Solved

How do I allow my Cisco VPN subnet users to browse local computers through SonicWall TZ210?

Posted on 2011-09-21
677 Views
Last Modified: 2012-05-12
I recently replaced my ASA 5505 with a SonicWall TZ210 because I wanted more reporting and gateway AV. My SonicWall only came with 2 SSL VPN and 15 client licenses. My Cisco ASA 5505 is still a great device so I am using it for VPN access to the network. I have a subnet of 192.168.38.x assigned to users that connect via the Cisco VPN but once they connect they can no longer connect to anything. I know when I installed the SonicWall I had to add a route to my second office's subnet and that works great now. I tried to do the same for the Cisco VPN subnet but it does not seem to be working. Any suggestions of what I need to add to the SonicWall or Cisco device to make the traffic work like before?

I currently have 4 subnets
Main office 192.168.18.x
West office 192.168.20.x
Sonic Wall L2TP 192.168.28.x
Cisco VPN 192.168.38.x

The Cisco is the only one not working.
Question by:dpickard

8 Comments
LVL 35

Expert Comment

by:Ernie Beek
ID: 36573996
So you want the VPN clients to be able to connect to the other three networks?

Looks like a routing/NAT issue to me. Can we have a look at the config of the ASA?

Author Comment

by:dpickard
ID: 36574262
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password U8NlZIxLmGMguJQQ encrypted
passwd U8NlZIxLmGMguJQQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.18.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list VPN_splitTunnelAcl standard permit 192.168.18.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.19.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.18.0 255.255.255.0 192.168.38.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.38.240 255.255.255.240
access-list outside_cryptomap extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq https
pager lines 24
logging enable
logging trap informational
logging history informational
logging asdm informational
logging from-address dpickard@plazare.com
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 192.168.38.240-192.168.38.250 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.18.13 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 192.168.20.0 255.255.255.0 192.168.18.1 1
route outside 0.0.0.0 0.0.0.0 66.148.149.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.18.0 255.255.255.0 inside
snmp-server host inside 192.168.18.12 community public version 2c
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  60
telnet 192.168.18.51 255.255.255.255 inside
telnet 192.168.18.78 255.255.255.255 inside
telnet timeout 5
ssh 192.168.18.51 255.255.255.255 inside
ssh 192.168.18.78 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
!
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd ping_timeout 60 interface inside
dhcpd domain corp.*********.com interface inside
dhcpd auto_config outside interface inside
!

webvpn
 enable outside
group-policy VPN internal
group-policy VPN attributes
 wins-server value 192.168.18.15 192.168.18.10
 dns-server value 192.168.18.15 192.168.18.10
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value corp.plazare.com
username ********* password WfkzEpwHgu1rEgzs encrypted privilege 0
username ******** attributes
 vpn-group-policy VPN
 group-lock value VPN
username ********** password ZcTRS/oD3tGTSGBU encrypted privilege 0
username ********** attributes
 vpn-group-policy VPN
username ********** password xXoxvfZCnZWlmSM. encrypted privilege 0
username ********** attributes
 vpn-group-policy VPN
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter auto-download
username *********** password nTvQShvhidZxQtJT encrypted privilege 0
username *********** attributes
 vpn-group-policy VPN
username *********** password WU4i3KI1YfEDat5H encrypted privilege 0
username************ attributes
 vpn-group-policy VPN
username ********** password jWldytVlFbBDxHqW encrypted privilege 0
username ********** attributes
 vpn-group-policy VPN
username ********* password ddk6vJNYGjlbGaRE encrypted privilege 0
username ********* attributes
 vpn-group-policy VPN
 group-lock value VPN
username********** password LKsiUX.QwG2w4s/H encrypted privilege 0
username ********** attributes
 vpn-group-policy VPN
username ********** password pyB3KRnsUDEMKmUW encrypted privilege 0
username ********** attributes
 vpn-group-policy VPN
username *********** password 9zkg0QiDp2LD9QcF encrypted privilege 0
username *********** attributes
 vpn-group-policy VPN
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPN_POOL
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:853bc4ecb2e28f16b24cd3af3f5fced3
: end
asdm image disk0:/asdm-524.bin
asdm location 192.168.20.87 255.255.255.255 inside
asdm history enable
LVL 18

Expert Comment

by:fgasimzade
ID: 36574368
ASA config looks fine. Are you sure there are routes configured on the 192.168.18.0 and 192.168.20.0 networks for the 192.168.38.0 network? If the SonicWall is your default gateway for those networks, make sure it has a route to 192.168.38.0 pointing to the ASA.

Accepted Solution

by:
dpickard earned 0 total points
ID: 36574749
That is where I am having the problem. I am unsure about how to add a rule or where to add it. Do I add it under routing? I tried doing a similar rule like I did with the one to my west office. Below is how I have the route set up to my west office. The 192.168.20.4 is a Cisco router supplied by our ISP. When I try to do a similar setup with 192.168.38.0 as the destination and the Cisco ASA as the gateway it crashes the SonicWall. Do I need to set it under routing or through access rules?

Source: Any
Destination: 192.168.20.0/255.255.255.0
Service: Any
Gateway: 192.168.20.4/255.255.255.255
Interface: X0
Metric:20
LVL 18

Expert Comment

by:fgasimzade
ID: 36574785
Well, I am not familiar with SonicWall, but I guess you need to set it up under routing.

Are you sure you pasted it correctly? Logically it should be like this:

Source: Any
Destination: 192.168.18.0/255.255.255.0
Service: Any
Gateway: 192.168.20.4/255.255.255.255
Interface: X0
Metric:20
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 36579953
One other thing: add the following to the ASA: 'sysopt connection permit-vpn'
The VPN clients should be able to see a lot more than that ;)

LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 36579984
And with regards to the routing, that should be something like:

Source: Any
Destination: 192.168.38.0/255.255.255.0
Service: Any
Gateway: 192.168.18.253/255.255.255.255
Interface: X0
Metric:2

The X0 interface is the one in the 192.168.8.0 network?
And as you can see, I personally would lower the metric.
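To tie the three answers together (the SonicWall return route, the ASA NAT exemption for the VPN pool, and the sysopt suggestion), here is an added audit script that is not from the thread or either vendor. It parses the relevant lines of the posted ASA config and a hypothetical list of SonicWall static routes, written as the Destination/Gateway pairs used above, and reports which split-tunnelled LAN lacks a NAT exemption for the pool (in the posted config, 192.168.19.0 is split-tunnelled but has no nat0 entry) and which pool addresses have no return route via the ASA's inside address.

```python
import ipaddress
import re

# Constructed excerpt: only the ASA lines that decide VPN-client reachability,
# copied from the config posted in the thread.
ASA_CONFIG = """
access-list VPN_splitTunnelAcl standard permit 192.168.18.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.19.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.18.0 255.255.255.0 192.168.38.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.38.240 255.255.255.240
ip local pool VPN_POOL 192.168.38.240-192.168.38.250 mask 255.255.255.0
"""
ASA_INSIDE_IP = "192.168.18.253"  # the ASA's Vlan1 address from the posted config

# Hypothetical SonicWall static routes in the thread's Destination/Gateway form:
# the existing west-office route plus the route Ernie Beek suggested.
SONICWALL_ROUTES = [
    ("192.168.20.0/255.255.255.0", "192.168.20.4"),
    ("192.168.38.0/255.255.255.0", "192.168.18.253"),
]

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def pool_addresses(config):
    """Expand 'ip local pool NAME first-last' into the individual client addresses."""
    m = re.search(r"ip local pool \S+ (\S+)-(\S+)", config)
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]

def split_tunnel_networks(config):
    return [net(a, m) for a, m in re.findall(r"VPN_splitTunnelAcl standard permit (\S+) (\S+)", config)]

def nat_exempt_pairs(config):
    pat = r"inside_nat0_outbound extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(net(sa, sm), net(da, dm)) for sa, sm, da, dm in re.findall(pat, config)]

def audit(config, routes, asa_inside_ip):
    """Report the gaps that would stop VPN clients reaching the split-tunnelled LANs."""
    pool, pairs = pool_addresses(config), nat_exempt_pairs(config)
    # 1. every split-tunnelled LAN needs a nat0 entry covering the whole pool
    missing_exempt = [str(lan) for lan in split_tunnel_networks(config)
                      if not all(any(src == lan and ip in dst for src, dst in pairs) for ip in pool)]
    # 2. the LAN gateway (SonicWall) needs a return route for the pool pointing at the ASA
    route_nets = [(net(*dst.split("/")), gw) for dst, gw in routes]
    unrouted = [str(ip) for ip in pool
                if not any(ip in dst and gw == asa_inside_ip for dst, gw in route_nets)]
    # 3. the thread recommends 'sysopt connection permit-vpn' so VPN traffic bypasses interface ACLs
    return {"lans_without_nat_exempt": missing_exempt,
            "pool_without_return_route": unrouted,
            "sysopt_permit_vpn_present": "sysopt connection permit-vpn" in config}
```

Running `audit(ASA_CONFIG, SONICWALL_ROUTES, ASA_INSIDE_IP)` flags only 192.168.19.0/24; pass an empty route list to see every pool address reported as lacking a return route.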

Author Closing Comment

by:dpickard
ID: 36708103
I had thought I had tried that but apparently I did not, because it did not crash when I did and now I can reach the computers. Now I just have to get DNS working right so I can RDP by hostnames instead of DNS. Thanks.
