VPN Tunnel issue with ASA5510 and Sonicawall

  • VPN Tunnel issue with ASA5510 and Sonicawall

    Hi all,

    I've been struggling to get this to work.

    I've finally got the VPN tunnel up.

    From the ASA local network I can ping the other side, no problem.

    However, from the SonicWALL network I cannot ping anything on the ASA side.

    What would I be missing? As far as I know I've allowed everything on both sides.

    I've also noticed that I cannot ping from the LAN interface on the ASA to the SonicWALL network.

    Any help would be great.

  • #2
    Re: VPN Tunnel issue with ASA5510 and SonicWALL

    What does your crypto access-list look like on the ASA? In other words, what traffic is deemed "interesting" and then encrypted and sent over the tunnel? If the source and destination don't match the crypto ACL then it won't be encrypted. Also, are you doing NAT on the ASA? If so you may need NAT exemption configured to not NAT traffic destined for the tunnel.

    show crypto ipsec sa (This will show you your IPsec SAs and the negotiated parameters, and also whether traffic is being encrypted/decrypted)
    Last edited by auglan; 28th August 2012, 13:32.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


  • #3
    Re: VPN Tunnel issue with ASA5510 and SonicWALL

    How is the VPN tunnel set up on the SonicWALL?

    It should by all accounts add the relevant firewall rules for you, but you may want to check.

    Can you post your config for your SonicWALL?


  • #4
    Re: VPN Tunnel issue with ASA5510 and SonicWALL

    Originally posted by auglan
    What does your crypto access-list look like on the ASA? In other words, what traffic is deemed "interesting" and then encrypted and sent over the tunnel? If the source and destination don't match the crypto ACL then it won't be encrypted. Also, are you doing NAT on the ASA? If so you may need NAT exemption configured to not NAT traffic destined for the tunnel.

    show crypto ipsec sa (This will show you your IPsec SAs and the negotiated parameters, and also whether traffic is being encrypted/decrypted)

    Here are the results:

    Crypto map tag: WAN_map, seq num: 4, local addr: 111.1.16.178

    access-list WAN_cryptomap_3 extended permit ip 172.16.4.0 255.255.255.0 10.10.11.0 255.255.255.0
    local ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
    current_peer: 10.12.23.2

    #pkts encaps: 65692, #pkts encrypt: 65693, #pkts digest: 65693
    #pkts decaps: 68542, #pkts decrypt: 68542, #pkts verify: 68542
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 65693, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: 111.1.16.178/0, remote crypto endpt.: 10.12.23.2/0
    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: 960B6F49
    current inbound spi : 4AF912A3

    inbound esp sas:
    spi: 0x4AF912A3 (1257837219)
    transform: esp-3des esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, PFS Group 2, }
    slot: 0, conn_id: 1994752, crypto-map: WAN_map
    sa timing: remaining key lifetime (kB/sec): (4373317/17885)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
    spi: 0x960B6F49 (2517331785)
    transform: esp-3des esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, PFS Group 2, }
    slot: 0, conn_id: 1994752, crypto-map: WAN_map
    sa timing: remaining key lifetime (kB/sec): (4373362/17884)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001

    This is the exemption that I've got in the NAT:

    access-list WAN_cryptomap_3 extended permit ip 172.16.4.0 255.255.255.0 object remote-network


  • #5
    Re: VPN Tunnel issue with ASA5510 and SonicWALL

    Originally posted by wullieb1
    How is the VPN tunnel set up on the SonicWALL?

    It should by all accounts add the relevant firewall rules for you, but you may want to check.

    Can you post your config for your SonicWALL?

    I believe that the SonicWALL side should be correct, as we used to have a tunnel using the SonicWALL on our side. All I did was update the public IP and local IP on my side in the remote site's SonicWALL and recreate the VPN.


  • #6
    Re: VPN Tunnel issue with ASA5510 and SonicWALL

    I would make sure that the crypto access lists are mirror images of each other on both sides. Also verify your NAT exemption on both sides.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

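The three checks raised in posts #2, #4 and #6 (does the crypto ACL match the traffic, are the two sides' proxy identities mirror images, and do the encaps/decaps counters show traffic in both directions) can be scripted against the output of show crypto ipsec sa. The following is an added example written for this thread, not code from any of the posters or from Cisco; the sample text is a constructed, abridged copy of the output quoted in post #4, and the networks handed to mirrors() are an assumed description of the SonicWALL side, since that config was never posted. For the counters shown in the thread it reports that the SA is passing traffic both ways, which is exactly why the fix turned out to be outside the tunnel (a host gateway typo, post #7).

```python
import ipaddress
import re

# Constructed sample: an abridged copy of the "show crypto ipsec sa" output
# quoted in post #4 (the addresses are the ones the poster showed).
SAMPLE_SA_OUTPUT = """\
Crypto map tag: WAN_map, seq num: 4, local addr: 111.1.16.178

access-list WAN_cryptomap_3 extended permit ip 172.16.4.0 255.255.255.0 10.10.11.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
current_peer: 10.12.23.2

#pkts encaps: 65692, #pkts encrypt: 65693, #pkts digest: 65693
#pkts decaps: 68542, #pkts decrypt: 68542, #pkts verify: 68542
#send errors: 0, #recv errors: 0
"""

# Matches "local ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)"
IDENT_RE = re.compile(
    r"^(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)",
    re.MULTILINE,
)
# Matches "#pkts encaps: 65692" and "#pkts decaps: 68542"
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Extract the proxy identities and the encaps/decaps counters of one SA.

    Returns {"local": ip_network, "remote": ip_network, "encaps": int, "decaps": int}.
    """
    sa = {"encaps": 0, "decaps": 0}
    for side, addr, mask, _prot, _port in IDENT_RE.findall(text):
        # ipaddress accepts a dotted netmask after the slash; strict=False
        # tolerates an ident whose address has host bits set.
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for name, value in COUNTER_RE.findall(text):
        sa[name] = int(value)
    return sa


def mirrors(asa_sa, peer_local, peer_remote):
    """True when the peer's (local, remote) proxy IDs mirror the ASA's.

    peer_local / peer_remote describe the other box (assumed values here):
    what it calls its own LAN and what it calls the ASA's LAN.
    """
    return (asa_sa["local"] == ipaddress.ip_network(peer_remote, strict=False)
            and asa_sa["remote"] == ipaddress.ip_network(peer_local, strict=False))


def diagnose(asa_sa, peer_local, peer_remote):
    """Map the SA state to the next thing worth checking."""
    if not mirrors(asa_sa, peer_local, peer_remote):
        return "proxy-id mismatch: the crypto ACLs are not mirror images"
    encaps, decaps = asa_sa["encaps"], asa_sa["decaps"]
    if encaps == 0 and decaps == 0:
        return "nothing matches the crypto ACL: check NAT exemption and routing on both sides"
    if encaps > 0 and decaps == 0:
        return "ASA encrypts but never receives: check the peer's crypto ACL and NAT"
    if decaps > 0 and encaps == 0:
        return "ASA decrypts but never replies: check NAT exemption and host routing on the ASA side"
    return "SA carries traffic both ways: look past the tunnel (host gateways, local firewall rules)"


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_SA_OUTPUT)
    print(sa)
    # Assumed SonicWALL-side networks: its LAN is 10.10.11.0/24, the ASA LAN is 172.16.4.0/24.
    print(diagnose(sa, "10.10.11.0/24", "172.16.4.0/24"))
```

Paste the real output into SAMPLE_SA_OUTPUT (or read it from a file) and pass the networks as configured on the far end; a one-directional counter is the signature of the crypto-ACL or NAT-exemption problems described in posts #2 and #6, while healthy counters in both directions mean the tunnel is not where to keep looking.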


  • #7
    Re: VPN Tunnel issue with ASA5510 and SonicWALL

    Thanks guys! As a matter of fact I did set the VPN up correctly.

    It was one of our engineers placing a 'typo' in the gateway of the device sitting on this end ... =_="

    Sorry for the trouble.


  • #8
    Re: VPN Tunnel issue with ASA5510 and SonicWALL

    Lol, the easiest things will do it.

    I've had problems with SonicWALLs and FortiGate devices where the encryption key had a mistype.


  • #9
    Re: VPN Tunnel issue with ASA5510 and SonicWALL

    That's the one thing with VPNs: one mistype etc. and it's game over. Glad you got it worked out.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


  • #10
    Re: VPN Tunnel issue with ASA5510 and SonicWALL

    Originally posted by auglan
    That's the one thing with VPNs: one mistype etc. and it's game over. Glad you got it worked out.

    It's even worse when you only control a single end of the tunnel.