Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Site-to-Site VPN between Cisco ASA 5505 and Sonicwall TZ170

I'm trying to set up a site-to-site VPN between our datacenter and office.  The datacenter has a Cisco ASA 5505 and the office has a Sonicwall TZ170.  I have managed to configure both so that the vpn connects.  From each of the firewalls I can ping the internet firewall IP on the other side and from an office computer I can ping the internal datacenter firewall IP but I cannot route traffic between the datacenter and office private subnets.  Can anyone help?

The below config has had IPs/passwords changed.

Datacenter External: 1.1.1.4

Office External: 1.1.1.1

Datacenter Internal: 10.5.0.1/24

Office Internal: 10.10.0.1/24

: Saved
:
ASA Version 8.2(1)
!
hostname datacenterfirewall
domain-name mydomain.tld
enable password <removed> encrypted
passwd <removed> encrypted
names
name 10.10.0.0 OfficeNetwork
name 10.5.0.0 DatacenterNetwork
!
interface Vlan1
nameif inside
security-level 100
ip address 10.5.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.4 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!            
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name buydomains.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list pixtosw extended permit ip DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list pixtosw extended permit icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list pixtosw extended permit ip OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
access-list pixtosw extended permit icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip any OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip OfficeNetwork 255.255.255.0 any
access-list outside_cryptomap_66.1 extended permit icmp any OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit icmp OfficeNetwork 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside OfficeNetwork 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.5.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set walthamoffice esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ciscopix 1 match address outside_cryptomap_66.1
crypto dynamic-map ciscopix 1 set transform-set walthamoffice
crypto dynamic-map ciscopix 1 set reverse-route
crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix
crypto map dynmaptosw interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 13
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.5.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.5.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.5.0.2-10.5.0.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.250.45.2 source outside
ntp server 72.18.205.157 source outside
ntp server 208.53.158.34 source outside
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
username admin password <removed> encrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: end

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Site-to-Site VPN between Cisco ASA 5505 and Sonicwall TZ170

Mattew, one obious statement missing  is the  nat exempt rule for your tunnel..  your access list pixtosw is similar on this example I assume you have gone through this link, if not review configs at both sides.

add the nonat rule statement in asa  and try again.

nat (inside) 0 access-list pixtosw

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

Regards

2 REPLIES

Re: Site-to-Site VPN between Cisco ASA 5505 and Sonicwall TZ170

Mattew, one obious statement missing  is the  nat exempt rule for your tunnel..  your access list pixtosw is similar on this example I assume you have gone through this link, if not review configs at both sides.

add the nonat rule statement in asa  and try again.

nat (inside) 0 access-list pixtosw

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

Regards

Community Member

Re: Site-to-Site VPN between Cisco ASA 5505 and Sonicwall TZ170

Sorry for the delay in response.  This was the fix, it looks like when I originally configured the ASA there was an error adding that nat rule and it didn't take.  I was able to figure out what the issue was and re-add that nat command and it works successfully.

thank you

-matt

14544
Views
0
Helpful
2
Replies
CreatePlease to create content