Thursday, July 31, 2014

Site to Site VPN with Cisco ASA and Sonicwall NSA Series

We recently set up three site-to-site VPN tunnels for a project. One end of each tunnel was a Cisco ASA and the other a Sonicwall NSA series.

We ran into two issues:
Problem 1: While setting up the tunnel with the ASA, we couldn't get IKE Phase 2 to agree. We were seeing an error that looked something like "destination host does not match remote host" or some business.

Problem 2: Users at the main site (Site A) couldn't connect to the other two sites (Site B, Site C) when connecting over Sonicwall Global VPN Client.

Our Solutions:
Problem 1:
Cisco and Sonicwall describe subnets differently. If the network is defined as an address range in the Sonicwall but as a prefix such as 172.16.0.1/21 in the Cisco, the two sides will not translate into matching Phase 2 networks.
The solution is to create a Network address object in the Sonicwall with the matching netmask (172.16.0.1 with the netmask 255.255.248.0, or whatever netmask applies).
The two sides will then agree.

Problem 2:
If you were able to connect to the other sites before, but can no longer do so after setting up the tunnel, there is an easy fix. I found the question asked all over the internet and left unanswered, but after logging into Sonicwall's site you get the following KB article:
https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=7122&p=t


Add the site to site remote network to the GVC user's VPN access list in the UTM web management GUI.  Or, you can do this for an entire local users group and users will inherit this VPN access permission when they connect with GVC the next time.  Please follow the procedure as below:

1) Log into the firewall web management GUI, go to the Users > Local Users screen.

2) Click the configure button of the GVC user or user Group that you want to modify.

3) Navigate to the VPN Access tab inside the Edit window for the user.

4) Select the Remote VPN network and move it to the right.

5) Click OK to complete.

6) Now when the GVC user connects to WAN GroupVPN on the SonicOS Enhanced UTM appliance, they will have access to networks at two locations.



There is one additional step: on the ASA, make sure the VPN client subnet is covered by the NAT exemption (NAT0) rules, so that traffic to it is not translated before it enters the tunnel.
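The two ASA-side mistakes described in this post (a Phase 2 network that the Sonicwall defines as a range rather than a subnet, and a VPN subnet missing from NAT0) are both easy to catch by comparing the ASA's ACLs against the Sonicwall address objects before bringing the tunnel up. The following script is an added example written for this post, not code from the original article or from either vendor. All configuration lines, ACL names (VPN-ACL, NAT0-ACL), subnets and address objects are constructed sample data chosen to mirror the 172.16.0.0/21 case above; the pre-8.3 `nat (inside) 0 access-list` style of NAT exemption is assumed.

```python
"""Check ASA crypto/NAT0 ACLs against SonicWall address objects.

Added example, not from the original post. Every config line and address
object below is constructed sample data; ACL names and subnets are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Matches "access-list NAME extended permit ip SRC SMASK DST DMASK" (ASA syntax).
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


@dataclass(frozen=True)
class AclEntry:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_asa_acls(config: str) -> list[AclEntry]:
    """Extract network-to-network permit entries from ASA config text.

    Lines using 'host' or 'any' are ignored here; the ACE lines of interest for
    a site-to-site tunnel are subnet pairs. strict=False masks off host bits,
    so '172.16.0.1 255.255.248.0' becomes 172.16.0.0/21 as the ASA treats it.
    """
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.IPv4Network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.IPv4Network(f"{m['dst']}/{m['dmask']}", strict=False)
        entries.append(AclEntry(m["name"], src, dst))
    return entries


@dataclass(frozen=True)
class SonicWallObject:
    """A SonicWall address object: kind 'network' (addr + netmask) or 'range' (start + end)."""
    name: str
    kind: str
    first: str
    second: str  # netmask for 'network', end address for 'range'

    def as_network(self) -> Optional[ipaddress.IPv4Network]:
        """Return the exact subnet this object encodes, or None if it is not one.

        A range object only maps onto a Phase 2 proxy ID if it spans a whole
        subnet (network address through broadcast). 172.16.0.1-172.16.7.254
        does not, which is exactly the mismatch the post describes.
        """
        if self.kind == "network":
            return ipaddress.IPv4Network(f"{self.first}/{self.second}", strict=False)
        start = ipaddress.IPv4Address(self.first)
        end = ipaddress.IPv4Address(self.second)
        nets = list(ipaddress.summarize_address_range(start, end))
        return nets[0] if len(nets) == 1 else None


def phase2_mismatches(crypto_acl: list[AclEntry], objects: list[SonicWallObject]) -> list[str]:
    """The ASA's destination in the crypto ACL is the SonicWall's local network.

    Report every crypto entry whose destination has no SonicWall object that
    encodes exactly the same subnet; those are the Phase 2 selectors that will
    fail to agree.
    """
    sw_nets = {o.as_network() for o in objects} - {None}
    return [f"{e.name}: no SonicWall network object equals {e.dst}"
            for e in crypto_acl if e.dst not in sw_nets]


def nat0_gaps(crypto_acl: list[AclEntry], nat0_acl: list[AclEntry]) -> list[AclEntry]:
    """Return crypto ACL entries whose src->dst flow is not exempted from NAT.

    A flow is covered when some NAT0 entry's source and destination contain it.
    """
    return [c for c in crypto_acl
            if not any(c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst) for n in nat0_acl)]


# Constructed sample: 10.10.0.0/24 is the ASA LAN, 172.16.0.0/21 the SonicWall LAN,
# 192.168.100.0/24 the GVC client pool. NAT0 deliberately omits the GVC pool.
SAMPLE_ASA_CONFIG = """
access-list VPN-ACL extended permit ip 10.10.0.0 255.255.255.0 172.16.0.0 255.255.248.0
access-list VPN-ACL extended permit ip 10.10.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NAT0-ACL extended permit ip 10.10.0.0 255.255.255.0 172.16.0.0 255.255.248.0
"""

# Constructed sample: LAN defined as a range (the broken state) plus the GVC pool.
SONICWALL_OBJECTS_BEFORE = [
    SonicWallObject("LAN Range", "range", "172.16.0.1", "172.16.7.254"),
    SonicWallObject("GVC Pool", "network", "192.168.100.0", "255.255.255.0"),
]
# Same objects plus the fix from the post: a Network object with the matching netmask.
SONICWALL_OBJECTS_AFTER = SONICWALL_OBJECTS_BEFORE + [
    SonicWallObject("Site B LAN", "network", "172.16.0.1", "255.255.248.0"),
]


def run_checks(config: str, objects: list[SonicWallObject]) -> dict:
    """Run both checks and return their findings keyed by problem."""
    entries = parse_asa_acls(config)
    crypto = [e for e in entries if e.name == "VPN-ACL"]
    nat0 = [e for e in entries if e.name == "NAT0-ACL"]
    return {"phase2": phase2_mismatches(crypto, objects),
            "nat0": [f"{g.src} -> {g.dst} not in NAT0" for g in nat0_gaps(crypto, nat0)]}


if __name__ == "__main__":
    for label, objs in (("before fix", SONICWALL_OBJECTS_BEFORE), ("after fix", SONICWALL_OBJECTS_AFTER)):
        print(label, run_checks(SAMPLE_ASA_CONFIG, objs))
```

Run against the constructed data, the "before" objects flag 172.16.0.0/21 as having no equal SonicWall network object, the "after" objects clear that finding, and the NAT0 check reports the GVC pool flow in both runs, which is the additional ASA step the post ends on.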
