Wednesday, May 13, 2020

Cisco ASA to Sonicwall VPN - can't get the Cisco to initiate the tunnel

I could use a brain check/fresh minds on this. Any Cisco gurus up tonight?

I've got a Cisco ASA 5516-X that is sitting behind the gateway (NATted), trying to establish a VPN to a Sonicwall with a public IP address. The Cisco has a private IP on its GigE1/1 / outside interface, and a /30 used on GigE 1/8 / mgmt and the FirePOWER module. The purpose is to create a VPN back to a private network on which sits an FMC environment.

I've built a bunch of tunnels Cisco > Sonicwall where both sides have public IPs. So many that it's beyond routine - I have a template. The problem I'm having is with the Cisco initiating.

My normal process is to turn on keep-alive in the Sonicwall, since it's just a checkbox and main mode/IKEv1; it's simple and straightforward. In this case I need to get the Cisco to establish the tunnel, and on that point I'm stumped.

I have my ACL, transform-set, crypto-map, NAT exclusion - I think everything is there. I can ping the SW's WAN from the Cisco CLI. PCAP in the SW doesn't show any attempts to even start phase 1.

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.0.208.75 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.250.0.1 255.255.255.0
!
///
!
interface GigabitEthernet1/8
 nameif mgmt
 security-level 100
 ip address 172.20.44.1 255.255.255.252
!
object network 172.20.44.0_30
 subnet 172.20.44.0 255.255.255.252
object network 172.25.0.0_16
 subnet 172.25.0.0 255.255.0.0
access-list 100 extended permit ip object 172.20.44.0_30 object 172.25.0.0_16
!
nat (mgmt,outside) source static 172.20.44.0_30 172.20.44.0_30 destination static 172.25.0.0_16 172.25.0.0_16 no-proxy-arp route-lookup
!
route outside 0.0.0.0 0.0.0.0 10.0.208.1 1
!
///
crypto ipsec ikev1 transform-set WORKVPN-TSET esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map WORKVPN-CMAP 20 match address 100
crypto map WORKVPN-CMAP 20 set pfs
crypto map WORKVPN-CMAP 20 set peer AAA.BBB.CCC.DDD
crypto map WORKVPN-CMAP 20 set ikev1 transform-set WORKVPN-TSET
crypto map WORKVPN-CMAP interface outside
!
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
///
tunnel-group AAA.BBB.CCC.DDD type ipsec-l2l
tunnel-group AAA.BBB.CCC.DDD ipsec-attributes
 ikev1 pre-shared-key *****
!
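As an added check (example code, not from the post or its author), the following Python script parses the pieces of an ASA IKEv1 site-to-site setup like the one above and reports any cross-reference that does not resolve: the crypto map's bound interface, its crypto ACL, the tunnel-group for its peer, its transform-set, and whether IKEv1 is enabled on that interface. The embedded config is a constructed cut-down of the one quoted above, and the peer keeps the post's AAA.BBB.CCC.DDD placeholder.

```python
import re
# Constructed sample cut down to the lines the cross-checks need, taken from the ASA
# config quoted in the post (the peer keeps the post's AAA.BBB.CCC.DDD placeholder).
ASA_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
access-list 100 extended permit ip object 172.20.44.0_30 object 172.25.0.0_16
crypto ipsec ikev1 transform-set WORKVPN-TSET esp-aes-256 esp-sha-hmac
crypto map WORKVPN-CMAP 20 match address 100
crypto map WORKVPN-CMAP 20 set peer AAA.BBB.CCC.DDD
crypto map WORKVPN-CMAP 20 set ikev1 transform-set WORKVPN-TSET
crypto map WORKVPN-CMAP interface outside
crypto ikev1 enable outside
tunnel-group AAA.BBB.CCC.DDD type ipsec-l2l
"""
# Definition type -> regex capturing the name it defines.
DEFS = {
    "nameif": r"nameif (\S+)",
    "access-list": r"access-list (\S+) ",
    "transform-set": r"crypto ipsec ikev1 transform-set (\S+)",
    "ipsec-l2l tunnel-group": r"tunnel-group (\S+) type ipsec-l2l",
    "ikev1 enable": r"crypto ikev1 enable (\S+)",
}
# Crypto-map attributes (with or without a sequence number) whose value is a reference.
MAP_ATTR = r"crypto map (\S+) (?:\d+ )?(interface|match address|set peer|set ikev1 transform-set) (\S+)"
# (crypto-map attribute, definition type its value must exist as)
NEEDS = [("interface", "nameif"), ("interface", "ikev1 enable"),
         ("match address", "access-list"), ("set peer", "ipsec-l2l tunnel-group"),
         ("set ikev1 transform-set", "transform-set")]

def parse(config):
    """Collect defined names per type and the attributes of each crypto map."""
    defs, maps = {kind: set() for kind in DEFS}, {}
    for line in map(str.strip, config.splitlines()):
        for kind, rx in DEFS.items():
            if m := re.match(rx, line):
                defs[kind].add(m.group(1))
        if m := re.match(MAP_ATTR, line):
            maps.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return defs, maps

def check(config):
    """Return dangling references; an empty list means every piece lines up."""
    defs, maps = parse(config)
    problems = []
    for name, attrs in maps.items():
        for attr, kind in NEEDS:
            if attrs.get(attr) not in defs[kind]:
                problems.append(f"{name}: '{attr} {attrs.get(attr)}' has no matching {kind}")
    return problems
```

`check(ASA_CONFIG)` returns an empty list for the config above; it only confirms the references resolve, and says nothing about whether interesting traffic ever reaches the crypto map.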

Anyone know the CLI command to convince the ASA to make the first move? I'm sure I can figure it out from there. TIA.
