Cisco ASA 5505 site-to-site to Sonicwall Hub and Spoke, No Internet Locally

Answered Question
Sep 21st, 2007

Here is my setup:


I have a SonicWall set up as the hub that all the VPNs connect to. I have a new Cisco ASA 5505 connected to the SonicWall with no problem. The tunnel works great, but there is no internet access going out of the same Cisco ASA firewall. I want the internet to go out of the ASA. I tried several things but they didn't work, and all the documents I've been reading don't seem to cover what I want.


Just to make it more clear: right now I have the SonicWall as the hub in Miami. In Chicago, I have the Cisco ASA. I want the Chicago people to be able to access the internet via their ASA and also, of course, be able to access the servers down in Miami like they can now.


I tried split tunnel but it doesn't seem to work. I have a feeling I'm missing something so simple. Can anyone help? This is in a testing environment. Thanks.



Correct Answer
whisperwind Fri, 09/21/2007 - 07:10

You have created an ACL entitled pixtosw that defines the traffic to be sent over the VPN tunnel to your SonicWall.

Your internal LAN is 192.168.222.x/24.

This first line says any packet sourced from 192.168.222.x with a destination IP address of 192.168.40.x goes through the tunnel:

access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 192.168.40.0 255.255.255.0

The second line says any packet with a source IP address of 192.168.222.x and a destination of anywhere goes over the tunnel:

access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 any

Take the second line out and see what happens.

A couple of suggestions on your other ACLs:

access-list outside_access_in extended permit ip any any

Delete the outside_access_in ACL, as you are telling the ASA to allow EVERYTHING into your internal network. Not good.

access-list inside_access_out extended permit ip any any

By default any connection originating on the inside of your ASA will be permitted out, thus this ACL is not needed.


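The reasoning in the answer above, as an added example that is not from the thread or from Cisco: a small Python model of how the ASA matches a packet against the crypto ACL (first matching permit entry means the packet is encrypted into the tunnel, no match means it is routed normally), run against the two pixtosw lines as posted and against the fixed ACL with the "any" line removed. The source host 192.168.222.10 and the internet destination 203.0.113.5 are constructed sample addresses.

```python
import ipaddress

# The crypto ACL exactly as posted in the thread; the second entry is the one
# the answer says to remove, because "any" pulls internet-bound traffic into the tunnel.
PIXTOSW_AS_POSTED = [
    "access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 192.168.40.0 255.255.255.0",
    "access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 any",
]
# Fixed ACL: only traffic for the Miami LAN (192.168.40.0/24) is "interesting".
PIXTOSW_FIXED = PIXTOSW_AS_POSTED[:1]


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' from the front of the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA extended ACLs use real subnet masks (not wildcard masks), which ipaddress accepts.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one 'access-list NAME extended permit|deny ip SRC DST' line into (action, src, dst)."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _parse_addr(t[5:])
    dst, _ = _parse_addr(rest)
    return t[3], src, dst


def uses_tunnel(acl_lines, src_ip, dst_ip):
    """First-match evaluation: True if the packet would be encrypted into the VPN tunnel."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if src in s and dst in d:
            return action == "permit"
    return False  # no match: plain routing, i.e. straight out of the ASA to the internet


if __name__ == "__main__":
    for dst in ("192.168.40.25", "203.0.113.5"):
        print(dst, "posted ACL ->", uses_tunnel(PIXTOSW_AS_POSTED, "192.168.222.10", dst),
              "| fixed ACL ->", uses_tunnel(PIXTOSW_FIXED, "192.168.222.10", dst))
```

With the posted ACL both destinations go into the tunnel, which is why the Chicago LAN had no internet; with the fixed ACL only the Miami LAN does.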

guy.maxwell Fri, 09/21/2007 - 07:33

Thanks a lot, whisperwind. I was going to get rid of those other ACLs. It was just me going crazy and trying anything. I didn't see that second line with the "any", though. I believe I was following an article and they had me put that in there. But now it's all good. Thanks once again.

whisperwind Fri, 09/21/2007 - 10:06

Glad it helped, Guy, and you're not the first to miss a line of config...

Have a nice weekend.
