
STS Tunnel Setup in between Cisco ASA and Sonicwall Firewall.

Adley Francois
Level 1

Hello Experts:

I need assistance in order to set up an STS tunnel between a Cisco and a SonicWall firewall. Phase 1 is up, but the local IPs that are NATted to public IPs over the STS tunnel are not communicating with each other. Take a look at the following config:

Cisco:

Gateway: 125.x.x.1

Local IP: 10.1.10.1, NATted to 125.x.x.24, which is added into the crypto traffic so that the remote network communicates using the public IP over the STS tunnel.

Sonicwall:

Gateway: 121.x.x.1

Local IP: 192.168.1.1, NATted to 121.x.x.24, which I also added in the network config, but the communication is not working.

Please advise whether communication is possible over public IPs, as I have no problem if I use local IPs.

Thanks

1 Reply

Hi Adley,

If you are doing one-to-one NAT to translate only 10.1.10.1 --> 125.X.X.24 and 192.168.1.1 --> 121.x.X.24, and not the whole subnet, you can do it on both sides. However, if you do PAT, translating the whole subnet to one IP on both ends, that becomes port-based communication, and how would you know which port number a given host is using at the moment? You are not going to be doing --> show xlate | inc <Internal IP address>.

What I can recommend, if you are doing PAT translation for a whole subnet and not just one host, is to PAT one side and leave the other side using its private IP addresses for the interesting traffic, for example:

Cisco:

access-list VPN permit ip host 125.x.x.24 192.168.1.0 255.255.255.0

SonicWall:

You have the GUI, and you can define the destination as the IP address --> 125.X.X.24 and your source as 192.168.1.0/24.

-------------------------------------------------------------------------------------------------------------------------------

Please attach the following output:

- show crypto isakmp sa

- show crypto ipsec sa

- show run crypto map

- show access-list <ACL under the crypto map>

Let me know how it works out!

Please don't forget to rate and mark as correct the helpful Post!

Regards,

David Castro,
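The reply's point is that NAT is applied before the crypto ACL is evaluated, so the address you NAT to must be the one that appears in the crypto ACL on the Cisco side and in the mirrored policy on the SonicWall side; if the two selectors do not mirror each other, the phase 2 proxy IDs disagree and nothing crosses the tunnel even though phase 1 is up. The following toy model, added here as an illustration and not code from either vendor or from the thread, walks a packet through that sequence for three configurations: the one-sided design recommended above, one-to-one NAT on both sides, and the common mistake of the peer still naming the private address. The addresses 125.0.0.24 and 121.0.0.24 are constructed stand-ins for the masked 125.x.x.24 and 121.x.x.24 in the thread.

```python
"""Toy model of how a one-to-one NAT interacts with the crypto ACL (proxy IDs)
on each side of a site-to-site IPsec tunnel.

Added illustration only: this is not Cisco ASA or SonicWall code. The addresses
125.0.0.24 and 121.0.0.24 are constructed stand-ins for the masked 125.x.x.24
and 121.x.x.24 public addresses mentioned in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class CryptoAce:
    """One 'permit ip <src> <dst>' line of a crypto ACL."""
    src: IPv4Network
    dst: IPv4Network


@dataclass
class Site:
    name: str
    # one-to-one NAT: inside host -> public address, applied before encryption
    nat: dict[IPv4Address, IPv4Address]
    crypto_acl: list[CryptoAce]

    def outbound_src(self, ip: IPv4Address) -> IPv4Address:
        """Translate a local source address if a static NAT entry exists."""
        return self.nat.get(ip, ip)

    def inbound_dst(self, ip: IPv4Address) -> IPv4Address:
        """Reverse the static NAT for traffic arriving through the tunnel."""
        for inside, public in self.nat.items():
            if public == ip:
                return inside
        return ip

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """Is src->dst 'interesting traffic' for this site's crypto map?"""
        return any(src in ace.src and dst in ace.dst for ace in self.crypto_acl)


def send(sender: Site, receiver: Site, src: str, dst: str) -> tuple[bool, str]:
    """Simulate one packet from `sender` to `receiver`.

    Returns (delivered, explanation). The receiver must hold the mirror image
    of the sender's selector (its local side = our destination); otherwise the
    phase 2 proxy IDs do not agree and the traffic never crosses the tunnel.
    """
    s, d = ip_address(src), ip_address(dst)
    tsrc = sender.outbound_src(s)  # NAT happens before the crypto ACL check
    if not sender.matches(tsrc, d):
        return False, f"{sender.name}: {tsrc}->{d} is not in the crypto ACL"
    if not receiver.matches(d, tsrc):
        return False, f"{receiver.name}: proxy ID mismatch, no selector for {d}->{tsrc}"
    return True, f"delivered to {receiver.inbound_dst(d)} from {tsrc}"


# Scenario 1: the design recommended in the reply. Cisco NATs its host to a public
# address and lists that address in the crypto ACL; SonicWall keeps its private LAN.
def recommended_design() -> tuple[Site, Site]:
    cisco = Site("cisco",
                 {ip_address("10.1.10.1"): ip_address("125.0.0.24")},
                 [CryptoAce(ip_network("125.0.0.24/32"), ip_network("192.168.1.0/24"))])
    sonicwall = Site("sonicwall", {},
                     [CryptoAce(ip_network("192.168.1.0/24"), ip_network("125.0.0.24/32"))])
    return cisco, sonicwall


# Scenario 2: one-to-one NAT on both sides, each crypto ACL naming only public addresses.
def nat_both_sides() -> tuple[Site, Site]:
    cisco = Site("cisco",
                 {ip_address("10.1.10.1"): ip_address("125.0.0.24")},
                 [CryptoAce(ip_network("125.0.0.24/32"), ip_network("121.0.0.24/32"))])
    sonicwall = Site("sonicwall",
                     {ip_address("192.168.1.1"): ip_address("121.0.0.24")},
                     [CryptoAce(ip_network("121.0.0.24/32"), ip_network("125.0.0.24/32"))])
    return cisco, sonicwall


# Scenario 3: a common mistake. Cisco NATs its host, but the SonicWall policy still
# names the private 10.1.10.1, so the selectors on the two ends disagree.
def peer_acl_uses_private_address() -> tuple[Site, Site]:
    cisco, _ = recommended_design()
    sonicwall = Site("sonicwall", {},
                     [CryptoAce(ip_network("192.168.1.0/24"), ip_network("10.1.10.1/32"))])
    return cisco, sonicwall


if __name__ == "__main__":
    for label, build, dst in [("recommended", recommended_design, "192.168.1.1"),
                              ("nat both sides", nat_both_sides, "121.0.0.24"),
                              ("peer uses private", peer_acl_uses_private_address, "192.168.1.1")]:
        cisco, sonicwall = build()
        print(f"{label:18} {send(cisco, sonicwall, '10.1.10.1', dst)}")
```

In the recommended design the return path also works because the SonicWall sends from its private LAN to 125.0.0.24 and the Cisco's crypto ACL mirrors that before the static NAT is undone on the inside; on a real ASA the `show crypto ipsec sa` output requested above shows exactly these local and remote identities, which is the quickest way to spot a selector that names the wrong (private or public) address.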
