Cisco ASA 5505 site-to-site to Sonicwall Hub and Spoke, No Internet Locally

Answered Question
Sep 21st, 2007

Here is my setup:

I have a SonicWall set up as the hub where all the VPNs connect to. I have a new Cisco ASA 5505 connected to the SonicWall with no problem. The tunnel works great. But there is no internet access going out of the same Cisco ASA firewall. I want the internet to go out of the ASA. I tried several things but they didn't work. And all the documents I've been reading don't seem to cover what I want.

Just to make it more clear. Right now I have the SonicWall as the hub in Miami. In Chicago, I have the Cisco ASA. I want the Chicago people to be able to access the internet via their ASA and also, of course, be able to access the servers down in Miami like they can now.

I tried split tunnel but it doesn't seem to work. I have a feeling I'm missing something so simple. Can anyone help? This is in a testing environment. Thanks.


Correct Answer
whisperwind Fri, 09/21/2007 - 07:10

You have created an ACL entitled pixtosw that defines the traffic to be sent over the VPN tunnel to your SonicWall.

Your internal LAN is 192.168.222.x/24.

This first line says any packet sourced from 192.168.222.x with a destination IP address of 192.168.40.x goes through the tunnel:

access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 192.168.40.0 255.255.255.0

The second line says any packet with a source IP address of 192.168.222.x and a destination of any place goes over the tunnel:

access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 any

Take the second line out and see what happens.

A couple of suggestions on your other ACLs:

access-list outside_access_in extended permit ip any any

Delete the outside_access_in ACL, as you are telling the ASA to allow EVERYTHING into your internal network; not good.

access-list inside_access_out extended permit ip any any

By default any connection originating on the inside of your ASA will be permitted out, thus this ACL is not needed.
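
As an added illustration of the two points in this answer (it is not code from the thread or from Cisco), the script below parses the ASA extended ACL lines quoted above, does a first-match lookup the way the ASA evaluates an ACL, and audits the result. It shows that with the broad "any" entry in the crypto ACL, a packet bound for an ordinary Internet address (the constructed sample 198.51.100.7) matches the tunnel ACL and never reaches the local default route, and that the same audit flags the outside_access_in "permit ip any any". The sample configuration, the function names and the test addresses are constructed for this example; the parser only understands the plain "ip SRC DST" form used in the thread.

```python
"""Audit Cisco ASA extended ACLs for the two problems discussed in the thread:
a crypto (interesting-traffic) ACL entry with destination 'any', which pulls
all local traffic into the VPN tunnel, and an inbound interface ACL that
permits ip any any. Example code, not Cisco's or the thread's own."""
import ipaddress
import re
from dataclasses import dataclass

# Matches ACEs of the form: access-list NAME extended permit|deny PROTO SRC DST
# where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D SUBNET_MASK' (ASA syntax).
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


def _net(token: str) -> ipaddress.IPv4Network:
    """Turn an ASA address token into a network; ASA uses real subnet masks."""
    if token == "any":
        return ANY
    first, second = token.split()
    if first == "host":
        return ipaddress.IPv4Network(f"{second}/32")
    return ipaddress.IPv4Network(f"{first}/{second}", strict=False)


def parse_acl(config: str) -> list[Ace]:
    """Parse every recognised ACE, preserving order (ASA evaluates top-down)."""
    aces = []
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:  # lines with ports or object-groups are outside this example's scope
            aces.append(Ace(m["name"], m["action"], m["proto"],
                            _net(m["src"]), _net(m["dst"]), raw.strip()))
    return aces


def first_match(aces: list[Ace], acl: str, src_ip: str, dst_ip: str):
    """Return the first ACE in `acl` matching the flow, or None (first match wins)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.acl == acl and src in ace.src and dst in ace.dst:
            return ace
    return None


def is_tunneled(aces: list[Ace], crypto_acl: str, src_ip: str, dst_ip: str) -> bool:
    """True if the crypto ACL would select this flow as VPN interesting traffic."""
    ace = first_match(aces, crypto_acl, src_ip, dst_ip)
    return ace is not None and ace.action == "permit"


def audit(aces: list[Ace], crypto_acl: str, outside_in_acl: str) -> list[str]:
    """Flag the two misconfigurations from the thread as human-readable findings."""
    findings = []
    for ace in aces:
        if ace.acl == crypto_acl and ace.action == "permit" and ace.dst == ANY:
            findings.append(f"{crypto_acl}: destination 'any' sends all traffic "
                            f"from {ace.src} into the tunnel: {ace.text}")
        if (ace.acl == outside_in_acl and ace.action == "permit"
                and ace.proto == "ip" and ace.src == ANY and ace.dst == ANY):
            findings.append(f"{outside_in_acl}: permit ip any any exposes the "
                            f"inside network to everything: {ace.text}")
    return findings


# Constructed sample: the four ACL lines quoted in the thread.
SAMPLE_CONFIG = """\
access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
"""

# Constructed "after" state: only the hub subnet is interesting traffic, and the
# two unnecessary any/any ACLs are gone, as the answer recommends.
FIXED_CONFIG = """\
access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 192.168.40.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        aces = parse_acl(cfg)
        print(f"[{label}] 192.168.222.10 -> 192.168.40.5 tunneled:",
              is_tunneled(aces, "pixtosw", "192.168.222.10", "192.168.40.5"))
        print(f"[{label}] 192.168.222.10 -> 198.51.100.7 tunneled:",
              is_tunneled(aces, "pixtosw", "192.168.222.10", "198.51.100.7"))
        for f in audit(aces, "pixtosw", "outside_access_in"):
            print(f"[{label}] finding:", f)
```

Run it as-is and the "before" run reports the Internet-bound flow as tunneled and two findings; the "after" run tunnels only the 192.168.40.0/24 flow and reports nothing. The same parser can be pointed at a `show running-config access-list` dump to catch a broad crypto ACL before it is pushed.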

guy.maxwell Fri, 09/21/2007 - 07:33

Thanks a lot whisperwind. I was going to get rid of those other ACLs. It was just me going crazy and trying anything. I didn't see that second line though with the any. I believe I was following an article and they had me put that in there. But now it's all good. Thanks once again.

whisperwind Fri, 09/21/2007 - 10:06

Glad it helped Guy, and you're not the first to miss a line of code....

Have a nice weekend
