SonicWall / Cisco VPN compatibility

bill_lynch
Greetings:

I am attempting to connect via a SonicWall VPN to a client of ours.  We use an ASA firewall here at the office.  I get authenticated to the VPN but I do not receive an address.  It's been proven that the SonicWall VPN works fine outside of the office.  Are there ports that need to be opened on an ASA firewall to get the IP address from the SonicWall, or ports from the SonicWall that need to be opened in general?

Thanks,
Bill
Could you paste your config or ACLs?

Author

Commented:
Not at the moment.  I am behind the company's firewall and the person with the password isn't here.  I have the same firewall at home so I'll try to connect up in like 3 or 4 hours and I'll post my config.  I just wanted to post the question now to see if someone had run into this and knew off the top of their head what they did to resolve it.
It sounds to me like either an ACL issue or a CBAC inspect issue right now.

Author

Commented:
Alright.  I'll get the config on here later tonight.
Does this occur on more than one machine at your office there?

Author

Commented:
Yes.  We've tested from multiple machines, multiple platforms.  We've tweaked every SonicWall VPN client property that we found via the web.  We've narrowed it down to the ASA.  I have an ASA at home as well so I'll be able to confirm this in a few hours.

Author

Commented:
Alright, here it is.  As expected, I can't connect via the SonicWall VPN from the ASA at the house either:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 mac-address 001a.a026.f333
 nameif outside
 security-level 5
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec Warning!  Unauthorized Access Not Permitted!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.1
 domain-name default.domain.invalid
access-list fromoutside extended permit icmp any any
access-list fromoutside extended permit icmp any any echo
access-list fromoutside extended permit icmp any any echo-reply
access-list fromoutside extended permit icmp any any unreachable
access-list fromoutside extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group fromoutside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222
dhcpd auto_config outside
!
dhcpd address 192.168.10.2-192.168.10.33 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fe6961e1780e4eddbb2d4ed91203dc71
: end
What is the network scheme at the client and at home? Are they also 192.168.10.x?
@ naughton - His problem involves SonicWALL GVC, not a site-to-site. And that firmware version you linked to is very old, I doubt the client is running that.
@ bill_lynch - Try running the following commands, it looks like you need to enable VPN pass-through on your global inspect and NAT-Traversal:

crypto isakmp nat-traversal

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

You might have to allow port 500 and 4500 from the outside as well:
access-list fromoutside extended permit udp any any eq 500
access-list fromoutside extended permit udp any any eq 4500

Commented:
this also:

access-list fromoutside extended permit esp any any
access-list fromoutside extended permit ah any any
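The two suggestions above (ISAKMP NAT-T plus the ipsec-pass-thru inspection in the global policy, and inbound permits for UDP 500/4500, ESP and AH on the outside ACL) can be checked mechanically against a saved running-config before and after the change. The script below is an added example, not code from this thread, from Cisco or from SonicWALL: it parses an ASA config text and reports which of those settings are absent. The sample input is a trimmed copy of the config bill_lynch posted, and the "fixed" variant is constructed here by splicing in the lines from the two comments. All function and variable names are this script's own.

```python
"""Audit an ASA running-config for the IPsec pass-through settings discussed
in the thread: ISAKMP NAT-T, 'inspect ipsec-pass-thru' under
policy-map global_policy / class inspection_default, the global service-policy,
and inbound permits for UDP 500/4500, ESP and AH on the ACL bound to outside."""

import re
from typing import List, Tuple

# Each pattern is matched against the permit ACEs of the outside ACL.
# ESP/AH may appear by name or by IP protocol number (50/51).
ACL_NEEDS = {
    "udp/500 (isakmp)": re.compile(r"\bpermit udp\b.*\beq (500|isakmp)\b"),
    "udp/4500 (nat-t)": re.compile(r"\bpermit udp\b.*\beq 4500\b"),
    "esp": re.compile(r"\bpermit (esp|50)\b"),
    "ah": re.compile(r"\bpermit (ah|51)\b"),
}


def parse_asa_config(text: str) -> List[Tuple[int, str]]:
    """Return (indent, line) pairs, dropping blanks, '!' separators and ': end'."""
    entries = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(("!", ":")):
            continue
        entries.append((len(raw) - len(raw.lstrip(" ")), stripped))
    return entries


def block_children(entries: List[Tuple[int, str]], header: str) -> List[Tuple[int, str]]:
    """Lines nested under the top-level command `header` (exact match)."""
    kids, inside = [], False
    for indent, line in entries:
        if indent == 0:
            inside = line == header
        elif inside:
            kids.append((indent, line))
    return kids


def audit_vpn_passthrough(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means every checked setting is present."""
    entries = parse_asa_config(config_text)
    top = [line for indent, line in entries if indent == 0]
    findings = []

    if not any(l.startswith("crypto isakmp nat-traversal") for l in top):
        findings.append("missing: crypto isakmp nat-traversal")

    # Look for 'inspect ipsec-pass-thru' only inside class inspection_default.
    current_class, found_inspect = None, False
    for _, line in block_children(entries, "policy-map global_policy"):
        if line.startswith("class "):
            current_class = line
        elif current_class == "class inspection_default" and line.startswith("inspect ipsec-pass-thru"):
            found_inspect = True
    if not found_inspect:
        findings.append("missing: inspect ipsec-pass-thru under policy-map global_policy / class inspection_default")
    if "service-policy global_policy global" not in top:
        findings.append("missing: service-policy global_policy global")

    # Find the ACL applied inbound on outside, then check its permit ACEs.
    acl_name = None
    for l in top:
        m = re.match(r"access-group (\S+) in interface outside$", l)
        if m:
            acl_name = m.group(1)
    if acl_name is None:
        findings.append("no ACL applied inbound on interface outside")
    aces = [l for l in top if acl_name and l.startswith(f"access-list {acl_name} ") and " permit " in l]
    for label, pattern in ACL_NEEDS.items():
        if not any(pattern.search(a) for a in aces):
            findings.append(f"ACL {acl_name or '(none)'}: no permit for {label}")
    return findings


# Trimmed copy of the config posted in the thread (sample input).
POSTED_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 5
 ip address dhcp setroute
!
access-list fromoutside extended permit icmp any any
access-list fromoutside extended permit icmp any any echo-reply
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group fromoutside in interface outside
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect netbios
  inspect tftp
!
service-policy global_policy global
"""

# Constructed here: the posted config with the lines from the two comments spliced in.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "access-group fromoutside in interface outside",
    "access-list fromoutside extended permit udp any any eq 500\n"
    "access-list fromoutside extended permit udp any any eq 4500\n"
    "access-list fromoutside extended permit esp any any\n"
    "access-list fromoutside extended permit ah any any\n"
    "access-group fromoutside in interface outside\n"
    "crypto isakmp nat-traversal",
).replace("  inspect tftp\n", "  inspect tftp\n  inspect ipsec-pass-thru\n")

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit_vpn_passthrough(cfg) or 'no findings'}")
```

Run it against a `show running-config` capture; on the posted config it lists the missing NAT-T, inspection and four ACL permits, and on the spliced-in version it reports nothing. The ACL check is deliberately loose (any permit matching the protocol/port, not just `any any`) so it does not flag configs that scope the permits to the client's peer address.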

Author

Commented:
almost answer.
