Month: August 2018

Routing on SonicWall doesn’t work

Situation: the client created VLANs in their network and configured routing on SonicWall, but the routing doesn’t work and VoIP VLAN can’t access the Internet and data VLAN can’t access the VoIP VLAN.

Troubleshooting: The gateway they tried to add for the routing policy is using VLAN VoIP Ip address (192.169.20.1) on the switch instead of data VLAN IP address (192.168.16.64).


Since the default gateway is in the data VLAN (192.168.16.1), we create a new network object using switch data IP address (192.168.16.64) and replace the IP address 192.168.20.1. That fixes the problem

More details can be found this link: How to configure routing on SonicWall

How to configure routing on SonicWall

Situation: The client create two VLAN, VLAN 1 (192.168.16.0/24) for data and VLAN 30 (192.168.20.0/240 for VoIP. They  would like the VoIP access to the Internet and VLAN 1 can 1. Add VLAN 30 network to the Address Objects in SonicWALL by going to Network>Address Objects. Enter VLAN30 as Name, select LAN as Zone Assignment, Type=Network, Network=192.168.20.0, Netmask 255.255.255.0.

2. Address Objects in SonicWALL by going to Network>Address Objects. access VLAN 30. Enter Name (TopSW2 in our example), Zone Assignment (LAN=VLAN 1), Type (host, don’t put network here because this is for routing), IP address (192.168.16.64 which is VLAN 1  IP address for the switch. Don’t put VLAN 30 IP address here, otherwise the router doesn’t know to route the traffics).

3. Click Routing under network.

4. Click Add under Route Policies. Enter or select these info: Source=Any, Destination=VALN30, Service=Any, Gateway=TpSW2 (which we added above), Interface=X0 (which SonicWALL connecting to VLAN 1).

5. Click OK to save the configuration.

6. Test it.

VPN Client access second office in site to site VPN

The client has a site to site VPN connecting two offices. When owner uses VPN client establishing connection to one of office (OfficeA), he can’t RDP to the servers in second office (OfficeB). I assume we need to add NAT and access list, but don’t know how to do it. I know little about ASDM. Attached is the configuration file. Any help will be appreciated. This is configuration
name 172.31.31.0 inside-voice
name 10.100.1.0 anyconnect-network description anyconnect dhcp pool network
name 192.168.1.2 CallManager description Call Manager Express
ip local pool IPSEC_DHCP 192.168.200.100-192.168.200.200 mask 255.255.255.0
ip local pool anyconnect_pool 10.100.1.1-10.100.1.25 mask 255.255.255.0
access-list inside_access_in extended permit ip any4 any4
access-list inside_access_in extended permit icmp any4 any4
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.34.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.34.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 172.34.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object anyconnect-network
access-list remote_VPN extended permit ip 192.168.0.0 255.255.0.0 any4
access-list remote_VPN extended permit ip 172.31.0.0 255.255.0.0 any4
access-list remote_VPN extended permit ip 10.254.254.0 255.255.255.0 any4
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit ip any4 host x.x.2.138
access-list outside_access_in extended permit icmp any4 host x.x.2.138
access-list outside_access_in extended permit ip host x.x.193.56 any4
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group momentum_networks object CallManager
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-172.31.0.0 obj-172.31.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-172.31.0.0 obj-172.31.0.0 destination static obj-172.34.0.0 obj-172.34.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-172.34.0.0 obj-172.34.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static anyconnect-network anyconnect-network no-proxy-arp route-lookup
nat (inside,4G-LTE) source static CallManager interface service CME1 CME1
nat (inside,outside) source static CallManager interface service CME1 CME1
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.2.142 1 track 1
route 4G-LTE 0.0.0.0 0.0.0.0 192.168.101.1 254
route inside 10.254.254.0 255.255.255.0 CallManager 1
route inside inside-voice 255.255.255.0 CallManager 1
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer x.x.76.27
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint localtrust
enrollment self
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint6
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint7
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn bobvpn.chicagotech.com
subject-name CN=bobvpn.ms-mvps.com,O=”chicagotech”,C=US,St=IL
keypair bobanyconnect
crl configure
crypto ca trustpoint ASDM_TrustPoint8
crl configure
crypto ca trustpoint ASDM_TrustPoint9
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint10
crl configure
crypto ca trustpoint ASDM_TrustPoint11
crl configure
crypto ca trustpoint ASDM_TrustPoint12
enrollment terminal
subject-name CN=chicagotech
keypair bobvpn.ms-mvps.com
crl configure
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
crypto ikev1 policy 25
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65010
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647