Site to Site IPSec VPN setup between SonicWall and Cisco ASA firewall

03/26/2020 351 People found this article helpful 500,603 Views

Description

When configuring a Site-to-Site VPN tunnel in SonicOS Enhanced firmware using Main Mode both the SonicWall appliances and Cisco ASA firewall (Site A and Site B) must have a routable Static WAN IP address.

Network Setup

Site A	Site B
SonicWall	Cisco ASA
WAN IP: 116.6.209.250 LAN Subnet: 10.9.0.0/16	WAN IP: 121.12.156.162 LAN Subnet: 192.168.0.0/16

Deployment Steps

Creating Address Objects for VPN subnets
Configuring a VPN policy on Site A SonicWall
Configuring a VPN policy on Site B Cisco ASA
How to test this scenario

Resolution

Creating Address Objects for VPN subnets

Login to the SonicWall management Interface.
Navigate to Manage | Policies | Objects | Address Objects, click ADD button.
Configure the address objects as mentioned in the figure above, click Add and click Close when finished.

Configuring a VPN policy on Site A SonicWall

Navigate to Manage | Connectivity | VPN | Base Settings page. Click Add . The VPN Policy window is displayed.
Click General tab.
- Select IKE using Preshared Secret from the Authentication Method menu.
- Enter a name for the policy in the Name field.
- Enter the WAN IP address of the remote connection in the IPSec Primary GatewayName or Address field (Enter Site B's WAN IP address).
- Enter a Shared Secret password to be used to setup the Security Association the Shared Secret and confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters.
Click Network tab.
- Under Local Networks, select a local network from Choose local network from list: and select the address object HBMTLAN_10.9.0.0 (LAN Subnet).
- Under Remote Networks, select Choose destination network from list: and select the address object HBMTJM (Site B network).
Click Proposals tab.Keep this page as default.
Click Advanced tab.

Select Enable Keep Alive.

Configuring a VPN policy on Site B Cisco ASA

Cisco ASA configuration listed as below(lines marked red are vpn tunnel related).
ASA Version 8.2(1)
!
hostname HBMTJM
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 121.12.156.162 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
FTP mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 202.96.128.86
name-server 202.96.128.166
access-list HBMTDG-VPN extended permit ip 192.168.0.0 255.255.0.0 10.9.0.0
255.255.0.0
pager lines 24
logging console warnings
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list HBMTDG-VPN nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 121.12.156.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set hbmtvpn esp-des esp-md5-hmac    crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map HBMTJM 20 match address HBMTDG-VPN crypto map HBMTJM 20 set peer 116.6.209.250    crypto map HBMTJM 20 set transform-set hbmtvpn crypto map HBMTJM 20 set security-association lifetime seconds 28800 crypto map HBMTJM 20 set security-association lifetime kilobytes 4608000 crypto map HBMTJM interface outside crypto isakmp identity address    crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption des hash md5 group 2 lifetime 28800 telnet timeout 5 ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept tunnel-group 116.6.209.250 type ipsec-l2l tunnel-group 116.6.209.250 ipsec-attributes pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect FTP
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect NetBIOS
inspect FTP
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a3c37b8c9eb30664a6ac0425ab0b0777

How to test this scenario

Try to ping an IP address from Site A to Site B or Vise Versa.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

Site to Site IPSec VPN setup between SonicWall and Cisco ASA firewall

Description

Resolution

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch