Solved

Cisco ASA 5505 Ipsec allow all traffic thru VPN?

Posted on 2013-01-30
4
1,432 Views
Last Modified: 2013-01-31
Hello,

I have an ipsec vpn established from a cisco ASA 5505 to a sonicwall tz 210, but it seems that it's blocking RPC traffic from the ASA LAN side to the Sonicwall Lan side.  How can I configure to allow all traffic? Newbie to Cisco ASA,  but I've established Sonicwall to Sonicwall ipsec vpn with no problems before.  Attached is my running config from the ASA 5505.

Thank you for your help,
Danny
asaconfig.txt
0
Comment
Question by:dancomputerman
  • 2
  • 2
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38838059
Nothing appears to be blocking rdp, but traffic would be limited to a source of 10.186.56.0/24 and destination of 10.10.1.0/24. The limit is due to nonat and crypto acl.
0
 

Author Comment

by:dancomputerman
ID: 38839802
Somewhat makes sense, although I'm a newbie to Cisco. Basically I'm trying to get replication going between domain controllers located on each side of the site-to-site VPN, and I think that the Cisco ASA 5505 is blocking bi-derectional communication between the 2 sites. Are there a few commands that I can implement to allow all traffic from site A (10.10.56.0/24) to site B (10.10.1.0/24)  and vise-versa?
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 38839919
access-list outside_1_cryptomap extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0


Adding the above lines will allow that traffic on the tunnel and also exempt that traffic from being natted. Both sets of traffic need to be allowed on the Sonicwall as well for this to work.

When it comes to a site-to-site VPN, bi-directional traffic isn't a good term because each firewall can really only control one direction. So if you have two firewalls that are both configured to send the same (mirrored) traffic, you end up with bi-directional communication. Once a firewall sends traffic down a tunnel it will always allow the return traffic, but it is up to the other end to send it back. This is why it is crucial to have the crypto ACL match exactly on each end as a mirror image so that

FW1 crypto acl: 10.10.56.0/24 --> 10.10.1.0/24
sends traffic one direction
FW2 crypto acl: 10.10.1.0/24 --> 10.10.56.0/24
sends traffic one direction
Combined they have bi-directional traffic.

You will also need to pay attention to routing as you have a bit of overlap occurring. Currently you have a route
route inside companyHQ 255.0.0.0 10.186.56.1
which covers the entire 10.0.0.0/8 network, but in reality there is at least one route within that range which should go the opposite direction - the vpn tunnel subnet of 10.10.1.0/24. It shouldn't be a problem as long as the rest of then network knows where to point traffic for that subnet since I believe the crypto rules override the route statement. For good measure, you may want to add the command
route outside 10.10.1.0 255.255.255.0 76.127.241.249
just to make sure the firewall never tries to hairpin that traffic back in to your network (unless you actually have a secondary method of getting to that network through the inside interface).
0
 

Author Closing Comment

by:dancomputerman
ID: 38840289
Excellent, That worked perfectly!!! and it fixed the Replication between the DCs. Thank you :-)
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
Hi there, This article summarizes what you need if you are going to set up your home or small business Network Attached Storage (NAS) to be accessible from the internet. Of course there are configuration differences based on your NAS or router ma…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now