Cisco ASA 5505 site-to-site to Sonicwall Hub and Spoke, No Internet Locally

Sep 21st, 2007

Here is my setup:


I have a SonicWall set up as the hub where all the VPNs connect to. I have a new Cisco ASA 5505 connected to the SonicWall with no problem. The tunnel works great. But there is no internet access going out of the same Cisco ASA firewall. I want the internet to go out of the ASA. I tried several things but they didn't work. And all the documents I've been reading don't seem to cover what I want.


Just to make it more clear. Right now I have the SonicWall as the hub in Miami. In Chicago, I have the Cisco ASA. I want the Chicago people to be able to access the internet via their ASA and also, of course, be able to access the servers down in Miami like they can now.


I tried split tunnel but it doesn't seem to work. I have a feeling I'm missing something so simple. Can anyone help? This is in a testing environment. Thanks.



Correct Answer by whisperwind, Fri, 09/21/2007 - 07:10

You have created an ACL entitled pixtosw that defines the traffic to be sent over the VPN tunnel to your SonicWall.


Your internal LAN is 192.168.222.0/24.


The first line says any packet sourced from 192.168.222.x with a destination IP address of 192.168.40.x goes through the tunnel:


access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 192.168.40.0 255.255.255.0


The second line says any packet with a source IP address of 192.168.222.x and a destination of any place goes over the tunnel:


access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 any


Take the second line out and see what happens.


A couple of suggestions on your other ACLs:


access-list outside_access_in extended permit ip any any


Delete the outside_access_in ACL, as you are telling the ASA to allow EVERYTHING into your internal network. Not good.


access-list inside_access_out extended permit ip any any


By default, any connection originating on the inside of your ASA will be permitted out, thus this ACL is not needed.
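The spoke-side ASA configuration that the answer implies, written out as an added example (it is not from the original thread or from either poster): the crypto ACL with the offending `any` line beside the corrected one, the NAT exemption plus local PAT that actually sends Chicago's Internet traffic out the ASA, the crypto map that binds the ACL to the tunnel, and the removal of the two permit-everything ACLs. Syntax is ASA 7.2/8.0-era (pre-8.3 NAT). HUB_IP, the pre-shared key, the ISAKMP/IPsec proposal, and the `nonat` and `outside_map` names are placeholders chosen here, not values from the thread; the documentation address 198.51.100.10 stands in for any Internet host.

```text
! Added example, not the thread's own config. Chicago ASA 5505 spoke, ASA 7.2/8.0 syntax.
! HUB_IP, PLACEHOLDER_PSK, the proposal and the object names are assumptions.

! --- As posted: the second line marks ALL traffic from 192.168.222.0/24 as tunnel
!     traffic, so Internet-bound packets are handed to IPsec instead of the local PAT ---
access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 any

! --- Corrected: only Miami (192.168.40.0/24) is "interesting" traffic for the tunnel ---
no access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 any
! The hub's VPN policy must define the same pair of networks (192.168.222.0/24 and
! 192.168.40.0/24); an "any" on one side never lines up with the other side's phase 2 proposal.

! Exempt tunnel traffic from NAT; PAT everything else behind the outside interface address
access-list nonat extended permit ip 192.168.222.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.222.0 255.255.255.0
global (outside) 1 interface

! Phase 1 / phase 2 proposal (assumed values; match whatever the SonicWall is configured for)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Bind the (corrected) crypto ACL to the site-to-site crypto map
crypto map outside_map 10 match address pixtosw
crypto map outside_map 10 set peer HUB_IP
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group HUB_IP type ipsec-l2l
tunnel-group HUB_IP ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK

! ACL cleanup from the answer: unbind and delete the permit-everything ACLs.
! Decrypted hub-to-spoke traffic still gets in afterwards, because
! "sysopt connection permit-vpn" (on by default) lets VPN traffic bypass the
! outside interface ACL; the inside ACL is unnecessary since inside-to-outside
! is permitted by the security levels alone.
no access-group outside_access_in in interface outside
clear configure access-list outside_access_in
no access-group inside_access_out in interface inside
clear configure access-list inside_access_out

! Checks: an Internet-bound flow should now be handled by the NAT phase, not the VPN
! phase, and the IPsec SA should carry only the 192.168.222.0/24 <-> 192.168.40.0/24 identity
! packet-tracer input inside tcp 192.168.222.10 1025 198.51.100.10 80
! packet-tracer input inside tcp 192.168.222.10 1025 192.168.40.10 445
! show crypto ipsec sa
! show xlate
```

The two `packet-tracer` runs are the quickest way to confirm the fix: with the `any` line still present, the flow to 198.51.100.10 is picked up by the crypto map and never reaches the `nat (inside) 1` translation; once it is removed, only the flow to 192.168.40.10 is encrypted and the Internet flow shows up in `show xlate` as a PAT entry on the outside address.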




guy.maxwell Fri, 09/21/2007 - 07:33

Thanks a lot whisperwind. I was going to get rid of those other ACLs. It was just me going crazy and trying anything. I didn't see that second line though with the any. I believe I was following an article and they had me put that in there. But now it's all good. Thanks once again.

whisperwind Fri, 09/21/2007 - 10:06

Glad it helped Guy, and you're not the first to miss a line of code...


Have a nice weekend
