ASA 5505 Site to Site Sonicwall

Trying to connect an ASA to a sonicwall. The site to site establishes but i cannot pass any traffic. Any help would be great. i tried everything and i am sure i missing something simple.
ASA Version 8.2(5)
!
hostname Acg-fw-01
domain-name acg.local
enable password jqewL0ftOWzFHEf9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address Y.Y.Y.Y 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Z.Z.Z.Z 255.255.255.240
!
ftp mode passive
dns server-group DefaultDNS
 domain-name acg.local
object-group service PBX tcp
 port-object eq sip
 port-object eq https
object-group service PBX-UDP udp
 port-object eq sip
 port-object range 10000 20000
object-group service SBS tcp
 port-object eq smtp
 port-object eq https
 port-object eq 220
 port-object eq imap4
 port-object eq pop3
 port-object eq 3389
 port-object eq 4125
 port-object eq 444
 port-object eq www
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host Z.Z.Z.4 object-group PBX
access-list outside_access_in extended permit udp any host Z.Z.Z.4 object-group PBX-UDP
access-list outside_access_in extended permit tcp any host Z.Z.Z.5 object-group SBS
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list acg_split_tunnel standard permit 10.0.1.0 255.255.255.0
access-list NONAT extended permit ip any 10.0.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpn_ips 10.0.10.1-10.0.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Z.Z.Z.4 10.0.1.253 netmask 255.255.255.255
static (inside,outside) Z.Z.Z.5 10.0.1.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set ESP-3DES-SHA
crypto dynamic-map DYN_MAP 30 set transform-set ESP-3DES-SHA
crypto map SITELINKS 10 match address inside_nat0_outbound
crypto map SITELINKS 10 set pfs
crypto map SITELINKS 10 set peer b.b.b.b
crypto map SITELINKS 10 set transform-set ESP-3DES-SHA
crypto map SITELINKS 20 match address inside_nat0_outbound
crypto map SITELINKS 20 set pfs
crypto map SITELINKS 20 set peer A.A.A.A
crypto map SITELINKS 20 set transform-set ESP-3DES-SHA
crypto map SITELINKS 30 ipsec-isakmp dynamic DYN_MAP
crypto map SITELINKS interface outside
crypto map outside_map 10 match address inside_nat0_outbound
crypto map outside_map 10 set connection-type originate-only
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy ACG-VPN internal
group-policy ACG-VPN attributes
 dns-server value 10.0.1.2 4.2.2.3
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acg_split_tunnel
 default-domain value acg.local

tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b ipsec-attributes
 pre-shared-key *****
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a ipsec-attributes
 pre-shared-key *****
tunnel-group acg-hq type remote-access
tunnel-group acg-hq general-attributes
 address-pool vpn_ips
 default-group-policy ACG-VPN
tunnel-group acg-hq ipsec-attributes
 pre-shared-key *****
!
class-map inspection
class-map inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:520b0499bbded272e7d879c777861f25
: end

Open in new window

matt2008Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

kamsujCommented:
Hi,

Can you paste show crypto isakmp and show crypto ipsec?
0
Pete LongTechnical ConsultantCommented:
I wrote this a while back it might help


Site to Site IPSEC VPN from SonicWALL to Cisco ASA

Pete
0
matt2008Author Commented:
Crypto map tag: DYN_MAP, seq num: 10, local addr: z.z.z.z
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.10.1/255.255.255.255/0/0)
      current_peer: b.b.b.b, username: allison
      dynamic allocated peer ip: 10.0.10.1

      #pkts encaps: 66487, #pkts encrypt: 66487, #pkts digest: 66487
      #pkts decaps: 52101, #pkts decrypt: 52101, #pkts verify: 52101
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 66487, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: z.z.z.z/4500, remote crypto endpt.: b.b.b.b/36018
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: BAB9E90C
      current inbound spi : E9DD12C6

    inbound esp sas:
      spi: 0xE9DD12C6 (3923579590)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2846720, crypto-map: DYN_MAP
         sa timing: remaining key lifetime (sec): 20242
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFBFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xBAB9E90C (3132745996)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2846720, crypto-map: DYN_MAP
         sa timing: remaining key lifetime (sec): 20242
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: SITELINKS, seq num: 10, local addr: z.z.z.z
      access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.4.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.4.0/255.255.255.0/0/0)
      current_peer: 65.89.69.114

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 22217, #pkts decrypt: 22217, #pkts verify: 22217
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: Z.z.z.z, remote crypto endpt.: b.b.b.b
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: A03EF475
      current inbound spi : E6B9F974

    inbound esp sas:
      spi: 0xE6B9F974 (3870947700)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 2838528, crypto-map: SITELINKS
         sa timing: remaining key lifetime (kB/sec): (4371230/17752)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xA03EF475 (2688480373)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 2838528, crypto-map: SITELINKS
         sa timing: remaining key lifetime (kB/sec): (4374000/17752)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
0
davebartlett123Commented:
I would suggest the following configuration:

Create crypto map access-list:

access-list SW-VPN ext perm ip your_network your_mask remote_network remote_mask

Create NAT exclusion access-list:

access-list SW-VPN-No-NAT ext perm ip your_network your_mask remote_network remote_mask
nat (inside) 0 access-list SW-VPN-No-NAT

Configure crypto map:

crypto map SITELINKS 10 match address SW-VPN
crypto map SITELINKS 10 set peer your_sonicwall_peer_ip
crypto map SITELINKS 10 set transform-set ESP-3DES-SHA
crypto map SITELINKS 10 set security-association lifetime seconds same_as_sonicwall
crypto map SITELINKS 10 set security-association lifetime kilobytes same_as_sonicwall

Configure Tunnel Group
tunnel-group your_sonicwall_peer_ip type ipsec-l2l
tunnel-group your_sonicwall_peer_ip ipsec-attributes
pre-shared-key same_as_sonicwall

As long as your phase 1 isakmp agreement is the same as the sonicwall you should be good to go!

Give it a go.....
0
shareditCommented:
I would not advise you to change your nat 0  ACL,  instead I would advise you to look and see what ACL you are using to define NAT exempt traffic.

that acl is... nat (inside) 0 access-list NONAT

if you change your acl here, everything currently being exempt would not work.  Your VPN pool is exempt.

as Dave has described above, you will create an ACL that defines the traffic for the VPN, and you will add the exact same ACL statements the the NONAT ACL. match the vpn specific ACL in the crypto map.


For each vpn, you have two l2l defined:
your network - 1.1.1.0
VPN1 network - 2.2.2.0
VPN2 network - 3.3.3.0


access-list SW-VPN1 extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

access-list SW-VPN2 extended permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0

access-list NONAT extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list NONAT extended permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.