dpickard asked:
How do I allow my Cisco VPN subnet users to browse local computers through a SonicWall TZ210?

I recently replaced my ASA 5505 with a SonicWall TZ210 because I wanted more reporting and gateway AV. My SonicWall only came with 2 SSL VPN and 15 client licenses. My Cisco ASA 5505 is still a great device, so I am using it for VPN access to the network. I have a subnet of 192.168.38.x assigned to users that connect via the Cisco VPN, but once they connect they can no longer connect to anything. I know when I installed the SonicWall I had to add a route to my second office's subnet, and that works great now. I tried to do the same for the Cisco VPN subnet, but it does not seem to be working. Any suggestions of what I need to add to the SonicWall or Cisco device to make the traffic work like before?

I currently have 4 subnets
Main office 192.168.18.x
West office 192.168.20.x
Sonic Wall L2TP 192.168.28.x
Cisco VPN 192.168.38.x

The Cisco is the only one not working.

Ernie Beek
So you want the VPN clients to be able to connect to the other three networks?

Looks like a routing/NAT issue to me. Can we have a look at the config of the ASA?
dpickard (ASKER)

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password U8NlZIxLmGMguJQQ encrypted
passwd U8NlZIxLmGMguJQQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.18.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list VPN_splitTunnelAcl standard permit 192.168.18.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.19.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.18.0 255.255.255.0 192.168.38.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.38.240 255.255.255.240
access-list outside_cryptomap extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq https
pager lines 24
logging enable
logging trap informational
logging history informational
logging asdm informational
logging from-address dpickard@plazare.com
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 192.168.38.240-192.168.38.250 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.18.13 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 192.168.20.0 255.255.255.0 192.168.18.1 1
route outside 0.0.0.0 0.0.0.0 66.148.149.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.18.0 255.255.255.0 inside
snmp-server host inside 192.168.18.12 community public version 2c
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  60
telnet 192.168.18.51 255.255.255.255 inside
telnet 192.168.18.78 255.255.255.255 inside
telnet timeout 5
ssh 192.168.18.51 255.255.255.255 inside
ssh 192.168.18.78 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
!
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd ping_timeout 60 interface inside
dhcpd domain corp.*********.com interface inside
dhcpd auto_config outside interface inside
!

webvpn
 enable outside
group-policy VPN internal
group-policy VPN attributes
 wins-server value 192.168.18.15 192.168.18.10
 dns-server value 192.168.18.15 192.168.18.10
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value corp.plazare.com
username ********* password WfkzEpwHgu1rEgzs encrypted privilege 0
username ******** attributes
 vpn-group-policy VPN
 group-lock value VPN
username ********** password ZcTRS/oD3tGTSGBU encrypted privilege 0
username ********** attributes
 vpn-group-policy VPN
username ********** password xXoxvfZCnZWlmSM. encrypted privilege 0
username ********** attributes
 vpn-group-policy VPN
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter auto-download
username *********** password nTvQShvhidZxQtJT encrypted privilege 0
username *********** attributes
 vpn-group-policy VPN
username *********** password WU4i3KI1YfEDat5H encrypted privilege 0
username ************ attributes
 vpn-group-policy VPN
username ********** password jWldytVlFbBDxHqW encrypted privilege 0
username ********** attributes
 vpn-group-policy VPN
username ********* password ddk6vJNYGjlbGaRE encrypted privilege 0
username ********* attributes
 vpn-group-policy VPN
 group-lock value VPN
username ********** password LKsiUX.QwG2w4s/H encrypted privilege 0
username ********** attributes
 vpn-group-policy VPN
username ********** password pyB3KRnsUDEMKmUW encrypted privilege 0
username ********** attributes
 vpn-group-policy VPN
username *********** password 9zkg0QiDp2LD9QcF encrypted privilege 0
username *********** attributes
 vpn-group-policy VPN
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPN_POOL
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:853bc4ecb2e28f16b24cd3af3f5fced3
: end
asdm image disk0:/asdm-524.bin
asdm location 192.168.20.87 255.255.255.255 inside
asdm history enable

The ASA config looks fine. Are you sure there are routes configured on the 192.168.18.0 and 192.168.20.0 networks for the 192.168.38.0 network? If the SonicWall is your default gateway for those networks, make sure it has a route to 192.168.38.0 pointing to the ASA.
Well, I am not familiar with SonicWall, but I guess you need to set it up under routing.

Are you sure you pasted it correctly? Logically it should be like this:

Source: Any
Destination: 192.168.18.0/255.255.255.0
Service: Any
Gateway: 192.168.20.4/255.255.255.255
Interface: X0
Metric: 20
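A small routing check, added here as an illustration and not part of the thread: it runs a longest-prefix-match lookup over a constructed SonicWall-style static route table built from the subnets in the question, showing that a LAN host's reply to a 192.168.38.x client follows the default route until a route for 192.168.38.0/24 pointing at the ASA inside address (192.168.18.253, from the posted config) is added, and it checks that the ASA's nat-exemption destination covers the whole VPN pool. The X0/X1 interface names and the 203.0.113.1 WAN gateway are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: str        # next hop; "0.0.0.0" marks a directly connected network
    interface: str
    metric: int = 20


def net(s):
    return ipaddress.ip_network(s)


# Constructed SonicWall-style static route table. The X0/X1 names and the
# 203.0.113.1 WAN gateway are assumptions; the subnets and the ASA inside
# address 192.168.18.253 come from the thread.
BASE_ROUTES = [
    Route(net("192.168.18.0/24"), "0.0.0.0", "X0", 1),   # directly connected main office LAN
    Route(net("0.0.0.0/0"), "203.0.113.1", "X1", 20),    # default route out to the WAN
]

# The route the thread concludes is missing: hand the Cisco VPN pool back to the ASA.
CISCO_VPN_ROUTE = Route(net("192.168.38.0/24"), "192.168.18.253", "X0", 20)


def lookup(routes, dst):
    """Longest-prefix match; among equal prefixes, the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.destination]
    return max(matches, key=lambda r: (r.destination.prefixlen, -r.metric), default=None)


def return_path_ok(routes, vpn_client_ip):
    """True if a LAN host's reply to a VPN client would be forwarded to the ASA."""
    r = lookup(routes, vpn_client_ip)
    return r is not None and r.gateway == "192.168.18.253"


def nat_exempt_covers_pool(pool_first, pool_last, exempt_net):
    """Check the ASA nat0 ACL destination (192.168.38.240/28 in the post) spans the pool."""
    exempt = net(exempt_net)
    return all(ipaddress.ip_address(ip) in exempt for ip in (pool_first, pool_last))


if __name__ == "__main__":
    client = "192.168.38.245"
    print("without route:", lookup(BASE_ROUTES, client))
    print("with route:   ", lookup(BASE_ROUTES + [CISCO_VPN_ROUTE], client))
    print("nat0 covers pool:", nat_exempt_covers_pool("192.168.38.240", "192.168.38.250", "192.168.38.240/28"))
```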
I had thought I had tried that, but apparently I did not, because it did not crash when I did, and now I can reach the computers. Now I just have to get DNS working right so I can RDP by hostnames instead of DNS. Thanks.