ASA5505 to Sonicwall PRO2040 aggressive mode

7b.schappel
Level 1

I've used many SW devices to setup remote locations with Site2Site VPNs and had everything working well. I replaced one of the SW's with an ASA5505.

All of the sample configs I've seen use Main Mode (both ends have static IPs). In my case the PRO2040 is static and the ASA is DHCP.

I almost have the VPN setup but I am hitting one problem. Phase 1 completes but Phase 2 complains of a network mismatch. The log on the SW says this "IKE Responder: Peer's local network does not match VPN policy's Destination Network" ... "Proposed network: 1.2.3.4". The IP listed is the DHCP assigned IP of the outside interface on the ASA.

I've checked the settings in the cryptomap 50 times and I'm sure it's correct. The remote network is the inside network of the PRO2040. The local network is the inside network on the ASA.

Does anyone have any suggestions? If I get this working I'll post a complete HOW-TO.


7b.schappel
Level 1

Found the problem. Everything is working with this tunnel.

Hi,

Could you tell me what you did to fix it?

I have the same setup and the exact same problem.

Thank you!

In my case the SonicWall had a static IP and the 5505 got its IP via DHCP. Here's the relevant config from my 5505 that works with my setup. I'm going to define some names to make things more readable.

hostname asa5505
domain-name mydomain.com
name 10.10.10.0 inside-network description Internal network on 5505
name 10.10.12.0 remote-office description Internal network on PRO2040
access-list outside_cryptomap_1 extended permit ip inside-network 255.255.255.0 remote-office 255.255.255.0
access-list outside_access_in extended permit ip remote-office 255.255.255.0 any
access-list nonat extended permit ip inside-network 255.255.255.0 remote-office 255.255.255.0
crypto map outside_map2 2 match address outside_cryptomap_1
crypto map outside_map2 2 set pfs
crypto map outside_map2 2 set peer 123.123.123.1
crypto map outside_map2 2 set transform-set ESP-3DES-SHA
crypto map outside_map2 2 set security-association lifetime seconds 3600
crypto map outside_map2 2 set nat-t-disable
crypto map outside_map2 2 set phase1-mode aggressive
crypto map outside_map2 interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
no crypto isakmp nat-traversal
tunnel-group 123.123.123.1 type ipsec-l2l
tunnel-group 123.123.123.1 ipsec-attributes
pre-shared-key YourLongAndNastyPresharedKey
isakmp keepalive disable
* 123.123.123.1 is the external static IP address of your SonicWall device.
The attached PNG shows the General Tab of the VPN Policy on the PRO2040. (I am running the Enhanced OS on the SonicWall.)
If I remember correctly, my big problem was that I did not add the remote network to the nonat access-list. Hope this helps.

First of all, I want to thank you!

It makes total sense, but I'm not sure how to apply it.

I have this in my config:

access-list inside_nat0_outbound extended permit ip 192.168.210.0(local ASA network) 255.255.255.0 172.50.0.131(Remote Sonicwall network) 255.255.255.255
global (outside) 1 interface
nat (inside) 1 access-list inside_nat0_outbound

Thank you, your help is greatly appreciated.

My ASA Config

interface Vlan1
nameif inside
security-level 100
ip address 192.168.210.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X"X"X"X X'X'X'X'X
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
domain-name voltige.biz
same-security-traffic permit inter-interface


access-list ICMPACL extended permit icmp any any
access-list ICMPACL extended permit icmp any any time-exceeded
access-list ICMPACL extended permit icmp any any unreachable
access-list ICMPACL extended permit icmp any any echo-reply


access-list TUNNEL extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131

access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131


pager lines 24
logging enable
logging monitor emergencies
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface


nat (inside) 1 access-list inside_nat0_outbound

access-group ICMPACL in interface outside

route outside 0.0.0.0 0.0.0.0 70.159.184.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 inside
snmp-server host inside 192.168.210.57 community public
snmp-server location tour1
snmp-server contact jean-francis
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop


crypto ipsec transform-set Bang-Transform-Set esp-aes-192 esp-sha-hmac


crypto map Tunnel-Map 1 match address ovation
crypto map Tunnel-Map 1 set connection-type originate-only
crypto map Tunnel-Map 1 set peer 123.123.123.1
crypto map Tunnel-Map 1 set transform-set Bang-Transform-Set
crypto map Tunnel-Map 1 set phase1-mode aggressive
crypto map Tunnel-Map interface outside


crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 28800


telnet timeout 5
ssh 192.168.210.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside

username admin password sdgsgdsdgsdgsd encrypted privilege 15


tunnel-group 123.123.123.1 type ipsec-l2l
tunnel-group 123.123.123.1 ipsec-attributes
pre-shared-key *
isakmp keepalive disable


!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2a3693d654aa3a05cb78ea3efe63b132
: end

I believe your problem is with these statements:

access-list TUNNEL extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131

access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131

Try replacing those statements with:

access-list TUNNEL extended permit ip 192.168.210.0 255.255.255.0 172.50.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 172.50.0.0 255.255.255.0

That should allow the tunnel to see both networks.
Also, it seems that your ASA has no "hostname" defined. You should do that as well. The config states that your ASA has a static IP. Is that correct? My sample has the ASA with a DHCP address and the SonicWall with static addresses. That may make a difference. It would also help to see the VPN policy from the SonicWall.

Yes, it was set with a static IP for troubleshooting only.

I'm curious how you state your NAT commands. Could you post them?

The reason the ACLs are like this is that behind the SonicWall there is only one host configured.

Phase 2 of my VPN fails the same way as in your scenario. The ASA is DHCP/aggressive mode and the SonicWall receives an error like this (look at the PNG).

The SonicWall sees the ASA public IP as the Proposed Network.

Here is the correct running-config:

ASA Version 7.2(4)
!
hostname ASA5505
domain-name mydomain.biz
enable password fgsdgfsdfds encrypted
passwd fsdgdfgsdgdfsgfencrypted
multicast-routing
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.210.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
domain-name voltige.biz
same-security-traffic permit inter-interface
access-list ICMPACL extended permit icmp any any
access-list ICMPACL extended permit icmp any any time-exceeded
access-list ICMPACL extended permit icmp any any unreachable
access-list ICMPACL extended permit icmp any any echo-reply
access-list ovation extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
pager lines 24
logging enable
logging monitor emergencies
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.210.0 255.255.255.0
access-group ICMPACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 inside
snmp-server host inside 192.168.210.57 community public
snmp-server location tour1
snmp-server contact jean-francis
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
crypto ipsec transform-set Tunnel-Transform-Set esp-aes-192 esp-sha-hmac
crypto map Tunnel-Map 1 match address ovation
crypto map Tunnel-Map 1 set connection-type originate-only
crypto map Tunnel-Map 1 set peer 123.123.123.123
crypto map Tunnel-Map 1 set transform-set Bang-Transform-Set
crypto map Tunnel-Map 1 set phase1-mode aggressive
crypto map Tunnel-Map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.210.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside

username admin password sdfdgvdvfdssd encrypted privilege 15
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2a3693d654aa3a05cb78ea3efe63b132
: end

You're trying to setup a LAN-to-LAN VPN. The mismatch is because you're going LAN-to-Host but setting up the VPN as L2L. After you get the L2L tunnel up you can restrict traffic by setting firewall rules to deny all traffic except from your one host. Does that make sense?

I will try this.

Could you still post your NAT config?

Thank you so much again!

It's a very simple config:

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

OK, I set up the NAT.

What IKE ID should I use on the SonicWall to identify the ASA?

INSIDE IP address of the ASA: 192.168.210.251

OUTSIDE IP address of the ASA: 192.168.1.7

I'm starting to believe that the problem comes from the SonicWall configuration.

Thank you!

One of my previous responses had a screenshot of the Sonicwall settings I used. On the Sonicwall I set

Local IKE ID: IP Address -- I set the address to the external IP of the Sonicwall.

Remote IKE ID: Domain Name -- I set the value to the FQDN of the ASA. The FQDN is derived from the "hostname" and "domain name" set in the ASA.

The config I posted for the ASA before sets similar values for the ASA.
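The two points made in this thread, that the crypto-map ACL and the NAT-exemption ACL must describe the same subnet-to-subnet pair the SonicWall policy expects, and that with "crypto isakmp identity hostname" the ASA presents hostname.domain-name as its IKE ID, can be checked mechanically before a tunnel is brought up. The script below is an added example and not code from the original thread or from Cisco; it parses a constructed ASA 7.x-style config fragment (hypothetical values modelled on the thread), derives the IKE identity, flags a LAN-to-host ACL where the peer expects LAN-to-LAN, flags a missing "nat (inside) 0" exemption, and interprets the SonicWall "Proposed network" message.

```python
"""Sanity-check an ASA LAN-to-LAN crypto config against what the SonicWall peer expects.

Added example (not from the thread or from Cisco). The config fragments and log
line below are constructed; the parser covers only the 'permit ip' ACE forms
used in the thread (any | host X | X MASK).
"""
import ipaddress
import re

# Constructed sample: the LAN-to-host mistake discussed in the thread.
BROKEN_CONFIG = """\
hostname ASAVPN
domain-name bang.biz
access-list ovation extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map Tunnel-Map 1 match address ovation
crypto map Tunnel-Map 1 set peer 123.123.123.123
crypto map Tunnel-Map 1 set phase1-mode aggressive
crypto isakmp identity hostname
"""

# The same device after the advice in the thread: subnet-to-subnet ACLs plus NAT exemption.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "host 172.50.0.131", "172.50.0.0 255.255.255.0"
).replace(
    "nat (inside) 1 0.0.0.0 0.0.0.0",
    "nat (inside) 0 access-list inside_nat0_outbound\nnat (inside) 1 0.0.0.0 0.0.0.0",
)

# Constructed SonicWall log line shaped like the one quoted in the thread.
SAMPLE_LOG = ("IKE Responder: Peer's local network does not match VPN policy's "
              "Destination Network ... Proposed network: 1.2.3.4")

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
PROPOSED_RE = re.compile(r"Proposed network:\s*([\d.]+)")


def _read_net(tokens):
    """Consume one ACE address spec (any | host X | X MASK) and return an IPv4Network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Map ACL name -> list of (source_net, destination_net) for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            tokens = m.group(2).split()
            acls.setdefault(m.group(1), []).append((_read_net(tokens), _read_net(tokens)))
    return acls


def ike_identity(config):
    """Return the IKE ID the ASA presents: hostname.domain-name, or the interface address."""
    hostname = domain = mode = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("hostname "):
            hostname = line.split()[1]
        elif line.startswith("domain-name "):
            domain = line.split()[1]
        elif line.startswith("crypto isakmp identity "):
            mode = line.split()[3]
    if mode == "hostname" and hostname and domain:
        return ("fqdn", f"{hostname}.{domain}")
    return ("address", None)  # identity is the (possibly DHCP-assigned) outside IP


def check_l2l(config, local_net, remote_net):
    """Compare the crypto-map ACL and NAT-0 ACL with the networks the peer policy expects."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    acls, findings, crypto_acl, nat0_acl = parse_acls(config), [], None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("crypto map ") and " match address " in line:
            crypto_acl = line.split()[-1]
        elif line.startswith("nat (inside) 0 access-list "):
            nat0_acl = line.split()[-1]
    if crypto_acl is None:
        return ["no crypto map entry has a 'match address' ACL"]
    for src, dst in acls.get(crypto_acl, []):
        if src != local or dst != remote:
            findings.append(f"crypto ACL {crypto_acl} proposes {src} -> {dst}, "
                            f"peer policy expects {local} -> {remote}")
        if dst.prefixlen == 32 and remote.prefixlen != 32:
            findings.append("crypto ACL names a single host but the peer is configured LAN-to-LAN")
    if nat0_acl is None:
        findings.append("no 'nat (inside) 0 access-list' exemption: VPN traffic is PATed to the outside address")
    elif any(e not in acls.get(nat0_acl, []) for e in acls.get(crypto_acl, [])):
        findings.append(f"NAT exemption ACL {nat0_acl} does not cover every crypto ACL entry")
    return findings


def diagnose_peer_log(line, asa_outside_ip):
    """Interpret the SonicWall 'Peer's local network does not match' message."""
    m = PROPOSED_RE.search(line)
    if not m:
        return "no proposed-network value in log line"
    if m.group(1) == asa_outside_ip:
        return ("ASA proposed its own outside address instead of its inside subnet; "
                "in this thread that was fixed by correcting the crypto ACL and NAT exemption")
    return f"ASA proposed {m.group(1)}; compare it with the SonicWall Destination Network"


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, ike_identity(cfg), check_l2l(cfg, "192.168.210.0/24", "172.50.0.0/24"))
    print(diagnose_peer_log(SAMPLE_LOG, "1.2.3.4"))
```

Run it as-is and the broken fragment yields three findings (host instead of subnet, LAN-to-host versus LAN-to-LAN, no NAT exemption) while the fixed fragment yields none; "ike_identity" reports ASAVPN.bang.biz, the value the SonicWall's Remote IKE ID must be set to. Because aggressive mode sends the identity in the clear and exposes the PSK-based authentication hash to offline guessing, the long random pre-shared key shown earlier in the thread is the right choice rather than a memorable one.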

It's clearer now!

Could you tell me how to find the FQDN of my ASA?

Hostname: ASAVPN

Domain name: bang.biz

Will the FQDN be ASAVPN.bang.biz?

Thank you very much!

I tried it and it works; Phase 1 completes.

I'm still having the problem of the SonicWall getting the wrong network proposed (my ASA "public" IP, which is the IP of the network between the ASA and the DSL router).

Here is the latest running-config:

Let me know what you think

: Saved
:
ASA Version 7.2(4)
!
hostname ASAVPNBang
domain-name ASAVPN.biz
enable password sadfhad##%TGRG encrypted
passwd SDGFA$### encrypted
multicast-routing
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.210.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone est -5
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
domain-name ASAVPN.biz
same-security-traffic permit inter-interface
access-list ICMPACL extended permit icmp any any
access-list ICMPACL extended permit icmp any any time-exceeded
access-list ICMPACL extended permit icmp any any unreachable
access-list ICMPACL extended permit icmp any any echo-reply
access-list VPNMAP extended permit ip 192.168.210.0 255.255.255.0 172.50.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 172.50.0.0 255.255.255.0
pager lines 24
logging enable
logging monitor emergencies
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.210.0 255.255.255.0
access-group ICMPACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 inside
snmp-server host inside 192.168.210.57 community public
snmp-server location tour1
snmp-server contact jean-francis
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
crypto ipsec transform-set Bang-Transform-Set esp-aes-192 esp-sha-hmac
crypto map Bang-Map 1 match address VPNMAP
crypto map Bang-Map 1 set connection-type originate-only
crypto map Bang-Map 1 set peer X.X.X.X (Sonicwall Public IP)
crypto map Bang-Map 1 set transform-set Bang-Transform-Set
crypto map Bang-Map 1 set phase1-mode aggressive
crypto map Bang-Map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.210.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside

username admin password FasfDFDGFGasj encrypted privilege 15
tunnel-group X.X.X.X(Public ip of the SonicWall) type ipsec-l2l
tunnel-group X.X.X.X(Public ip of the SonicWall) ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:035dec2d6db7446cc1a83a36cf156e6c
: end

joe.wronkowski
Level 1

Schappel, I had a few questions regarding your installation. I am in the process of connecting a remote site and the main office is protected with a SonicWall firewall. Wanted to know if you can contact me at jwronkowski@cypress-tech.net instead of clogging up the forum. Can post results after I figure out the best way to tackle the issue. Thanks, Joe
