10-10-2013 11:51 PM - edited 03-04-2019 09:17 PM
I have a Cisco 5505 and a TZ170 Sonicwall.
I have an IPSec tunnel up but I cannot ping or run DNS over it. Basically no network resources can be accessed between sites on either side.
Here is my configuration (as created by ASDM, which I am growing a distaste for after it has screwed up much of my original CLI input). Thanks for any help you can give me.
Router# sho run
: Saved
:
ASA Version 8.2(5)
!
hostname PFDowntown
domain-name golds.local
enable password s4sg6AZKKWez7RdB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.3 Server description dns server
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
domain-name golds.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network net-local
network-object 192.168.2.0 255.255.255.0
object-group network net-remote
network-object 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.0
access-list outside_1_cryptomap extended permit ip interface inside any
access-list outside_1_cryptomap extended permit ip any interface inside
access-list outside_1_cryptomap extended permit ip object-group net-local object-group net-remote
access-list outside_1_cryptomap extended permit ip object-group net-remote object-group net-local
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any eq isakmp
access-list inside_access_in_1 extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list global_mpc extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in_1 in interface inside control-plane
access-group outside_access_in in interface outside
!
router rip
network 192.168.0.0
!
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client update dns server both
dhcpd auto_config outside
!
dhcpd address 192.168.2.50-192.168.2.100 inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside
dhcpd domain golds.local interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value inside_nat0_outbound
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
username admin password Rras1ufhYNBlonui encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key xxxxxx
peer-id-validate nocheck
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx general-attributes
default-group-policy GroupPolicy1
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
tunnel-group-map default-group xx.xx.xx.xx
!
class-map global-class
match access-list global_mpc
!
!
policy-map global-policy
class global-class
inspect icmp
!
service-policy global-policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:6782a2577ba1b1b11aaf4b617752a3b6
: end
Router#
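An added example, not part of the thread or of Cisco's documentation, showing how the NAT exemption and crypto ACL in the configuration above would look reduced to the two LAN subnets, plus the commands to verify the result. It uses the addresses from the post (local 192.168.2.0/24, remote 192.168.0.0/24, DNS server 192.168.0.3); the peer address stays a placeholder. Three things in the posted config are worth noting. Both nat0 ACLs use "host 192.168.0.0", which matches the single address 192.168.0.0 and not the /24, so traffic to 192.168.0.3 falls through to "nat (inside) 1" and is PAT'd to the outside address. The crypto ACL carries "interface inside any" entries in addition to the subnet pair, and the peer only has the subnet pair to match against. And DfltGrpPolicy carries "vpn-filter value inside_nat0_outbound"; GroupPolicy1 inherits any attribute it does not set itself, and a vpn-filter ACL is matched with the remote network as the source and ends with an implicit deny.

```cisco
! Added example (not from the thread): ASA 8.2(5) L2L fragment with the
! NAT exemption and crypto ACL limited to the two LAN subnets.
! Subnets are those from the post; the peer address is a placeholder.
object-group network net-local
 network-object 192.168.2.0 255.255.255.0
object-group network net-remote
 network-object 192.168.0.0 255.255.255.0
!
! NAT exemption as a subnet-to-subnet match. "host 192.168.0.0" matches
! only the address 192.168.0.0 itself, so 192.168.0.3 is not exempted.
no nat (inside) 0 access-list inside_nat0_outbound_1
no nat (inside) 0 access-list inside_nat0_outbound outside
clear configure access-list inside_nat0_outbound
clear configure access-list inside_nat0_outbound_1
access-list inside_nat0_outbound extended permit ip object-group net-local object-group net-remote
nat (inside) 0 access-list inside_nat0_outbound
!
! Crypto ACL: only the subnet pair. The "interface inside" / "any" entries
! produce proxy identities the SonicWall side has not been configured for.
clear configure access-list outside_1_cryptomap
access-list outside_1_cryptomap extended permit ip object-group net-local object-group net-remote
crypto map outside_map 1 match address outside_1_cryptomap
!
! The vpn-filter on DfltGrpPolicy is inherited by GroupPolicy1 and ends in
! an implicit deny. Drop it until traffic flows; if a filter is wanted
! later, write it remote-to-local and apply it to GroupPolicy1 explicitly.
group-policy DfltGrpPolicy attributes
 no vpn-filter
!
! Existing translations keep their old NAT decision until cleared.
clear xlate
!
! Verify: the trace should show the packet leaving via the VPN with a
! final result of ALLOW, and the SA counters should increase on both
! #pkts encaps and #pkts decaps when a host on the far side is pinged.
packet-tracer input inside icmp 192.168.2.50 8 0 192.168.0.3 detailed
show crypto ipsec sa peer xx.xx.xx.xx
```

Two caveats. The ISAKMP policy and transform set (3DES, SHA-1, DH group 2, pre-shared key) are what the SonicWall side must mirror exactly; they are dated by today's standards, but changing them is a separate step from getting traffic to pass, and both ends have to move together. Second, "crypto isakmp enable inside" and the telnet line on the inside interface are not needed for a site-to-site tunnel terminated on the outside interface; removing them later reduces what the box listens for on the LAN.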
10-15-2013 05:14 AM
Thank you for trying the ping from a PC. I believe that we should check on the possibility that there is some mismatch in the VPN config between the ASA and the Sonicwall. Can you get the details of the VPN configuration from the Sonicwall?
Another possible thing to do would be to run debug for IPSec, try the ping, and post the debug output. Perhaps there would be something there that would point out the issue.
HTH
Rick
10-18-2013 09:35 PM
Sorry for the delay; I had some phone-switching nightmares for a while, but now I am back to solving this issue, as it has become a sore point for us (can't access their files on the server each day over the VPN tunnel). It seems to be an ACL rule that is preventing it from leaving the ASA. However, I can see that rule in ASDM but cannot find it in the configuration in the CLI; the inside is not permitting traffic to the outside (any any deny), which is an implicit rule... but what globally is this inheriting from? Not sure. ASDM is sometimes more confusing than the CLI, but to its credit the packet tracer allowed me to see which ACL was dropping my packets. Any help would be appreciated.
10-18-2013 09:41 PM
10-19-2013 10:02 PM
OK, after working on this a little, I have reconfigured the NAT section, which allowed me to start pinging IP addresses. I can also browse by IP, i.e., \\192.168.0.3, but I cannot ping or browse by hostname, i.e., \\server, so I revised the DHCP server to include the DNS server 192.168.0.3 and renewed the IP; ipconfig /all reports the change. I also restarted the PC and still cannot resolve... getting closer. Thanks for all your help on this!
Michael
10-19-2013 10:03 PM
P.S. Packet tracer in ASDM still has the same issue: it drops the packet at the implicit deny rule, and nothing ahead of it stops that???? Weird to be able to ping and browse by IP through that???
10-19-2013 10:11 PM
UPDATE: I can ping by FQDN from the DNS server 192.168.0.3 to the .2.50 network, just not the other way around... soooo close!
10-21-2013 09:52 PM
UPDATE: I can now ping hostnames on both sides of the VPN; however, I cannot browse the network on either side. I can map drives etc. by hostname or IP...
Thanks for any help anyone can give on this... I know I am missing something here. At this point I have probably opened up the router too much trying to get this far.
Thanks
Michael
10-24-2013 07:15 AM
Michael
I am glad that you can now ping hostnames on both sides and can map drives by name or by IP. When you say that you cannot browse the network on either side, are we talking about a web browser to a server on the other side, or something else?
HTH
Rick