09-21-2007 06:30 AM - edited 03-11-2019 04:14 AM
Here is my setup:
I have a SonicWall set up as the hub that all the VPNs connect to. I have a new Cisco ASA 5505 connected to the SonicWall with no problem. The tunnel works great. But there is no internet access going out of the same Cisco ASA firewall. I want the internet to go out of the ASA. I tried several things but they didn't work. And all the documents I've been reading don't seem to cover what I want.
Just to make it more clear. Right now I have the SonicWall as the hub in Miami. In Chicago, I have the Cisco ASA. I want the Chicago people to be able to access the internet via their ASA and also, of course, be able to access the servers down in Miami like they can now.
I tried split tunnel but it doesn't seem to work. I have a feeling I'm missing something so simple. Can anyone help? This is in a testing environment. Thanks.
09-21-2007 07:10 AM
You have created an ACL entitled pixtosw that defines the traffic to be sent over the VPN tunnel to your SonicWall.
Your internal LAN is 192.168.222.x/24.
This first line says any packet sourced from 192.168.222.x with a destination IP address of 192.168.40.x goes through the tunnel:
access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 192.168.40.0 255.255.255.0
The second line says any packet with a source IP address of 192.168.222.x and a destination of any place goes over the tunnel:
access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 any
Take the second line out and see what happens.
A couple of suggestions on your other ACLs
access-list outside_access_in extended permit ip any any
Delete the outside_access_in ACL as you are telling the ASA to allow EVERYTHING into your internal network, not good.
access-list inside_access_out extended permit ip any any
By default any connection originating on the inside of your ASA will be permitted out, thus this ACL is not needed.
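The three problems the answer above points out (a destination of `any` in the crypto-map ACL that pulls internet-bound traffic into the tunnel, a `permit ip any any` inbound on the outside interface, and a redundant outbound permit) can all be spotted mechanically. The following Python script is an added example for this thread, not code from Cisco or from either poster. It embeds a constructed config made from the four ACEs quoted above, parses only the `extended` ACE form shown there (source and destination as `any`, `host A.B.C.D`, or `network mask`), and assumes the ACL names: that `pixtosw` is the ACL referenced by the crypto map, `outside_access_in` is applied inbound on the outside interface, and `inside_access_out` is applied outbound on the inside.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample config, modelled on the four ACLs quoted in the answer above.
SAMPLE_CONFIG = """
access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list pixtosw extended permit ip 192.168.222.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
"""

# Matches the "extended" ACE form used on the page: source and destination are
# either "any", "host A.B.C.D", or "network mask". Other ACE forms are skipped.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)


def parse_aces(config: str) -> List[Dict[str, str]]:
    """Return one dict per recognised access-list entry, in config order."""
    aces = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            ace = m.groupdict()
            ace["raw"] = line
            aces.append(ace)
    return aces


def audit_acls(
    config: str,
    crypto_acls: Sequence[str] = ("pixtosw",),               # assumed: ACL bound to the crypto map
    outside_in_acls: Sequence[str] = ("outside_access_in",),  # assumed: applied inbound on outside
    inside_out_acls: Sequence[str] = ("inside_access_out",),  # assumed: applied outbound on inside
) -> List[Tuple[str, str, str]]:
    """Return (acl_name, finding_code, offending_line) for each problem found."""
    findings = []
    for ace in parse_aces(config):
        name = ace["name"]
        permit_all = (
            ace["action"] == "permit" and ace["proto"] == "ip"
            and ace["src"] == "any" and ace["dst"] == "any"
        )
        if name in crypto_acls and ace["action"] == "permit" and ace["dst"] == "any":
            # Destination "any" in the interesting-traffic ACL sends every packet,
            # internet-bound ones included, into the tunnel: split tunneling cannot work.
            findings.append((name, "crypto-any-destination", ace["raw"]))
        elif name in outside_in_acls and permit_all:
            # Unrestricted inbound permit on the outside interface.
            findings.append((name, "inbound-permit-all", ace["raw"]))
        elif name in inside_out_acls and permit_all:
            # Inside-to-outside traffic is allowed by default; this ACE adds nothing.
            findings.append((name, "redundant-outbound-permit", ace["raw"]))
    return findings


def remediated_config(config: str, **kwargs) -> List[str]:
    """Return the ACE lines that remain after dropping every flagged entry."""
    flagged = {line for _, _, line in audit_acls(config, **kwargs)}
    return [ace["raw"] for ace in parse_aces(config) if ace["raw"] not in flagged]


if __name__ == "__main__":
    for acl, code, line in audit_acls(SAMPLE_CONFIG):
        print(f"{code:28s} {acl}: {line}")
    print("--- remaining ACEs ---")
    for line in remediated_config(SAMPLE_CONFIG):
        print(line)
```

Run against the sample, the only line left standing is the first `pixtosw` entry, which is exactly the split-tunnel definition the answer recommends. Against a real ASA config you would paste the output of `show running-config access-list` and pass the ACL names your crypto map and `access-group` statements actually reference.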
09-21-2007 07:33 AM
Thanks a lot whisperwind. I was going to get rid of those other ACLs. It was just me going crazy and trying anything. I didn't see that second line though with the any. I believe I was following an article and they had me put that in there. But now it's all good. Thanks once again.
09-21-2007 10:06 AM
Glad it helped Guy, and you're not the first to miss a line of code....
Have a nice weekend