Thursday, July 31, 2014

Site to Site VPN with Cisco ASA and Sonicwall NSA Series

Set up three site to site VPN tunnels recently for a project.  One was a Cisco ASA and the other a Sonicwall NSA series.

We ran into two issues:
Problem 1: While setting up the tunnel with the ASA, we couldn't get the second IKE phase to agree. We were seeing an error that looked something like "destination host does not match remote host" or some business.

Problem 2: Users at the main site (Site A) couldn't connect to the other two sites (Site B, Site C) when connecting over Sonicwall Global VPN Client.

Our Solutions:
Problem 1:
Cisco and Sonicwall notate subnets differently.  If you have a LAN range defined in the Sonicwall but something like 172.16.0.1/21 notated in the Cisco, they will not translate.
The solution is to create a network in the Sonicwall with the matching netmask (172.16.0.1 with the netmask of 255.255.248.0 or applicable netmask).
They will then agree.
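A pre-check for the Problem 1 mismatch, as an added example that is not part of the original post: it normalises each firewall's definition of the same LAN and reports whether the two describe the same network and netmask. The dictionary layout, the function names and the range endpoints are constructed for illustration and are not a Sonicwall or ASA export format.

```python
import ipaddress

def normalize(obj):
    """Reduce one firewall's definition of a LAN to a comparable tuple."""
    kind = obj["type"]
    if kind == "cidr":        # e.g. 172.16.0.1/21 as written on the ASA side
        # strict=False masks off host bits, so .1/21 becomes 172.16.0.0/21
        return ("network", ipaddress.ip_network(obj["value"], strict=False))
    if kind == "network":     # address + dotted netmask
        return ("network", ipaddress.ip_network(
            f'{obj["address"]}/{obj["mask"]}', strict=False))
    if kind == "range":       # first-last address pair
        return ("range", ipaddress.ip_address(obj["start"]),
                ipaddress.ip_address(obj["end"]))
    raise ValueError(f"unknown object type: {kind}")

def describe(sel):
    """Render a normalized selector as text for the mismatch report."""
    if sel[0] == "network":
        return f"{sel[1].network_address} {sel[1].netmask}"
    return f"{sel[1]}-{sel[2]}"

def compare_selectors(side_a, side_b):
    """Return (match, reason) for two definitions of the same LAN."""
    a, b = normalize(side_a), normalize(side_b)
    if a[0] != b[0]:
        return False, (f"{a[0]} ({describe(a)}) vs {b[0]} ({describe(b)}): "
                       "define both ends as network + netmask")
    if a != b:
        return False, f"{describe(a)} does not equal {describe(b)}"
    return True, f"both ends describe {describe(a)}"

# Constructed sample objects (the dict layout is hypothetical, not a vendor format)
ASA_LAN = {"type": "cidr", "value": "172.16.0.1/21"}
SW_RANGE = {"type": "range", "start": "172.16.0.1", "end": "172.16.7.254"}
SW_WRONG_MASK = {"type": "network", "address": "172.16.0.1", "mask": "255.255.255.0"}
SW_FIXED = {"type": "network", "address": "172.16.0.1", "mask": "255.255.248.0"}

if __name__ == "__main__":
    for name, obj in [("range", SW_RANGE), ("wrong mask", SW_WRONG_MASK),
                      ("fixed", SW_FIXED)]:
        ok, reason = compare_selectors(obj, ASA_LAN)
        print(f"{name:10} {'OK' if ok else 'MISMATCH'}: {reason}")
```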

Problem 2:
Even if you were able to connect to the other sites before, but can no longer after setting up the tunnel, there is an easy fix. I found this all over the internet unanswered, but after logging into Sonicwall's site you get the following KB article:
https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=7122&p=t


Add the site to site remote network to the GVC user's VPN access list in the UTM web management GUI.  Or, you can do this for an entire local users group and users will inherit this VPN access permission when they connect with GVC the next time.  Please follow the procedure as below:

1) Log into the firewall web management GUI, go to the Users > Local Users screen.

2) Click the configure button of the GVC user or user Group that you want to modify.

3) Navigate to VPN Access tab inside the Edit window for the user.

4) Select the Remote VPN network and move it to the right.

5) Click OK to complete.

6) Now when GVC user connects to WAN GroupVPN on the SonicOS Enhanced UTM appliance, they will have access to networks at two locations.



There is one additional step - on the ASA you need to make sure that the VPN subnet has access in NAT0.

Monday, July 7, 2014

Sharepoint 2010 All Day Events are 12 hours off

Sharepoint 2010 doesn't adjust for timezones, so all day events usually show on the wrong day. This is because of the UTC time and Sharepoint.  The short answer is - sort by "end time" instead of writing lots of code - it's not a perfect solution but it's better.