
New Member

Establish a Remote VPN connection to my SA520 Firewall

Dear all

I bought the SA520 Firewall a month ago and am now trying to establish a remote VPN connection to it. The SA520 is updated to firmware 2.2.0.7 and my VPN Client is the Cisco 5.0.07.0410.

When I configure the IKE Policies, the VPN Policies, the IPSec Users and the Dynamic IP Range (192.168.12.110-192.168.12.120) with the VPN Wizard, I can bring up a VPN connection and I also get the 192.168.12.110 IP address on the VPN Client, but I am not able to reach my LAN 192.168.10.0. On the WAN side I have DynDNS.

Can anybody tell me what I am doing wrong? Do I have to configure a static route or an additional firewall rule? I have tried so many things in the past and I have no clue what I am doing wrong...

Kind Regards

Adrian

9 REPLIES

Re: Establish a Remote VPN connection to my SA520 Firewall

In your VPN configuration you had to tell it what the local network is. Did you make it the 12.x network only or both the 12.x and 10.x networks? It needs to be both.


Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: Establish a Remote VPN connection to my SA520 Firewall

Hi Shawn

My local network is 10.x and the dynamic IP range is 12.x. When I try to change the dynamic IP range to 10.x, the SA520 tells me that this is not allowed... how can I make it both?

New Member

Re: Establish a Remote VPN connection to my SA520 Firewall

Here is some information about the config... could be that it helps.

IKE Policy Configuration

General
  Policy Name: VPN (grey)
  Direction / Type: Responder
  Exchange Mode: Aggressive

Local
  Identifier Type: FQDN
  Identifier: Local.com

Remote
  Identifier Type: FQDN
  Identifier: 0.0.0.0

IKE SA Parameters
  Encryption Algorithm: AES-128
  Authentication Algorithm: SHA-1
  Authentication Method: Pre-Shared key
  Pre-shared key: Xxxxxxxxx
  Diffie-Hellman (DH) Group: Group 2 (1024 bit)
  SA-Lifetime (sec): 28800
  Enable Dead Peer Detection: Not tagged
  Detection Period: 10 (grey)
  Reconnect after failure count: 3 (grey)

Extended Authentication
  XAUTH Configuration: Edge Device
  Authentication Type: User Database
  User Name:
  Password:

VPN Policy Configuration

General
  Policy Name: VPN
  Policy Type: Auto Policy
  Select Local Gateway: Dedicated WAN
  Remote Endpoint: FQDN 0.0.0.0
  Enable Mode Config: Yes tagged
  Enable NetBIOS? Not tagged
  Enable RollOver? Not tagged

Local Traffic Selection
  Local IP: Grey (cannot enter anything)
  Start IP Address: Grey (cannot enter anything)
  End IP Address: Grey (cannot enter anything)
  Subnet Mask: Grey (cannot enter anything)

Remote Traffic Selection
  Remote IP: Any
  Start IP Address: Grey (cannot enter anything)
  End IP Address: Grey (cannot enter anything)
  Subnet Mask: Grey (cannot enter anything)

Manual Policy Parameters
  SPI-Incoming: Grey (cannot enter anything)
  SPI-Outgoing: Grey (cannot enter anything)
  Encryption Algorithm: AES-128
  Key-In: Grey (cannot enter anything)
  Key-Out: Grey (cannot enter anything)
  Integrity Algorithm: SHA-1
  Key-In: Grey (cannot enter anything)
  Key-Out: Grey (cannot enter anything)

Auto Policy Parameters
  SA Lifetime: 3600
  Encryption Algorithm: AES-128
  Integrity Algorithm: SHA-1
  PFS Key Group: yes tagged, DH Group 2 (1024 bit)
  Select IKE Policy: VPN

Redundant VPN Gateway Parameters
  Enable Redundant Gateway:
  Select Back-up Policy:
  Failback time to switch from back-up to primary: (Seconds)

Dynamic IP Range

Dynamic IP Range Configuration
  Tunnel Mode: Split Tunnel
  Start IP Address: 192.168.12.x (cannot change to LAN 10.x; the SA520 will not allow it)
  End IP Address: 192.168.12.x (cannot change to LAN 10.x; the SA520 will not allow it)
  Primary DNS (Optional): 192.168.12.x
  Secondary DNS (Optional):
  Primary WINServer (Optional):
  Secondary WINServer (Optional):

Re: Establish a Remote VPN connection to my SA520 Firewall

You might try adding an Access Rule that allows Source LAN, Destination WAN, Source IP 10.x, Destination IP 12.x, and another Access Rule with everything reversed.


Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: Establish a Remote VPN connection to my SA520 Firewall

Hi Shawn

Sorry for my additional question, but I am not so familiar with firewalls and VPNs.

These Access Rules are two rules which I have to make in the Firewall. Is that right? So no static route? Can you give me an example of how I have to configure this?

Kind Regards

Adrian

Re: Establish a Remote VPN connection to my SA520 Firewall

Firewall -> IPv4 Rules

Rule 1
  From Zone - LAN
  To Zone - WAN
  Service - ANY
  Action - ALLOW Always
  Source Hosts - 192.168.10.1-192.168.10.254
  Destination Hosts - 192.168.12.110-192.168.12.120

Rule 2
  From Zone - WAN
  To Zone - LAN
  Service - ANY
  Action - ALLOW Always
  Source Hosts - 192.168.12.110-192.168.12.120
  Destination Hosts - 192.168.10.1-192.168.10.254

If you already have a BLOCK Always Access Rule, ensure you move these two rules so that they are processed before the BLOCK Always Access Rule.  I can't promise that this will fix it, but this is similar to how you can address this in an ASA.  If that doesn't fix it, I would delete both of these new rules, so you don't forget about them.

I must admit that I'm a little handicapped here since I don't have a SA520 I can test with and have been utilizing the SA500 Emulator up to this point.  Let me know the results of your efforts and I'll see if I can't continue to assist.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

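The two rules above only help if they are hit before any existing "BLOCK Always" rule, as the post says. The following is an added illustration (not SA520 code or a Cisco tool) that models the SA520's top-down, first-match rule processing with the zones and host ranges from the thread, and shows how the outcome flips depending on where a pre-existing block rule sits; the implicit default of BLOCK when nothing matches is an assumption.

```python
# Added example: first-match evaluation of SA520-style IPv4 access rules.
# Illustrative model only (not SA520 firmware behaviour); field names mirror
# the rule fields used in the thread: zones, action and source/destination
# host ranges. Service is treated as ANY throughout.
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    from_zone: str
    to_zone: str
    action: str           # "ALLOW" or "BLOCK"
    src_range: tuple      # (first_ip, last_ip) as dotted strings
    dst_range: tuple


def _in_range(ip, rng):
    lo, hi = (ipaddress.ip_address(x) for x in rng)
    return lo <= ipaddress.ip_address(ip) <= hi


def evaluate(rules, from_zone, to_zone, src, dst):
    """Return the action of the first matching rule, processed top-down."""
    for r in rules:
        if (r.from_zone, r.to_zone) == (from_zone, to_zone) \
                and _in_range(src, r.src_range) and _in_range(dst, r.dst_range):
            return r.action
    return "BLOCK"        # assumed implicit deny when no rule matches


ANY = ("0.0.0.0", "255.255.255.255")
# The two rules proposed in the thread: LAN .10.1-.10.254 <-> VPN pool .12.110-.12.120
LAN_TO_VPN = Rule("LAN", "WAN", "ALLOW",
                  ("192.168.10.1", "192.168.10.254"), ("192.168.12.110", "192.168.12.120"))
VPN_TO_LAN = Rule("WAN", "LAN", "ALLOW",
                  ("192.168.12.110", "192.168.12.120"), ("192.168.10.1", "192.168.10.254"))
# A pre-existing "BLOCK Always" rule for everything arriving from the WAN zone.
BLOCK_ALL_INBOUND = Rule("WAN", "LAN", "BLOCK", ANY, ANY)


def client_can_reach_lan(rules, client_ip="192.168.12.110", lan_host="192.168.10.20"):
    """True only if both the request (WAN->LAN) and the reply (LAN->WAN) are allowed."""
    inbound = evaluate(rules, "WAN", "LAN", client_ip, lan_host)
    outbound = evaluate(rules, "LAN", "WAN", lan_host, client_ip)
    return inbound == "ALLOW" and outbound == "ALLOW"


if __name__ == "__main__":
    print("allow rules above block:", client_can_reach_lan([LAN_TO_VPN, VPN_TO_LAN, BLOCK_ALL_INBOUND]))
    print("block rule above allow: ", client_can_reach_lan([BLOCK_ALL_INBOUND, LAN_TO_VPN, VPN_TO_LAN]))
```

A client address outside the pool (for example 192.168.12.130) is blocked in either ordering, which is why the rule's host ranges should match the Dynamic IP Range exactly.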
New Member

Re: Establish a Remote VPN connection to my SA520 Firewall

Thank you Shawn

For the next three days I am not able to test it. But when I am back I will give you feedback as fast as possible.

Thank you

New Member

Re: Establish a Remote VPN connection to my SA520 Firewall

Hi Shawn

I tried in the last few days to establish a VPN connection, but without success. I don't know what I should do to get this .... Do you have an answer for me, or is there someone who is familiar with the SA-520?

Kind Regards

Adrian

Re: Establish a Remote VPN connection to my SA520 Firewall

Adrian,
I'd recommend opening a case with SMB support. I'm sorry I wasn't able to assist you more.

http://www.cisco.com/cisco/web/solutions/small_business/small_business_support_and_resources.html



Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.