Solved

Cisco ASA 5505 Ipsec allow all traffic thru VPN?

Posted on 2013-01-30
4
1,471 Views
Last Modified: 2013-01-31
Hello,

I have an ipsec vpn established from a cisco ASA 5505 to a sonicwall tz 210, but it seems that it's blocking RPC traffic from the ASA LAN side to the Sonicwall Lan side.  How can I configure to allow all traffic? Newbie to Cisco ASA,  but I've established Sonicwall to Sonicwall ipsec vpn with no problems before.  Attached is my running config from the ASA 5505.

Thank you for your help,
Danny
asaconfig.txt
0
Comment
Question by:dancomputerman
  • 2
  • 2
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38838059
Nothing appears to be blocking rdp, but traffic would be limited to a source of 10.186.56.0/24 and destination of 10.10.1.0/24. The limit is due to nonat and crypto acl.
0
 

Author Comment

by:dancomputerman
ID: 38839802
Somewhat makes sense, although I'm a newbie to Cisco. Basically I'm trying to get replication going between domain controllers located on each side of the site-to-site VPN, and I think that the Cisco ASA 5505 is blocking bi-derectional communication between the 2 sites. Are there a few commands that I can implement to allow all traffic from site A (10.10.56.0/24) to site B (10.10.1.0/24)  and vise-versa?
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 38839919
access-list outside_1_cryptomap extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0


Adding the above lines will allow that traffic on the tunnel and also exempt that traffic from being natted. Both sets of traffic need to be allowed on the Sonicwall as well for this to work.

When it comes to a site-to-site VPN, bi-directional traffic isn't a good term because each firewall can really only control one direction. So if you have two firewalls that are both configured to send the same (mirrored) traffic, you end up with bi-directional communication. Once a firewall sends traffic down a tunnel it will always allow the return traffic, but it is up to the other end to send it back. This is why it is crucial to have the crypto ACL match exactly on each end as a mirror image so that

FW1 crypto acl: 10.10.56.0/24 --> 10.10.1.0/24
sends traffic one direction
FW2 crypto acl: 10.10.1.0/24 --> 10.10.56.0/24
sends traffic one direction
Combined they have bi-directional traffic.

You will also need to pay attention to routing as you have a bit of overlap occurring. Currently you have a route
route inside companyHQ 255.0.0.0 10.186.56.1
which covers the entire 10.0.0.0/8 network, but in reality there is at least one route within that range which should go the opposite direction - the vpn tunnel subnet of 10.10.1.0/24. It shouldn't be a problem as long as the rest of then network knows where to point traffic for that subnet since I believe the crypto rules override the route statement. For good measure, you may want to add the command
route outside 10.10.1.0 255.255.255.0 76.127.241.249
just to make sure the firewall never tries to hairpin that traffic back in to your network (unless you actually have a secondary method of getting to that network through the inside interface).
0
 

Author Closing Comment

by:dancomputerman
ID: 38840289
Excellent, That worked perfectly!!! and it fixed the Replication between the DCs. Thank you :-)
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Setting up a VPN 60 140
Internet Protocol Security question 3 71
How to safely test out TFTP server software 12 64
IPSec Site to Site VPN Topology 6 23
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question