Cisco ASA 5505 Ipsec allow all traffic thru VPN?

Posted on 2013-01-30
Last Modified: 2013-01-31
Hello,

I have an IPsec VPN established from a Cisco ASA 5505 to a SonicWall TZ 210, but it seems that it's blocking RPC traffic from the ASA LAN side to the SonicWall LAN side. How can I configure it to allow all traffic? I'm a newbie to Cisco ASA, but I've established SonicWall-to-SonicWall IPsec VPNs with no problems before. Attached is my running config from the ASA 5505.

Thank you for your help,
Danny
asaconfig.txt
Question by:dancomputerman
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38838059
Nothing appears to be blocking RDP, but traffic would be limited to a source of 10.186.56.0/24 and destination of 10.10.1.0/24. The limit is due to the nonat and crypto ACLs.
 

Author Comment

by:dancomputerman
ID: 38839802
Somewhat makes sense, although I'm a newbie to Cisco. Basically I'm trying to get replication going between domain controllers located on each side of the site-to-site VPN, and I think that the Cisco ASA 5505 is blocking bi-directional communication between the 2 sites. Are there a few commands that I can implement to allow all traffic from site A (10.10.56.0/24) to site B (10.10.1.0/24) and vice versa?
 
LVL 20

Accepted Solution

by:
rauenpc earned 2000 total points
ID: 38839919
access-list outside_1_cryptomap extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0


Adding the above lines will allow that traffic on the tunnel and also exempt that traffic from being natted. Both sets of traffic need to be allowed on the Sonicwall as well for this to work.

When it comes to a site-to-site VPN, bi-directional traffic isn't a good term because each firewall can really only control one direction. So if you have two firewalls that are both configured to send the same (mirrored) traffic, you end up with bi-directional communication. Once a firewall sends traffic down a tunnel it will always allow the return traffic, but it is up to the other end to send it back. This is why it is crucial to have the crypto ACL match exactly on each end as a mirror image so that

FW1 crypto acl: 10.10.56.0/24 --> 10.10.1.0/24
sends traffic one direction
FW2 crypto acl: 10.10.1.0/24 --> 10.10.56.0/24
sends traffic one direction
Combined they have bi-directional traffic.

You will also need to pay attention to routing as you have a bit of overlap occurring. Currently you have a route
route inside companyHQ 255.0.0.0 10.186.56.1
which covers the entire 10.0.0.0/8 network, but in reality there is at least one route within that range which should go the opposite direction - the VPN tunnel subnet of 10.10.1.0/24. It shouldn't be a problem as long as the rest of the network knows where to point traffic for that subnet since I believe the crypto rules override the route statement. For good measure, you may want to add the command
route outside 10.10.1.0 255.255.255.0 76.127.241.249
just to make sure the firewall never tries to hairpin that traffic back into your network (unless you actually have a secondary method of getting to that network through the inside interface).
0
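Added example, not part of the original answer: a small Python check for the three things the accepted solution touches (mirrored crypto ACLs, NAT exemption for each selector, and which static route is most specific for the remote subnet). The ACL names and addresses come from the thread; the function names and the peer (SonicWall) selector list are assumptions, and the `companyHQ` name in the route is written out as 10.0.0.0.

```python
import ipaddress as ip

# Constructed sample. BEFORE holds the selectors the first comment describes
# (companyHQ written as 10.0.0.0); FIX is the answer's two ACL lines plus its route.
BEFORE = """\
access-list outside_1_cryptomap extended permit ip 10.186.56.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.186.56.0 255.255.255.0 10.10.1.0 255.255.255.0
route inside 10.0.0.0 255.0.0.0 10.186.56.1
"""
FIX = """\
access-list outside_1_cryptomap extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0
route outside 10.10.1.0 255.255.255.0 76.127.241.249
"""
# Assumed peer (SonicWall) selectors as (source, destination); not from the page.
PEER = [("10.10.1.0/24", "10.186.56.0/24"), ("10.10.1.0/24", "10.10.56.0/24")]

def acl(config, name):
    """(src, dst) networks of 'permit ip <net> <mask> <net> <mask>' entries in one ACL."""
    rows = [l.split() for l in config.splitlines()]
    return {(ip.ip_network(f"{f[5]}/{f[6]}"), ip.ip_network(f"{f[7]}/{f[8]}"))
            for f in rows if f[:5] == ["access-list", name, "extended", "permit", "ip"] and len(f) == 9}

def unmirrored(config, peer):
    """Selectors present on only one end once the peer's are flipped to local orientation."""
    flipped = {(ip.ip_network(d), ip.ip_network(s)) for s, d in peer}
    return sorted(f"{s} -> {d}" for s, d in acl(config, "outside_1_cryptomap") ^ flipped)

def not_nat_exempt(config):
    """Crypto selectors that no NAT-exemption entry covers."""
    nat0 = acl(config, "inside_nat0_outbound")
    return sorted(f"{s} -> {d}" for s, d in acl(config, "outside_1_cryptomap")
                  if not any(s.subnet_of(a) and d.subnet_of(b) for a, b in nat0))

def best_route(config, dest):
    """(interface, network) of the longest-prefix static route covering dest, else None."""
    dest, best = ip.ip_network(dest), None
    for f in (l.split() for l in config.splitlines()):
        if f[:1] == ["route"] and len(f) >= 5:
            net = ip.ip_network(f"{f[2]}/{f[3]}")
            if dest.subnet_of(net) and (best is None or net.prefixlen > best[1].prefixlen):
                best = (f[1], net)
    return best and (best[0], str(best[1]))

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", BEFORE + FIX)):
        print(label, unmirrored(cfg, PEER), not_nat_exempt(cfg), best_route(cfg, "10.10.1.0/24"))
```

An empty list from `unmirrored` means both ends describe the same traffic as mirror images; any entry it returns is a selector only one firewall knows about.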
 

Author Closing Comment

by:dancomputerman
ID: 38840289
Excellent, that worked perfectly!!! And it fixed the replication between the DCs. Thank you :-)