Solved

Cisco ASA 5505 Ipsec allow all traffic thru VPN?

Posted on 2013-01-30
Last Modified: 2013-01-31
Hello,

I have an IPsec VPN established from a Cisco ASA 5505 to a SonicWall TZ 210, but it seems that it's blocking RPC traffic from the ASA LAN side to the SonicWall LAN side. How can I configure it to allow all traffic? Newbie to Cisco ASA, but I've established SonicWall to SonicWall IPsec VPNs with no problems before. Attached is my running config from the ASA 5505.

Thank you for your help,
Danny
asaconfig.txt
Question by:dancomputerman
4 Comments
LVL 20

Expert Comment

by:rauenpc
ID: 38838059
Nothing appears to be blocking rdp, but traffic would be limited to a source of 10.186.56.0/24 and destination of 10.10.1.0/24. The limit is due to nonat and crypto acl.

Author Comment

by:dancomputerman
ID: 38839802
Somewhat makes sense, although I'm a newbie to Cisco. Basically I'm trying to get replication going between domain controllers located on each side of the site-to-site VPN, and I think that the Cisco ASA 5505 is blocking bi-directional communication between the 2 sites. Are there a few commands that I can implement to allow all traffic from site A (10.10.56.0/24) to site B (10.10.1.0/24) and vice versa?
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 38839919
access-list outside_1_cryptomap extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0


Adding the above lines will allow that traffic on the tunnel and also exempt that traffic from being natted. Both sets of traffic need to be allowed on the Sonicwall as well for this to work.

When it comes to a site-to-site VPN, bi-directional traffic isn't a good term because each firewall can really only control one direction. So if you have two firewalls that are both configured to send the same (mirrored) traffic, you end up with bi-directional communication. Once a firewall sends traffic down a tunnel it will always allow the return traffic, but it is up to the other end to send it back. This is why it is crucial to have the crypto ACL match exactly on each end as a mirror image, so that:

FW1 crypto acl: 10.10.56.0/24 --> 10.10.1.0/24 sends traffic one direction
FW2 crypto acl: 10.10.1.0/24 --> 10.10.56.0/24 sends traffic one direction
Combined they have bi-directional traffic.

You will also need to pay attention to routing as you have a bit of overlap occurring. Currently you have a route
route inside companyHQ 255.0.0.0 10.186.56.1
which covers the entire 10.0.0.0/8 network, but in reality there is at least one route within that range which should go the opposite direction - the VPN tunnel subnet of 10.10.1.0/24. It shouldn't be a problem as long as the rest of the network knows where to point traffic for that subnet, since I believe the crypto rules override the route statement. For good measure, you may want to add the command
route outside 10.10.1.0 255.255.255.0 76.127.241.249
just to make sure the firewall never tries to hairpin that traffic back in to your network (unless you actually have a secondary method of getting to that network through the inside interface).
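The answer above rests on three checks a practitioner would want to repeat on any site-to-site tunnel: the crypto ACLs on the two ends must be exact mirrors, every interesting-traffic pair must also appear in the NAT-exempt ACL, and no broader static route on an inside interface may be the longest match for the remote VPN subnet. The script below is an added example (not from the original thread or from Cisco) that parses ASA-style `access-list` and `route` lines and reports each of those conditions. The ASA lines are the ones given in the answer; the `companyHQ` name object is written out as `10.0.0.0` (an assumption), and the SonicWall side is modelled as a constructed mirror ACL named `remote_cryptomap`, since the SonicWall config is not on the page.

```python
import ipaddress
import re

# Constructed sample: the ASA lines from the accepted answer, with the
# companyHQ name object assumed to expand to 10.0.0.0 (assumption).
ASA_LINES = """
access-list outside_1_cryptomap extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.56.0 255.255.255.0 10.10.1.0 255.255.255.0
route inside 10.0.0.0 255.0.0.0 10.186.56.1
route outside 10.10.1.0 255.255.255.0 76.127.241.249
"""

# Constructed sample: a hypothetical mirror of the ASA crypto ACL, standing in
# for the far-end (SonicWall) policy, expressed in ASA syntax for this checker.
FW2_LINES = """
access-list remote_cryptomap extended permit ip 10.10.1.0 255.255.255.0 10.10.56.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)$")


def parse_acl(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            src = ipaddress.ip_network(f"{s}/{sm}", strict=False)
            dst = ipaddress.ip_network(f"{d}/{dm}", strict=False)
            acls.setdefault(name, []).append((src, dst))
    return acls


def parse_routes(text):
    """Return [(interface, network, next_hop), ...] for static routes."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, nh = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), nh))
    return routes


def is_mirror(local_entries, remote_entries):
    """True when every (src, dst) on one end appears as (dst, src) on the other."""
    return {(s, d) for s, d in local_entries} == {(d, s) for s, d in remote_entries}


def missing_nat_exempt(crypto_entries, nat0_entries):
    """Interesting-traffic pairs that are not also exempted from NAT."""
    nat0 = set(nat0_entries)
    return [(str(s), str(d)) for s, d in crypto_entries if (s, d) not in nat0]


def route_conflicts(routes, remote_nets, tunnel_iface="outside"):
    """Remote VPN subnets whose longest-match static route leaves a non-tunnel interface."""
    problems = []
    for net in remote_nets:
        matches = [r for r in routes if net.subnet_of(r[1])]
        if not matches:
            continue  # only the default route applies; nothing to flag here
        best = max(matches, key=lambda r: r[1].prefixlen)
        if best[0] != tunnel_iface:
            problems.append((str(net), best[0], str(best[1])))
    return problems


def audit(local_text, remote_text, local_crypto, remote_crypto, nat0_name):
    """Run all three checks and return a summary dict."""
    local_acls = parse_acl(local_text)
    remote_acls = parse_acl(remote_text)
    crypto = local_acls.get(local_crypto, [])
    remote_nets = [d for _, d in crypto]
    return {
        "mirrored": is_mirror(crypto, remote_acls.get(remote_crypto, [])),
        "not_nat_exempt": missing_nat_exempt(crypto, local_acls.get(nat0_name, [])),
        "route_conflicts": route_conflicts(parse_routes(local_text), remote_nets),
    }


if __name__ == "__main__":
    print(audit(ASA_LINES, FW2_LINES, "outside_1_cryptomap", "remote_cryptomap", "inside_nat0_outbound"))
```

With the `route outside 10.10.1.0 255.255.255.0 ...` line removed from `ASA_LINES`, `route_conflicts` reports that the /8 inside route is the longest match for 10.10.1.0/24, which is exactly the overlap the answer warns about.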

Author Closing Comment

by:dancomputerman
ID: 38840289
Excellent, that worked perfectly!!! And it fixed the replication between the DCs. Thank you :-)
