I configured a static Site-to-Site IPsec VPN tunnel between the Cisco ASA firewall and the Palo Alto next generation firewall. If the same phase 1 & 2 parameters are used and the correct Proxy IDs are entered, the VPN works without any problems, though the ASA uses a policy-based VPN while the PA implements a route-based VPN.
We have a Cisco ASA providing multiple site tunnels to our clients. Most of our employees use standard VPN client connections to the ASA.
However, we also want to allow employees who have a static connection or multiple PCs to use a site tunnel.
How can we allow traffic from Employee1 thru X <-> Cisco ASA <-> All Customer Tunnels, whilst not allowing CustomerA Tunnel <-> Cisco ASA <-> CustomerB Tunnel?
Chromablue
1 Answer
Something along these lines -

192.168.168.0/24 seems a bit smallish; if you need to, then make an object-group for them too.
And if you have any NAT whatsoever going on, which you probably do since you're using RFC1918 ranges, you need NAT exemptions all around, matching all the traffic in your crypto ACLs.
Of course, you'll need to configure the remote VPN endpoint at the employee's location to have the client networks as a remote network, matching the crypto ACL for the site-to-site connection to them.
Shane Madden ♦
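The pattern the answer describes (per-tunnel crypto ACLs that only ever pair employee networks with one customer network, NAT exemptions mirroring them, and a hairpin for decrypted employee traffic), written out as an added ASA 8.4+ configuration example; this is not the answer's own config. The employee subnet 192.168.168.0/24 is taken from the answer; the customer subnets, peer addresses and object names are constructed, and IKE policies and tunnel-groups with pre-shared keys are not shown.

```cisco
! Added example, not the original answer's configuration. Assumed values:
! employee site 192.168.168.0/24, CustomerA 10.10.0.0/16, CustomerB 10.20.0.0/16,
! customer peers 198.51.100.10 / .20, employee-site peer 203.0.113.5.
!
! Employee traffic is decrypted on outside and must re-enter outside to reach
! a customer tunnel, so hairpinning on a single interface has to be allowed.
same-security-traffic permit intra-interface

object-group network EMPLOYEE-NETS
 network-object 192.168.168.0 255.255.255.0
object-group network CUSTOMER-NETS
 network-object 10.10.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.0.0
object network CUSTOMER-A-NET
 subnet 10.10.0.0 255.255.0.0
object network CUSTOMER-B-NET
 subnet 10.20.0.0 255.255.0.0

! Crypto ACLs (source = ASA-local side, destination = remote side).
! Each customer tunnel carries employee <-> that one customer only. No ACL
! pairs CustomerA-net with CustomerB-net, so that traffic never matches a
! crypto map entry and is never encrypted into another customer's tunnel.
access-list VPN-CUSTA extended permit ip object-group EMPLOYEE-NETS object CUSTOMER-A-NET
access-list VPN-CUSTB extended permit ip object-group EMPLOYEE-NETS object CUSTOMER-B-NET
! Employee-site tunnel: from the ASA's view the "local" side is all customer nets.
! The employee-site endpoint must mirror this (customer nets as its remote network).
access-list VPN-EMP1 extended permit ip object-group CUSTOMER-NETS object-group EMPLOYEE-NETS

! NAT exemption covering every crypto ACL above. The hairpinned flows enter and
! leave on outside, so the exemption is (outside,outside); static twice NAT is
! bidirectional, so one statement covers both directions.
nat (outside,outside) source static EMPLOYEE-NETS EMPLOYEE-NETS destination static CUSTOMER-NETS CUSTOMER-NETS no-proxy-arp route-lookup

! One crypto map on outside, one sequence number per peer.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-CUSTA
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 20 match address VPN-CUSTB
crypto map OUTSIDE-MAP 20 set peer 198.51.100.20
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 30 match address VPN-EMP1
crypto map OUTSIDE-MAP 30 set peer 203.0.113.5
crypto map OUTSIDE-MAP 30 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
```

To verify the isolation, `show crypto ipsec sa` on the ASA should list only employee/customer proxy pairs per peer; a CustomerA-to-CustomerB flow should appear in neither tunnel's SA.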
Posted by CCNA 3 years ago
Title is basically it. I have several Sonicwalls set up using the Site-to-Site configuration which is very simple, but doesn't allow for 'Advanced' routing to work across it, which would really improve our connectivity. I am wondering if I can set up the tunnel interface at the same time as the site-to-site config is active, or if I have to disable the site-to-site stuff first. Tunnel interface configuration is well documented on the webs, so I'm not worried about that, just wondering if I can run both at the same time or not.
Secondarily, I have two WAN connections at each location, so would I need to create two VPN policies for each possible connection?
Example:
Site A has WAN Primary IP of 1.1.1.1
Site A has WAN Backup IP of 2.2.2.2
Site B has WAN Primary IP of 3.3.3.3
Site B has WAN Backup IP of 4.4.4.4
Should I create four tunnel interfaces on each Sonicwall? That is:
1.1.1.1 -> 3.3.3.3 (metric = 1)
1.1.1.1 -> 4.4.4.4 (metric = 3)
2.2.2.2 -> 3.3.3.3 (metric = 2)
2.2.2.2 -> 4.4.4.4 (metric = 4)
Then I could add each Tunnel interface to OSPF. At that point I'm thinking I would need to define a metric for each interface, which appears to default to Undefined when you activate OSPF on an interface; I put in parentheses how I might define them. There is also a Router Priority, but I'm guessing that is referring to Designated Router status, which I'm not worried about. If I don't need to create 4 tunnel interfaces, is there a section to specify a backup IP? I only noticed a field for Primary IP.
The goal here is to share the routes of each Sonicwall's local subnets across the VPN dynamically. Using the Site-to-Site configuration 'works,' but whenever I add a new subnet I have to make sure that the network is added as an address object and then added to the VPN policy. That in and of itself isn't so bad, but I have a few subnets that are part of the VPN policy on both sides but aren't routing across the link (or rather, aren't routing from all sites, it's only partial). Further, I don't like how routes that are originating over the VPN don't show up under the Route Policies on the Network->Routing page.
If anyone knows a way to show the entire Sonicwall routing table under one consolidated view, that would be great.
Thanks