Site to Site IPSec VPN setup between SonicWall and Cisco ASA firewall

03/26/2020 234 39918

DESCRIPTION:

When configuring a Site-to-Site VPN tunnel in SonicOS Enhanced firmware using Main Mode both the SonicWall appliances and Cisco ASA firewall (Site A and Site B) must have a routable Static WAN IP address. 

Network Setup

Deployment Steps

• Creating Address Objects for VPN subnets
• Configuring a VPN policy on Site A SonicWall
• Configuring a VPN policy on Site B Cisco ASA
• How to test this scenario

RESOLUTION:

Creating Address Objects for VPN subnets

1. Login to the SonicWall management Interface.
2. Navigate to Manage | Policies | Objects | Address Objects, click ADD button.
3. Configure the address objects as mentioned in the figure above, click Add and click Close when finished. 
   
   

Configuring a VPN policy on Site A SonicWall

1. Navigate to Manage | Connectivity | VPN | Base Settings page. Click Add . The VPN Policy window is displayed.
2. Click General tab.
   
   
   1. 
      
   • Select IKE using Preshared Secret from the Authentication Method menu.
   • Enter a name for the policy in the Name field.
   • Enter the WAN IP address of the remote connection in the IPSec Primary GatewayName or Address field (Enter Site B's WAN IP address).
   • Enter a Shared Secret password to be used to setup the Security Association the Shared Secret and confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters.
3. Click Network tab.
   
   
   
   
   • Under Local Networks, select a local network from Choose local network from list: and select the address object HBMTLAN_10.9.0.0 (LAN Subnet).
   • Under Remote Networks, select Choose destination network from list: and select the address object HBMTJM (Site B network).
4. Click Proposals tab.Keep this page as default.
   
   
   
5. Click Advanced tab.

• Select Enable Keep Alive.
  
  
  

Configuring a VPN policy on Site B Cisco ASA

• Cisco ASA configuration listed as below(lines marked red are vpn tunnel related).
  ASA Version 8.2(1)   
  ! 
  hostname HBMTJM 
  ! 
  interface Ethernet0/0 
   nameif outside 
    security-level 0 
    ip address 121.12.156.162 255.255.255.248   
  ! 
  interface Ethernet0/1 
   nameif inside 
    security-level 100 
    ip address 192.168.1.254 255.255.255.0   
  ! 
  FTP mode passive 
  dns domain-lookup outside 
  dns domain-lookup inside 
  dns server-group DefaultDNS 
   name-server 202.96.128.86 
   name-server 202.96.128.166 
  access-list HBMTDG-VPN extended permit ip 192.168.0.0 255.255.0.0 10.9.0.0 
  255.255.0.0   
  pager lines 24 
  logging console warnings 
  mtu outside 1500 
  mtu inside 1500 
  icmp unreachable rate-limit 1 burst-size 1 
  no asdm history enable 
  arp timeout 14400 
  global (outside) 1 interface 
  nat (inside) 0 access-list HBMTDG-VPN 
nat (inside) 1 192.168.1.0 255.255.255.0 
  route outside 0.0.0.0 0.0.0.0 121.12.156.161 1 
  timeout xlate 3:00:00 
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 
  0:05:00 
  timeout  sip  0:30:00  sip_media  0:02:00  sip-invite  0:03:00  sip-disconnect  
  0:02:00 
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute 
  timeout tcp-proxy-reassembly 0:01:00 
  dynamic-access-policy-record DfltAccessPolicy 
  no snmp-server location 
  no snmp-server contact 
  snmp-server enable traps snmp authentication linkup linkdown coldstart 
  crypto ipsec transform-set hbmtvpn esp-des esp-md5-hmac   
crypto ipsec security-association lifetime seconds 28800 
crypto ipsec security-association lifetime kilobytes 4608000 
crypto map HBMTJM 20 match address HBMTDG-VPN 
crypto map HBMTJM 20 set peer 116.6.209.250   
crypto map HBMTJM 20 set transform-set hbmtvpn 
crypto map HBMTJM 20 set security-association lifetime seconds 28800 
crypto map HBMTJM 20 set security-association lifetime kilobytes 4608000 
crypto map HBMTJM interface outside 
crypto isakmp identity address   
crypto isakmp enable outside 
crypto isakmp policy 10 
 authentication pre-share 
 encryption des 
 hash md5 
 group 2 
  lifetime 28800 
telnet timeout 5 
ssh timeout 5 
console timeout 0 
threat-detection basic-threat 
threat-detection statistics access-list 
no threat-detection statistics tcp-intercept 
tunnel-group 116.6.209.250 type ipsec-l2l 
tunnel-group 116.6.209.250 ipsec-attributes 
 pre-shared-key * 
  ! 
  class-map inspection_default 
   match default-inspection-traffic 
  ! 
  ! 
  policy-map type inspect dns preset_dns_map 
   parameters 
     message-length maximum 512 
  policy-map global_policy 
    class inspection_default 
      inspect dns preset_dns_map    
      inspect FTP   
      inspect h323 h225   
      inspect h323 ras   
      inspect rsh   
      inspect rtsp   
      inspect esmtp   
      inspect sqlnet   
      inspect skinny     
      inspect sunrpc   
      inspect xdmcp   
      inspect sip     
      inspect NetBIOS   
      inspect FTP   
  ! 
  service-policy global_policy global 
  prompt hostname context   
  Cryptochecksum:a3c37b8c9eb30664a6ac0425ab0b0777 
  
  

How to test this scenario

• Try to ping an IP address from Site A to Site B or Vise Versa.