Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
685
Views
0
Helpful
3
Replies

Cisco VPN Vs SonicWall

alexus
Level 1
Level 1

‎12-22-2003 09:21 AM - edited ‎02-21-2020 12:58 PM

Hello

I'm trying to setup a VPN between Cisco PIX and SonicWall

I went through wizard on Cisco PIX and I added appropriate options on SonicWall, and it's not working.

When I'm trying to ping one of my computers that on PIX side, I get TTL expired in transit.

here is my PIX's configuration (i only took out passwords)

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

enable password password encrypted

passwd password encrypted

hostname hostname

domain-name domain.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

name 66.9.147.254 office

access-list inside_outbound_nat0_acl permit ip interface inside interface outside

access-list outside_cryptomap_20 permit ip interface inside interface outside

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside x.x.x.x 255.255.255.192

ip address inside 10.10.10.10 255.0.0.0

no ip address intf2

ip audit info action alarm

ip audit attack action alarm

pdm location office x.x.x.x outside

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

route outside x.x.x.x x.0.0.0 x.9.x.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

http server enable

http office x.x.x.255 outside

http 10.10.10.10 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer office

crypto map outside_map 20 set transform-set ESP-DES-SHA

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address office netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet timeout 5

ssh x.x.x.x x.255.255.255 outside

ssh timeout 5

console timeout 0

dhcpd address 10.1.0.1-10.1.0.254 inside

dhcpd dns 160.79.6.130 160.79.5.130

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

username user password xxxxxxx

privilege 15

terminal width 80

Cryptochecksum:xxxxxxx

: end

[OK]

Labels:
0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎12-22-2003 02:10 PM

You've set up the encrypted traffic to be this:

access-list inside_outbound_nat0_acl permit ip interface inside interface outside

access-list outside_cryptomap_20 permit ip interface inside interface outside

That is, only encrypt traffic that has a source address of your PIX inside interface, going to the PIX outside interface, this is NOT what you want. You have to specify the traffic as coming FROM the PIX inside subnet (10.0.0.0/8) going to the subnet behind the Sonicwall. The above two access-lists should end up looking like:

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0

access-list outside_cryptomap_20 permit ip 10.0.0.0 255.0.0.0

Feel free to make his change via the command-line, then load up PDM again and you'll see where these should have been specified.

0 Helpful

alexus
Level 1
Level 1
In response to gfullage

‎12-24-2003 09:44 AM

Yes, I've changed that, that was my mistake, however it didn't really help..

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 olan 255.255.255.0

access-list outside_cryptomap_20 permit ip 10.0.0.0 255.0.0.0 olan 255.255.255.0

thats my new access-list

I've made more changes, so i'll repost my config file

cpix(config)# wr t

Building configuration...

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

enable password ***** encrypted

passwd ***** encrypted

hostname cpix

domain-name domain.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

name 66.9.147.254 opip

name 192.168.1.0 olan

name 24.188.13.29 ha

name 64.237.55.82 aorg

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 olan 255.255.255.0

access-list outside_cryptomap_20 permit ip 10.0.0.0 255.0.0.0 olan 255.255.255.0

pager lines 24

logging on

logging timestamp

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside x.x.x.x x.255.255.192

ip address inside 10.10.10.10 255.0.0.0

no ip address intf2

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpn 10.10.10.11-10.10.10.13

pdm location opip x.x.255.255 outside

pdm location ha x.x.255.255 outside

pdm location olan x.x.255.0 outside

pdm location x.x.x.x 255.255.255.248 outside

pdm location aorg 255.255.255.255 outside

pdm logging emergencies 100

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 66.9.147.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

http server enable

http opip x.x.255.255 outside

http ha x.x.255.255 outside

http 10.10.10.10 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer opip

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address opip netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet timeout 5

ssh opip 255.255.255.255 outside

ssh ha 255.255.255.255 outside

ssh aorg 255.255.255.255 outside

ssh timeout 60

console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40

vpdn group PPTP-VPDN-GROUP client configuration address local vpnpn

vpdn group PPTP-VPDN-GROUP client configuration dns 160.79.6.130 160.79.5.130

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username user password *********

vpdn enable outside

dhcpd address 10.1.0.1-10.1.0.254 inside

dhcpd dns 160.79.6.130 160.79.5.130

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

username user password ***** encrypted privilege 15

terminal width 80

banner exec session

banner login login

banner motd motd

Cryptochecksum:xxxxxx

: end

[OK]

cpix(config)#

0 Helpful

jmia
Level 7
Level 7
In response to alexus

‎01-06-2004 09:20 AM

Hi Dimitry,

I don't know if you've read the following document from SonicWall regarding VPN with Cisco PIX ?

This is a PDF:

http://www.sonicguard.com/Datasheet/SonicWALLVPN_with_Cisco_PIX_using_IKE.pdf

Let me know if this helps - Jay.

0 Helpful
Customers Also Viewed These Support Documents