Troubleshooting question: Sonicwall to ASA5505

chipsch asked on Experts Exchange (tags: SBS, Hardware Firewalls, Cisco)
4 comments, 1 solution, 401 views
Really odd issue happened last night on a cutover for someone from a Sonicwall to an ASA 5505. The configuration on the ASA mirrors the Sonicwall as far as I can tell. The issue at hand was that after the cutover, connectivity to their SBS server running Exchange, etc. went to complete garbage or just flat out no connectivity. Not sure what could be causing the issue. Config is below. Also, all of the VPNs came up, so the problem just seems to be traffic addressed to 192.168.1.241.

ASA Version 8.2(1)
!
hostname Dallas-asa
enable password 3N9Rti.OPnKePLiY encrypted
passwd 3N9Rti.OPnKePLiY encrypted
names
name x.x.16.18 WAN_IP
name 192.168.1.253 LAN_GW
name x Rancid_Pub
name x TYLER
name x AUSTIN-GEORGETOWN
name x FORT-WORTH
name x Orion_Ext
name x Matrix-ASA
!
interface Vlan1
 description _AUSTIN_LAN
 nameif inside
 security-level 100
 ip address LAN_GW 255.255.255.0
!
interface Vlan2
 description _Fort_Worth_WAN
 nameif outside
 security-level 0
 ip address WAN_IP 255.255.255.248
!
interface Ethernet0/0
 description Outside_Physical_Interface
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside_Physical_Interface
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone EST -6
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DALLAS-DNS
 name-server 12.127.17.71
 name-server 12.127.17.72
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list TYLER-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list AUSTIN-GEORGETOWN-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list FORT-WORTH-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HUB-VPN extended permit ip 192.168.1.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list outside-in extended permit tcp any host x.x.16.19 eq https
access-list outside-in extended permit tcp any host x.x.16.19 eq www
access-list outside-in extended permit tcp any host x.x.16.19 eq 987
access-list outside-in extended permit tcp any host x.x.16.19 eq smtp
access-list outside-in extended permit udp any host x.x.16.19 eq sip
access-list outside-in extended permit tcp any host x.x.16.19 eq 4125
access-list outside-in extended permit tcp any host x.x.16.19 eq 67
access-list outside-in extended permit tcp any host x.x.16.20 eq www
access-list outside-in extended permit tcp any host x.x.16.20 eq ident
access-list outside-in extended permit tcp any host x.x.16.20 eq 68
access-list outside-in extended permit udp any host x.x.16.20 eq bootps
access-list outside-in extended permit tcp any host x.x.16.20 eq 67
access-list outside-in extended permit tcp any host x.x.16.19 eq 220
access-list outside-in extended permit tcp any any eq ftp-data
access-list outside-in extended permit tcp any any eq ftp
access-list Split_Tunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1404
ip local pool DALLAS-IP 192.168.1.55-192.168.1.61 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 dns
static (inside,outside) x.x.16.19 192.168.1.241 netmask 255.255.255.255 dns
static (inside,outside) x.x.16.20 192.168.1.130 netmask 255.255.255.255 dns
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.16.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication secure-http-client
http server enable
http 192.168.1.0 255.255.255.0 inside
http x.x.192.0 255.255.240.0 outside
snmp-server host outside Orion_Ext community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DALLAS-RA-DYN 5 set transform-set ESP-3DES-MD5
crypto dynamic-map DALLAS-RA-DYN 5 set security-association lifetime seconds 28800
crypto dynamic-map DALLAS-RA-DYN 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map DALLAS-RA-DYN 5 set reverse-route
crypto map VPN 10 match address AUSTIN-GEORGETOWN-VPN
crypto map VPN 10 set peer AUSTIN-GEORGETOWN
crypto map VPN 10 set transform-set ESP-3DES-SHA
crypto map VPN 10 set security-association lifetime seconds 43200
crypto map VPN 10 set security-association lifetime kilobytes 4608000
crypto map VPN 20 match address FORT-WORTH-VPN
crypto map VPN 20 set peer FORT-WORTH
crypto map VPN 20 set transform-set ESP-3DES-MD5
crypto map VPN 20 set security-association lifetime seconds 28800
crypto map VPN 20 set security-association lifetime kilobytes 4608000
crypto map VPN 30 match address TYLER-VPN
crypto map VPN 30 set peer TYLER
crypto map VPN 30 set transform-set ESP-3DES-MD5
crypto map VPN 30 set security-association lifetime seconds 43200
crypto map VPN 30 set security-association lifetime kilobytes 4608000
crypto map VPN 30 set phase1-mode aggressive
crypto map VPN 40 match address MATRIX-VPN
crypto map VPN 40 set peer Matrix-ASA
crypto map VPN 40 set transform-set ESP-3DES-MD5
crypto map VPN 40 set security-association lifetime seconds 28800
crypto map VPN 40 set security-association lifetime kilobytes 4608000
crypto map VPN 50 ipsec-isakmp dynamic DALLAS-RA-DYN
crypto map VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 43200
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh x.x.204.2 255.255.255.255 outside
ssh Rancid_Pub 255.255.255.255 outside
ssh x.x.192.0 255.255.240.0 outside
ssh timeout 20
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GYPSUM-DALLAS internal
group-policy GYPSUM-DALLAS attributes
 dns-server value 192.168.1.241
 vpn-idle-timeout 15
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
 default-domain value gsl.local
username chip password e2GN4bAXCXhxr9mH encrypted privilege 0
username matrix password JQyslF4czTpWR12W encrypted privilege 15
tunnel-group x.x.12.50 type ipsec-l2l
tunnel-group x.x.12.50 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.101.186 type ipsec-l2l
tunnel-group x.x.101.186 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.10.14 type ipsec-l2l
tunnel-group x.x.10.14 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.192.70 type ipsec-l2l
tunnel-group x.x.192.70 ipsec-attributes
 pre-shared-key *
tunnel-group DALLAS type remote-access
tunnel-group DALLAS general-attributes
 address-pool DALLAS-IP
 default-group-policy GYPSUM-DALLAS
tunnel-group DALLAS ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 5
!
!
prompt hostname context
Cryptochecksum:a6c1ec8c9e124f4ffe9cb993a887fc22
: end
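As an added example (not part of the question or of any answer on this page), here is a small Python lint over an excerpt of the posted configuration. It checks a few cross-references that commonly break site-to-site and inbound traffic after a firewall migration: every crypto map's match-address ACL is actually defined, every crypto ACL entry has a matching nat 0 exemption, every static translation has at least one inbound permit, and no nonat entry exempts the LAN from itself. The regexes, the check names and the lint function are my own assumptions about how an ASA 8.2 config is laid out, not a Cisco tool; the config excerpt is copied from the question with its x.x address masking kept.

```python
"""Cross-reference lint for an ASA 8.2-style configuration (added example)."""
import re
from collections import defaultdict

# Excerpt of the configuration posted in the question; public addresses are
# masked with x.x in the post and are kept that way here.
POSTED_CONFIG = """\
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list TYLER-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list AUSTIN-GEORGETOWN-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list FORT-WORTH-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HUB-VPN extended permit ip 192.168.1.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list outside-in extended permit tcp any host x.x.16.19 eq https
access-list outside-in extended permit tcp any host x.x.16.19 eq smtp
access-list outside-in extended permit tcp any host x.x.16.20 eq www
nat (inside) 0 access-list nonat
static (inside,outside) x.x.16.19 192.168.1.241 netmask 255.255.255.255 dns
static (inside,outside) x.x.16.20 192.168.1.130 netmask 255.255.255.255 dns
crypto map VPN 10 match address AUSTIN-GEORGETOWN-VPN
crypto map VPN 20 match address FORT-WORTH-VPN
crypto map VPN 30 match address TYLER-VPN
crypto map VPN 40 match address MATRIX-VPN
"""

# Hypothetical line patterns; they cover only the statement forms used above.
ACL_IP_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ACL_HOST_RE = re.compile(r"^access-list (\S+) extended permit \S+ any host (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
CRYPTO_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")


def parse_config(text):
    """Collect the statements the checks below need."""
    cfg = {
        "ip_acls": defaultdict(list),    # acl name -> [(src, smask, dst, dmask)]
        "acl_names": set(),              # every access-list name that is defined
        "acl_hosts": defaultdict(set),   # acl name -> {public host addresses permitted}
        "statics": [],                   # [(public, private)]
        "crypto_refs": [],               # [(map name, seq, acl name)]
        "nat0_acl": None,                # the NAT-exempt ACL name
    }
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access-list "):
            cfg["acl_names"].add(line.split()[1])
        if m := ACL_IP_RE.match(line):
            cfg["ip_acls"][m.group(1)].append(m.groups()[1:])
        elif m := ACL_HOST_RE.match(line):
            cfg["acl_hosts"][m.group(1)].add(m.group(2))
        elif m := STATIC_RE.match(line):
            cfg["statics"].append((m.group(1), m.group(2)))
        elif m := CRYPTO_MATCH_RE.match(line):
            cfg["crypto_refs"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := NAT0_RE.match(line):
            cfg["nat0_acl"] = m.group(1)
    return cfg


def dangling_crypto_acls(cfg):
    """crypto map entries whose match-address ACL is never defined."""
    return [ref for ref in cfg["crypto_refs"] if ref[2] not in cfg["acl_names"]]


def vpn_traffic_not_exempt_from_nat(cfg):
    """Crypto ACL entries with no identical nat 0 entry (traffic would be PATed and miss the tunnel)."""
    exempt = set(cfg["ip_acls"].get(cfg["nat0_acl"], []))
    return [(acl, entry) for _m, _s, acl in cfg["crypto_refs"]
            for entry in cfg["ip_acls"].get(acl, []) if entry not in exempt]


def statics_without_inbound_acl(cfg, inbound_acl="outside-in"):
    """Static translations whose public address is not permitted anywhere in the inbound ACL."""
    hosts = cfg["acl_hosts"].get(inbound_acl, set())
    return [(pub, priv) for pub, priv in cfg["statics"] if pub not in hosts]


def self_referencing_nonat(cfg):
    """nat 0 entries whose source and destination network are the same."""
    return [e for e in cfg["ip_acls"].get(cfg["nat0_acl"], []) if e[0:2] == e[2:4]]


def lint(text):
    """Run every check and return human-readable findings."""
    cfg = parse_config(text)
    findings = []
    for map_name, seq, acl in dangling_crypto_acls(cfg):
        findings.append(f"crypto map {map_name} {seq} references undefined access-list {acl}")
    for acl, (src, smask, dst, dmask) in vpn_traffic_not_exempt_from_nat(cfg):
        findings.append(f"{acl}: {src}/{smask} -> {dst}/{dmask} has no nat 0 exemption")
    for pub, priv in statics_without_inbound_acl(cfg):
        findings.append(f"static {pub} -> {priv} has no inbound permit")
    for src, smask, dst, dmask in self_referencing_nonat(cfg):
        findings.append(f"nat 0 entry {src}/{smask} -> {dst}/{dmask} exempts the LAN from itself")
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED_CONFIG):
        print("FINDING:", finding)
```

Run against the excerpt, the lint reports two findings: `crypto map VPN 40 match address MATRIX-VPN` has no matching `access-list MATRIX-VPN` anywhere in the posted config, and the last `nonat` line exempts 192.168.1.0/24 from NAT to itself. The three site-to-site ACLs that are defined all have matching nat 0 entries, and both statics are covered by `outside-in`, so those checks come back clean. Checks of this kind are worth running on the new firewall's config before a cutover, when a dangling reference is still cheap to fix.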

ASKER CERTIFIED SOLUTION
chipsch