.255 
access-group internal in interface inside
access-group internal in interface vlan16
access-group internal in interface vlan17
access-group cms in interface Outside
route Outside 0.0.0.0 0.0.0.0 52.xx.xxx.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map maptous 15 set security-association lifetime seconds 28800
crypto map maptous 15 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set connection-type answer-only
crypto map Outside_map 1 set peer HO 
crypto map Outside_map 1 set transform-set ESP-3DES-MD5
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map interface Outside
crypto isakmp identity address 
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.252.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 56.xx.xxx.22 type ipsec-l2l
tunnel-group 56.xx.xxx.22 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:3aec9862a6cc5c88373e766b9bd1a396
: end


harry738 asked:

zwart072 commented:
Yes, you can create a site-to-site VPN with a SonicWall firewall.

You wrote:
the public IP on the outside interface on
ASA1 is 56.xx.xxx.21
ASA2 is 56.xx.xxx.22
But in your configuration the IP address of the outside interface is 56.XX.XXX.17.
You should set up your SonicWall firewall to connect to the .17 address, unless you want to terminate the VPN on another device, in which case you should use the static command. What I made out of your question is that you want to terminate the VPN session on the ASA, and then you have to use the outside address, which is now .17.


harry738 (author) commented:
I'm so sorry, that's my mistake.

It's a typing mistake. ASA1 is 56.xx.xxx.17 and the SonicWall is pointing to .17.

nbywater commented:
What are you seeing in your debugs/logs? I know some other vendors do not like to have multiple entries in the encryption domain, so I would verify the SonicWall has the network specified the same way you do, and I am surprised the ASA allowed you to add 192.168.1.0/22 to the ACL. Also, if I remember correctly, the SonicWall has a couple of different ways of adding IPs to the encryption domain (or local traffic on the SonicWall):

host
range
network

Make sure that the remote end specifies a network. Cisco likes the subnet mask being sent in the encryption domain.

Hope this helps.
harry738 (author) commented:
OK, I got this working guys.

Basically I had to add the peer ID in the SonicWall and also in the ASDM for Cisco.

Secondly, the Americans managing the SonicWall had one of the IKE parameters wrong.

All sorted, thanks a lot for the help everyone.
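The two things this thread turned on, the peer identity on the ASA side and a mismatched IKE parameter on the SonicWall side, can be checked mechanically before raising a case with the remote admins. The script below is an added example, not code from the thread: it pulls the ISAKMP policy, transform-set, crypto-map peer (resolving `name` objects such as HO) and ipsec-l2l tunnel-group out of a cut-down, constructed excerpt of the posted ASA 8.x `show run`, and compares them with the SonicWall proposal quoted in the question. The SonicWall's own WAN address is not in the thread, so it is a labelled placeholder.

```python
import re
# Constructed excerpt modelled on the "show run" posted above (addresses are the placeholders as posted).
ASA_RUN = """\
name 56.xx.xxx.22 HO
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 1 set peer HO
crypto map Outside_map 1 set transform-set ESP-3DES-MD5
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 56.xx.xxx.22 type ipsec-l2l
"""
# Remote end as stated in the question; the SonicWall's WAN address is not given, so it is a placeholder.
SONICWALL = {"encryption": "3des", "hash": "md5", "group": "2", "lifetime": "86400",
             "transform": ("esp-3des", "esp-md5-hmac"), "wan": "SONICWALL-WAN-PLACEHOLDER"}
def parse_asa(text):
    """Collect the ASA 8.x settings that must agree with the remote peer, resolving 'name' objects."""
    cfg = {"names": {}, "policy": {}, "tsets": {}, "map": {}, "tgroups": set()}
    in_policy = False
    for line in text.splitlines():
        if not line.startswith(" "):                      # indented lines belong to the last stanza
            in_policy = line.startswith("crypto isakmp policy")
        if in_policy and (m := re.match(r" (encryption|hash|group|lifetime) (\S+)", line)):
            cfg["policy"][m[1]] = m[2]
        elif m := re.match(r"name (\S+) (\S+)", line):
            cfg["names"][m[2]] = m[1]                     # object name -> address
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["tsets"][m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            cfg["map"]["peer"] = cfg["names"].get(m[1], m[1])
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)", line):
            cfg["map"]["transform"] = cfg["tsets"].get(m[1], ())
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg["tgroups"].add(m[1])
    return cfg

def check_tunnel(asa, remote):
    """Return mismatch findings; an empty list means phase 1, phase 2 and peer identity line up."""
    f = [f"phase1 {k}: ASA {asa['policy'].get(k)} vs SonicWall {remote[k]}"
         for k in ("encryption", "hash", "group", "lifetime") if asa["policy"].get(k) != remote[k]]
    if asa["map"].get("transform") != remote["transform"]:
        f.append(f"phase2 transform-set {asa['map'].get('transform')} vs SonicWall {remote['transform']}")
    peer = asa["map"].get("peer")
    if peer != remote["wan"]:
        f.append(f"crypto map peer {peer} is not the SonicWall WAN address {remote['wan']}")
    if peer not in asa["tgroups"]:
        f.append(f"no ipsec-l2l tunnel-group named {peer} (the ASA selects the pre-shared key by peer address)")
    return f
```

On the posted config the only finding is the peer: the crypto map points at HO (56.xx.xxx.22, one of the ASA's own addresses as listed in the question) rather than at the SonicWall, while the phase 1 and phase 2 proposals already match what the question quotes.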
