Site to Site IPSec VPN setup between SonicWall and Cisco ASA firewall

03/26/2020


    Description

    When configuring a Site-to-Site VPN tunnel in SonicOS Enhanced firmware using Main Mode, both the SonicWall appliance and the Cisco ASA firewall (Site A and Site B) must have a routable static WAN IP address.


    Network Setup

    Site A (SonicWall):  WAN IP 116.6.209.250   LAN Subnet 10.9.0.0/16
    Site B (Cisco ASA):  WAN IP 121.12.156.162  LAN Subnet 192.168.0.0/16


    Deployment Steps

    • Creating Address Objects for VPN subnets
    • Configuring a VPN policy on Site A SonicWall
    • Configuring a VPN policy on Site B Cisco ASA
    • How to test this scenario

    Resolution

    Creating Address Objects for VPN subnets

    1. Log in to the SonicWall management interface.
    2. Navigate to Manage | Policies | Objects | Address Objects and click the ADD button.
    3. Configure the address objects as shown in the figure (one for the local LAN subnet and one for the Site B subnet), click Add, and click Close when finished.

    Configuring a VPN policy on Site A SonicWall

    1. Navigate to the Manage | Connectivity | VPN | Base Settings page. Click Add. The VPN Policy window is displayed.
    2. Click the General tab.
      • Select IKE using Preshared Secret from the Authentication Method menu.
      • Enter a name for the policy in the Name field.
      • Enter the WAN IP address of the remote connection in the IPSec Primary Gateway Name or Address field (enter Site B's WAN IP address).
      • Enter a Shared Secret password to be used to set up the Security Association in the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters.
    3. Click the Network tab.
      • Under Local Networks, select Choose local network from list: and select the address object HBMTLAN_10.9.0.0 (LAN Subnet).
      • Under Remote Networks, select Choose destination network from list: and select the address object HBMTJM (Site B network).
    4. Click the Proposals tab. Keep this page at its defaults.
    5. Click the Advanced tab.
      • Select Enable Keep Alive.

    Configuring a VPN policy on Site B Cisco ASA

    • The Cisco ASA configuration is listed below. In the original article the VPN tunnel related lines were highlighted in red; they are the access-list, the nat (inside) 0 exemption, the crypto ipsec / crypto map / crypto isakmp lines and the tunnel-group lines.
      ASA Version 8.2(1)   
      ! 
      hostname HBMTJM 
      ! 
      interface Ethernet0/0 
       nameif outside 
        security-level 0 
        ip address 121.12.156.162 255.255.255.248   
      ! 
      interface Ethernet0/1 
       nameif inside 
        security-level 100 
        ip address 192.168.1.254 255.255.255.0   
      ! 
      ftp mode passive 
      dns domain-lookup outside 
      dns domain-lookup inside 
      dns server-group DefaultDNS 
       name-server 202.96.128.86 
       name-server 202.96.128.166 
      access-list HBMTDG-VPN extended permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0   
      pager lines 24 
      logging console warnings 
      mtu outside 1500 
      mtu inside 1500 
      icmp unreachable rate-limit 1 burst-size 1 
      no asdm history enable 
      arp timeout 14400 
      global (outside) 1 interface 
      nat (inside) 0 access-list HBMTDG-VPN 
      nat (inside) 1 192.168.1.0 255.255.255.0 

      route outside 0.0.0.0 0.0.0.0 121.12.156.161 1 
      timeout xlate 3:00:00 
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 
      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute 
      timeout tcp-proxy-reassembly 0:01:00 
      dynamic-access-policy-record DfltAccessPolicy 
      no snmp-server location 
      no snmp-server contact 
      snmp-server enable traps snmp authentication linkup linkdown coldstart 
      crypto ipsec transform-set hbmtvpn esp-des esp-md5-hmac   
      crypto ipsec security-association lifetime seconds 28800 
      crypto ipsec security-association lifetime kilobytes 4608000 
      crypto map HBMTJM 20 match address HBMTDG-VPN 
      crypto map HBMTJM 20 set peer 116.6.209.250   
      crypto map HBMTJM 20 set transform-set hbmtvpn 
      crypto map HBMTJM 20 set security-association lifetime seconds 28800 
      crypto map HBMTJM 20 set security-association lifetime kilobytes 4608000 
      crypto map HBMTJM interface outside 
      crypto isakmp identity address   
      crypto isakmp enable outside 
      crypto isakmp policy 10 
       authentication pre-share 
       encryption des 
       hash md5 
       group 2 
        lifetime 28800 
      telnet timeout 5 
      ssh timeout 5 
      console timeout 0 
      threat-detection basic-threat 
      threat-detection statistics access-list 
      no threat-detection statistics tcp-intercept 
      tunnel-group 116.6.209.250 type ipsec-l2l 
      tunnel-group 116.6.209.250 ipsec-attributes 
       pre-shared-key * 

      ! 
      class-map inspection_default 
       match default-inspection-traffic 
      ! 
      ! 
      policy-map type inspect dns preset_dns_map 
       parameters 
         message-length maximum 512 
      policy-map global_policy 
        class inspection_default 
          inspect dns preset_dns_map    
          inspect ftp   
          inspect h323 h225   
          inspect h323 ras   
          inspect rsh   
          inspect rtsp   
          inspect esmtp   
          inspect sqlnet   
          inspect skinny     
          inspect sunrpc   
          inspect xdmcp   
          inspect sip     
          inspect netbios   
          inspect tftp   
      ! 
      service-policy global_policy global 
      prompt hostname context   
      Cryptochecksum:a3c37b8c9eb30664a6ac0425ab0b0777 
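Reading the ASA side by hand leaves two questions open: whether the crypto map is wired up consistently (ACL defined, NAT-exempted with nat 0, peer bound to an ipsec-l2l tunnel-group, map applied to an interface) and whether the algorithms it negotiates are ones you would still accept. The following is an added Python example, not code from SonicWall or the article, that runs those checks over the tunnel-related lines above; the WEAK set is an assumed baseline and the names grab and audit_asa_vpn are the example's own.

```python
import re
# Constructed excerpt: the tunnel-related lines of the Cisco ASA config shown in this article.
ASA_CONFIG = """\
access-list HBMTDG-VPN extended permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
nat (inside) 0 access-list HBMTDG-VPN
crypto ipsec transform-set hbmtvpn esp-des esp-md5-hmac
crypto map HBMTJM 20 match address HBMTDG-VPN
crypto map HBMTJM 20 set peer 116.6.209.250
crypto map HBMTJM 20 set transform-set hbmtvpn
crypto map HBMTJM interface outside
crypto isakmp policy 10
 encryption des
 hash md5
 group 2
tunnel-group 116.6.209.250 type ipsec-l2l
"""
# Assumed baseline (not from the article): algorithms and DH groups to reject for a new tunnel.
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "group 1", "group 2", "group 5"}

def grab(lines, pattern):
    """Capture groups of every config line matching pattern (anchored at line start)."""
    return [m.groups() for m in (re.match(pattern, l) for l in lines) if m]

def audit_asa_vpn(cfg):
    """Check crypto-map wiring and algorithm strength; return a list of findings (empty = clean)."""
    lines, out = [l.rstrip() for l in cfg.splitlines() if l.strip()], []
    acls = {g[0] for g in grab(lines, r"access-list (\S+) extended")}
    nat0 = {g[0] for g in grab(lines, r"nat \(\S+\) 0 access-list (\S+)")}
    bound = {g[0] for g in grab(lines, r"crypto map (\S+) interface \S+")}
    l2l = {g[0] for g in grab(lines, r"tunnel-group (\S+) type ipsec-l2l")}
    tsets = {n: a.split() for n, a in grab(lines, r"crypto ipsec transform-set (\S+) (.+)")}
    for name, seq, acl in grab(lines, r"crypto map (\S+) (\d+) match address (\S+)"):
        if acl not in acls:
            out.append(f"crypto map {name} {seq}: ACL {acl} is not defined")
        if acl not in nat0:  # without nat 0 the interesting traffic is NATed before encryption
            out.append(f"crypto map {name} {seq}: ACL {acl} has no nat 0 exemption")
        if name not in bound:
            out.append(f"crypto map {name}: not applied to any interface")
    for (ts,) in grab(lines, r"crypto map \S+ \d+ set transform-set (\S+)"):
        out += [f"transform-set {ts}: weak {alg}" for alg in tsets.get(ts, []) if alg in WEAK]
    for (peer,) in grab(lines, r"crypto map \S+ \d+ set peer (\S+)"):
        if peer not in l2l:
            out.append(f"peer {peer}: no 'tunnel-group {peer} type ipsec-l2l' to hold the pre-shared key")
    policy = None  # phase-1 attributes are the indented lines under 'crypto isakmp policy N'
    for l in lines:
        m = re.match(r"crypto isakmp policy (\d+)", l)
        policy = m.group(1) if m else (policy if l.startswith(" ") else None)
        if policy and not m and (l.strip() in WEAK or l.split()[-1] in WEAK):
            out.append(f"isakmp policy {policy}: weak {l.strip()}")
    return out
```

Run against the article's excerpt it reports no wiring problems but five weak-algorithm findings (DES, MD5 and DH group 2 in phase 1; esp-des and esp-md5-hmac in phase 2), which is what you would expect from an ASA 8.2 era example.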

    How to test this scenario

    • Try to ping an IP address from Site A to Site B or vice versa.

    Categories

    • Firewalls > NSa Series > VPN
    • Firewalls > NSv Series > VPN
    • Firewalls > TZ Series > VPN
