dpickard
asked on
How do I allow my Cisco VPN subnet users to browse local computers through a SonicWall TZ210?
I recently replaced my ASA 5505 with a SonicWall TZ210 because I wanted more reporting and gateway AV. My SonicWall only came with 2 SSL VPN and 15 client licenses. My Cisco ASA 5505 is still a great device, so I am using it for VPN access to the network. I have a subnet of 192.168.38.x assigned to users that connect via the Cisco VPN, but once they connect they can no longer connect to anything. I know when I installed the SonicWall I had to add a route to my second office's subnet, and that works great now. I tried to do the same for the Cisco VPN subnet, but it does not seem to be working. Any suggestions on what I need to add to the SonicWall or Cisco device to make the traffic work like before?
I currently have 4 subnets
Main office 192.168.18.x
West office 192.168.20.x
Sonic Wall L2TP 192.168.28.x
Cisco VPN 192.168.38.x
The cisco is the only one not working.
ASKER
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password U8NlZIxLmGMguJQQ encrypted
passwd U8NlZIxLmGMguJQQ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.18.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list VPN_splitTunnelAcl standard permit 192.168.18.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.19.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.18.0 255.255.255.0 192.168.38.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.38.240 255.255.255.240
access-list outside_cryptomap extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq https
pager lines 24
logging enable
logging trap informational
logging history informational
logging asdm informational
logging from-address dpickard@plazare.com
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 192.168.38.240-192.168.38.250 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.18.13 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 192.168.20.0 255.255.255.0 192.168.18.1 1
route outside 0.0.0.0 0.0.0.0 66.148.149.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.18.0 255.255.255.0 inside
snmp-server host inside 192.168.18.12 community public version 2c
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 60
telnet 192.168.18.51 255.255.255.255 inside
telnet 192.168.18.78 255.255.255.255 inside
telnet timeout 5
ssh 192.168.18.51 255.255.255.255 inside
ssh 192.168.18.78 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
!
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd ping_timeout 60 interface inside
dhcpd domain corp.*********.com interface inside
dhcpd auto_config outside interface inside
!
webvpn
enable outside
group-policy VPN internal
group-policy VPN attributes
wins-server value 192.168.18.15 192.168.18.10
dns-server value 192.168.18.15 192.168.18.10
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value corp.plazare.com
username ********* password WfkzEpwHgu1rEgzs encrypted privilege 0
username ******** attributes
vpn-group-policy VPN
group-lock value VPN
username ********** password ZcTRS/oD3tGTSGBU encrypted privilege 0
username ********** attributes
vpn-group-policy VPN
username ********** password xXoxvfZCnZWlmSM. encrypted privilege 0
username ********** attributes
vpn-group-policy VPN
webvpn
functions url-entry file-access file-entry file-browsing mapi port-forward filter auto-download
username *********** password nTvQShvhidZxQtJT encrypted privilege 0
username *********** attributes
vpn-group-policy VPN
username *********** password WU4i3KI1YfEDat5H encrypted privilege 0
username ************ attributes
vpn-group-policy VPN
username ********** password jWldytVlFbBDxHqW encrypted privilege 0
username ********** attributes
vpn-group-policy VPN
username ********* password ddk6vJNYGjlbGaRE encrypted privilege 0
username ********* attributes
vpn-group-policy VPN
group-lock value VPN
username ********** password LKsiUX.QwG2w4s/H encrypted privilege 0
username ********** attributes
vpn-group-policy VPN
username ********** password pyB3KRnsUDEMKmUW encrypted privilege 0
username ********** attributes
vpn-group-policy VPN
username *********** password 9zkg0QiDp2LD9QcF encrypted privilege 0
username *********** attributes
vpn-group-policy VPN
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
address-pool VPN_POOL
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:853bc4ecb2e28f16b24cd3af3f5fced3
: end
asdm image disk0:/asdm-524.bin
asdm location 192.168.20.87 255.255.255.255 inside
asdm history enable
ASA config looks fine. Are you sure there are routes configured on the 192.168.18.0 and 192.168.20.0 networks for the 192.168.38.0 network? If the SonicWall is your default gateway for those networks, make sure it has a route to 192.168.38.0 pointing to the ASA.
ASKER CERTIFIED SOLUTION
Well, I am not familiar with SonicWall, but I guess you need to set it up under routing.
Are you sure you pasted it correctly? Logically it should be like this:
Source: Any
Destination: 192.168.18.0/255.255.255.0
Service: Any
Gateway: 192.168.20.4/255.255.255.255
Interface: X0
Metric: 20
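The two replies above make the same point: the VPN clients' traffic reaches the LAN through the ASA, but the LAN hosts send their replies to their default gateway (the SonicWall), which has no idea that 192.168.38.0/24 lives behind the ASA. The following Python model is an added illustration written for this thread, not configuration from either expert or from the devices; it walks a packet hop by hop using longest-prefix-match lookups and shows the forward path succeeding while the return path is lost until the SonicWall gets the static route. Everything beyond the posted ASA config is an assumption: the SonicWall's LAN address is taken to be 192.168.18.1 (the ASA's next hop for 192.168.20.0/24), the WAN addresses 203.0.113.x are constructed, and 192.168.38.241 is a constructed VPN client address from the pool.

```python
"""Hop-by-hop routing model for the TZ210 / ASA 5505 return-path problem.

Added illustration, not configuration from the thread. Device names, the
SonicWall LAN address 192.168.18.1, the 203.0.113.x WAN addresses and the
VPN client address 192.168.38.241 are assumptions/constructed values; the
ASA side (inside 192.168.18.253, pool 192.168.38.240-.250, nat0 ACL to
192.168.38.240/28) comes from the posted config.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, next-hop IP or None when directly connected, outgoing interface)
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]


class Device:
    def __init__(self, name: str, addresses: Dict[str, str],
                 routes: List[Tuple[str, Optional[str], str]]) -> None:
        self.name = name
        self.addresses = addresses  # interface -> IP address
        self.routes: List[Route] = [
            (ipaddress.ip_network(prefix), nexthop, iface) for prefix, nexthop, iface in routes
        ]

    def owns(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ipaddress.ip_address(a) == ip for a in self.addresses.values())

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match, as a real router does it: most specific prefix wins."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(devices: List[Device], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Forward a packet from `start` toward `dst`, returning the device names visited.
    The path ends in DELIVERED, NO ROUTE, LOST via <iface> (next hop is outside the
    modelled network, e.g. the ISP, which will not deliver RFC 1918 space) or LOOP."""
    by_name = {d.name: d for d in devices}
    by_addr = {ip: d.name for d in devices for ip in d.addresses.values()}
    dst_ip = ipaddress.ip_address(dst)
    path, cur = [start], by_name[start]
    for _ in range(max_hops):
        if cur.owns(dst_ip):
            path.append("DELIVERED")
            return path
        route = cur.lookup(dst_ip)
        if route is None:
            path.append("NO ROUTE")
            return path
        _prefix, nexthop, iface = route
        # Connected prefix: deliver on the link; otherwise hand to the next hop.
        target = str(dst_ip) if nexthop is None else nexthop
        nxt = by_addr.get(target)
        if nxt is None:
            path.append(f"LOST via {iface}")
            return path
        path.append(nxt)
        cur = by_name[nxt]
    path.append("LOOP")
    return path


def build_network(sonicwall_has_vpn_route: bool) -> List[Device]:
    """Main office only; West office omitted for brevity. All non-ASA values are assumed."""
    fileserver = Device("fileserver", {"eth0": "192.168.18.13"},
                        [("192.168.18.0/24", None, "eth0"),
                         ("0.0.0.0/0", "192.168.18.1", "eth0")])  # default gw = SonicWall
    sw_routes = [("192.168.18.0/24", None, "X0"), ("0.0.0.0/0", "203.0.113.1", "X1")]
    if sonicwall_has_vpn_route:
        # The route the thread recommends: VPN pool -> ASA inside address, interface X0.
        sw_routes.append(("192.168.38.0/24", "192.168.18.253", "X0"))
    sonicwall = Device("sonicwall", {"X0": "192.168.18.1", "X1": "203.0.113.10"}, sw_routes)
    asa = Device("asa", {"inside": "192.168.18.253", "outside": "203.0.113.20"},
                 [("192.168.18.0/24", None, "inside"),
                  ("192.168.20.0/24", "192.168.18.1", "inside"),   # from the posted config
                  ("192.168.38.240/28", None, "tunnel"),            # VPN_POOL, via the IPsec tunnel
                  ("0.0.0.0/0", "203.0.113.1", "outside")])
    # Split-tunnel client: only the VPN_splitTunnelAcl networks go through the tunnel.
    client = Device("vpn-client", {"tun0": "192.168.38.241"},
                    [("192.168.38.240/28", None, "tun0"),
                     ("192.168.18.0/24", "192.168.18.253", "tun0"),
                     ("192.168.20.0/24", "192.168.18.253", "tun0")])
    return [fileserver, sonicwall, asa, client]


def pool_is_nat_exempt(pool_first: str, pool_last: str, nat0_destination: str) -> bool:
    """Sanity check on the ASA side: the whole address pool must fall inside the
    nat0 ACL destination, or replies to some clients would be translated."""
    net = ipaddress.ip_network(nat0_destination)
    return ipaddress.ip_address(pool_first) in net and ipaddress.ip_address(pool_last) in net


if __name__ == "__main__":
    for has_route in (False, True):
        net = build_network(has_route)
        print(f"SonicWall route for 192.168.38.0/24: {has_route}")
        print("  client -> server :", " -> ".join(trace(net, "vpn-client", "192.168.18.13")))
        print("  server -> client :", " -> ".join(trace(net, "fileserver", "192.168.38.241")))
    print("VPN_POOL covered by nat0 ACL:", pool_is_nat_exempt("192.168.38.240", "192.168.38.250", "192.168.38.240/28"))
```

Run as is, the model reports the forward path as delivered in both cases and the return path as lost on the SonicWall's WAN interface until the static route is present, which matches the symptom of clients that connect successfully but cannot reach anything. The same trace is a useful habit when debugging any asymmetric setup with two gateways on one LAN: walk the reply path, not just the request path.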
ASKER
I had thought I had tried that, but apparently I did not, because it did not crash when I did and now I can reach the computers. Now I just have to get DNS working right so I can RDP by hostnames instead of DNS. Thanks.
Looks like a routing/NAT issue to me. Can we have a look at the config of the ASA?