Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco ASA 5505 Ipsec allow all traffic thru VPN?

Posted on 2013-01-30
4
Medium Priority
?
1,549 Views
Last Modified: 2013-01-31
Hello,

I have an ipsec vpn established from a cisco ASA 5505 to a sonicwall tz 210, but it seems that it's blocking RPC traffic from the ASA LAN side to the Sonicwall Lan side.  How can I configure to allow all traffic? Newbie to Cisco ASA,  but I've established Sonicwall to Sonicwall ipsec vpn with no problems before.  Attached is my running config from the ASA 5505.

Thank you for your help,
Danny
asaconfig.txt
0
Comment
Question by:dancomputerman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38838059
Nothing appears to be blocking rdp, but traffic would be limited to a source of 10.186.56.0/24 and destination of 10.10.1.0/24. The limit is due to nonat and crypto acl.
0
 

Author Comment

by:dancomputerman
ID: 38839802
Somewhat makes sense, although I'm a newbie to Cisco. Basically I'm trying to get replication going between domain controllers located on each side of the site-to-site VPN, and I think that the Cisco ASA 5505 is blocking bi-derectional communication between the 2 sites. Are there a few commands that I can implement to allow all traffic from site A (10.10.56.0/24) to site B (10.10.1.0/24)  and vise-versa?
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 2000 total points
ID: 38839919
access-list outside_1_cryptomap extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0


Adding the above lines will allow that traffic on the tunnel and also exempt that traffic from being natted. Both sets of traffic need to be allowed on the Sonicwall as well for this to work.

When it comes to a site-to-site VPN, bi-directional traffic isn't a good term because each firewall can really only control one direction. So if you have two firewalls that are both configured to send the same (mirrored) traffic, you end up with bi-directional communication. Once a firewall sends traffic down a tunnel it will always allow the return traffic, but it is up to the other end to send it back. This is why it is crucial to have the crypto ACL match exactly on each end as a mirror image so that

FW1 crypto acl: 10.10.56.0/24 --> 10.10.1.0/24
sends traffic one direction
FW2 crypto acl: 10.10.1.0/24 --> 10.10.56.0/24
sends traffic one direction
Combined they have bi-directional traffic.

You will also need to pay attention to routing as you have a bit of overlap occurring. Currently you have a route
route inside companyHQ 255.0.0.0 10.186.56.1
which covers the entire 10.0.0.0/8 network, but in reality there is at least one route within that range which should go the opposite direction - the vpn tunnel subnet of 10.10.1.0/24. It shouldn't be a problem as long as the rest of then network knows where to point traffic for that subnet since I believe the crypto rules override the route statement. For good measure, you may want to add the command
route outside 10.10.1.0 255.255.255.0 76.127.241.249
just to make sure the firewall never tries to hairpin that traffic back in to your network (unless you actually have a secondary method of getting to that network through the inside interface).
0
 

Author Closing Comment

by:dancomputerman
ID: 38840289
Excellent, That worked perfectly!!! and it fixed the Replication between the DCs. Thank you :-)
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question