06-09-2020 02:46 PM - edited 06-09-2020 03:08 PM
Hello, I'm trying to fix an issue I'm seeing between an ASA and a Sonicwall NSA. Both sides are reporting "no proposal chosen" and I believe the issue is a mismatch between the local and remote networks that are accessible.
On the Sonicwall I have the following networks set up for IPsec L2L access:
sonicwall
remote
172.16.20.0/24
172.20.1.0/24
10.0.3.6/32
10.0.4.0/24
10.0.6.10/32
local
10.112.0.0/24
172.17.190.0/24
172.16.201.0/24
172.16.204.0/24
172.17.245.0/24
172.17.246.0/24
172.16.249.0/24
10.51.0.0/16
10.70.0.0/24
10.70.1.0/24
172.16.106.0/24
10.80.0.0/24
On the ASA I'm using an ACL for the crypto map match address line, and here is the list:
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list acl--vpn extended permit ip 10.0.4.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 10.51.0.0 255.255.0.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 10.51.0.0 255.255.0.0
access-list acl--vpn extended permit ip 10.0.4.0 255.255.255.0 10.51.0.0 255.255.0.0
access-list acl--vpn extended permit ip host 10.0.3.6 10.51.0.0 255.255.0.0
access-list acl--vpn extended permit tcp host 10.0.3.6 10.51.0.0 255.255.0.0 eq 1001
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 10.70.0.0 255.255.255.0
access-list acl--vpn extended permit ip 10.0.3.0 255.255.255.0 172.16.204.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.16.204.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.16.249.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.17.245.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 10.70.0.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 10.70.1.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 10.70.1.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 10.80.0.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 10.80.0.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.16.106.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 172.16.201.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 172.16.106.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.17.246.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.17.190.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.16.201.0 255.255.255.0
Now I know it's missing some stuff because unfortunately the Sonicwall was moved in a rush and some re-IPing occurred out there that was not updated on the ASA side. But what I'm wondering is, since the Sonicwall's remote and local lists imply that all remote networks to the Sonicwall can access the local ones, will I need to build on the ASA an ACL that has rules for each local network to reach each remote network in a 1:1 fashion?
For example, I think I would need to create rules permitting 10.0.4.0/24 to:
10.112.0.0/24
172.17.190.0/24
172.16.201.0/24
172.16.204.0/24
172.17.245.0/24
172.17.246.0/24
172.16.249.0/24
10.51.0.0/16
10.70.0.0/24
10.70.1.0/24
172.16.106.0/24
10.80.0.0/24
So 11 ACL lines just for the 10.0.4.0/24 network, and the same for all the local ASA networks.
Or, alternatively, create an object for all the local networks on the ASA and an object for all the remote networks and make an ACL: access-list acl--vpn extended permit network-group remote network-group local
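The check the post is asking for can be done mechanically. The script below is an added example and not Cisco or Sonicwall code: it takes the Sonicwall's remote and local lists and the ASA ACL exactly as they appear above, builds the full set of source/destination pairs the Sonicwall will propose, and reports which pairs have no exact `permit ip` ACE on the ASA, which ACEs refer to networks the Sonicwall no longer lists (the re-IPing problem), and which ACEs are narrowed to a protocol or port. Exact matching is used because IKEv1 proxy IDs have to mirror the peer's selectors; a covering supernet is not good enough. It also prints the object-group form of the same policy, using ASA `object-group network` syntax; the group names ASA-LOCAL and SW-LOCAL are assumed, the ACL name acl--vpn is the one from the post.

```python
"""Audit an ASA crypto-map ACL against the peer's local/remote network lists
and print the object-group form of the same policy.  Added example, not Cisco
or Sonicwall code; lists and ACL text come from the post, group names are assumed."""
import ipaddress
import itertools
import re

# Sonicwall VPN policy as listed in the post.  Seen from the ASA, the
# Sonicwall's "remote" networks are the ASA's local (source) side.
SONICWALL_REMOTE = ["172.16.20.0/24", "172.20.1.0/24", "10.0.3.6/32",
                    "10.0.4.0/24", "10.0.6.10/32"]
SONICWALL_LOCAL = ["10.112.0.0/24", "172.17.190.0/24", "172.16.201.0/24",
                   "172.16.204.0/24", "172.17.245.0/24", "172.17.246.0/24",
                   "172.16.249.0/24", "10.51.0.0/16", "10.70.0.0/24",
                   "10.70.1.0/24", "172.16.106.0/24", "10.80.0.0/24"]

# Current ASA crypto ACL, copied from the post.
ASA_ACL = """
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list acl--vpn extended permit ip 10.0.4.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 10.51.0.0 255.255.0.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 10.51.0.0 255.255.0.0
access-list acl--vpn extended permit ip 10.0.4.0 255.255.255.0 10.51.0.0 255.255.0.0
access-list acl--vpn extended permit ip host 10.0.3.6 10.51.0.0 255.255.0.0
access-list acl--vpn extended permit tcp host 10.0.3.6 10.51.0.0 255.255.0.0 eq 1001
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 10.70.0.0 255.255.255.0
access-list acl--vpn extended permit ip 10.0.3.0 255.255.255.0 172.16.204.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.16.204.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.16.249.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.17.245.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 10.70.0.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 10.70.1.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 10.70.1.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 10.80.0.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 10.80.0.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.16.106.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 172.16.201.0 255.255.255.0
access-list acl--vpn extended permit ip 172.20.1.0 255.255.255.0 172.16.106.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.17.246.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.17.190.0 255.255.255.0
access-list acl--vpn extended permit ip 172.16.20.0 255.255.255.0 172.16.201.0 255.255.255.0
"""

ACE_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+(\S+)\s+(.+)$")

def _endpoint(tokens):
    """Consume one ASA address spec: 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Return (proto, src, dst, extra_tokens) for every permit ACE in text."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            proto, rest = m.group(1), m.group(2).split()
            src, rest = _endpoint(rest)
            dst, extra = _endpoint(rest)
            aces.append((proto, src, dst, tuple(extra)))
    return aces

def audit(acl_text, remote, local):
    """Compare the ACL with the exact (src, dst) pairs the peer expects; IKEv1
    proxy IDs must mirror the peer, so only an exact plain 'permit ip' counts."""
    expected = {(ipaddress.ip_network(s), ipaddress.ip_network(d))
                for s, d in itertools.product(remote, local)}
    aces = parse_acl(acl_text)
    covered = {(s, d) for p, s, d, extra in aces if p == "ip" and not extra}
    return {
        "missing": sorted(expected - covered),               # peer pair, no ACE
        "unmirrored": [a for a in aces if (a[1], a[2]) not in expected],  # stale ACE
        "narrowed": [a for a in aces                          # port/proto restricted
                     if (a[1], a[2]) in expected and (a[0] != "ip" or a[3])],
    }

def render_object_group_config(remote, local, acl="acl--vpn",
                               g_local="ASA-LOCAL", g_remote="SW-LOCAL"):
    """ASA config for the poster's alternative: one network object-group per
    side and a single ACE between them (group names are assumed)."""
    def group(name, nets):
        lines = [f"object-group network {name}"]
        for n in map(ipaddress.ip_network, nets):
            lines.append(f" network-object host {n.network_address}"
                         if n.prefixlen == 32 else
                         f" network-object {n.network_address} {n.netmask}")
        return lines
    lines = group(g_local, remote) + group(g_remote, local)
    lines.append(f"access-list {acl} extended permit ip "
                 f"object-group {g_local} object-group {g_remote}")
    return "\n".join(lines)

if __name__ == "__main__":
    report = audit(ASA_ACL, SONICWALL_REMOTE, SONICWALL_LOCAL)
    total = len(SONICWALL_REMOTE) * len(SONICWALL_LOCAL)
    print(f"{len(report['missing'])} of {total} expected pairs have no exact ACE")
    for kind in ("missing", "unmirrored", "narrowed"):
        for entry in report[kind]:
            print(f"  {kind}: {' '.join(str(x) for x in entry)}")
    print(render_object_group_config(SONICWALL_REMOTE, SONICWALL_LOCAL))
```

Run as-is, the audit shows that 172.16.20.0/24 is already paired with all twelve Sonicwall local networks, while 38 of the 60 pairs the Sonicwall will propose have no ACE (every pair for 10.0.6.10/32, ten for 10.0.4.0/24, eleven for 10.0.3.6/32 and five for 172.20.1.0/24), that the 10.0.3.0/24 line refers to a network the Sonicwall no longer lists, and that the `tcp ... eq 1001` line narrows a pair that already has a plain `permit ip` entry. The object-group output is the single-ACE form of the same 60-pair policy; the ASA expands it to the individual selectors at negotiation time, so the object-group contents still have to match the Sonicwall's lists exactly.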
06-09-2020 06:45 PM