SonicWALL Security Appliances and Cisco VPN 3000 Series Concentrators

Transcription

1 VPN Interoperability SonicWALL Security Appliances and Cisco VPN 3000 Series Concentrators Introduction This Tech Note details how to configure a working VPN tunnel between a SonicWALL security appliance running SonicOS and a Cisco 3000-series VPN Concentrator (3005, 3015, 3020, 3030, 3060). The following deployment scenarios are covered: 1. SonicOS Standard to Cisco, both sides have static WAN IP address 2. SonicOS Enhanced to Cisco, both sides have static WAN IP address 3. SonicOS Standard to Cisco, SonicWALL has dynamically-obtained WAN IP address For this Tech Note, a Cisco 3005 running firmware, a SonicWALL TZ 170 running SonicOS Standard , a SonicWALL PRO 2040 running SonicOS Enhanced , and a SonicWALL TZ 170 running SonicOS Standard were used to validate all settings and configuration documented in this Tech Note. For the first two deployment scenarios, bidirectional negotiation was successful; in the third, negotiation from the SonicWALL to the Cisco was successful. In all cases, the tunnels remained up and passed traffic through multiple SA renegotiations (testing time was 72 hours). Recommended Versions SonicOS Standard or newer SonicOS Enhanced or newer Cisco 3000-Series or newer Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at Updated firmware is also freely available to customers who have registered the SonicWALL device on MySonicWALL for the first 90 days. Customers with a valid Cisco SmartNET support contract can obtain firmware for the Cisco 3000-series devices from Cisco s support Website. Caveats Cisco and SonicWALL use incompatible methods of NAT Traversal, so this feature must be disabled on both sides. Cisco and SonicWALL use incompatible methods of IKE Dead Peer Detection, so this feature must be disabled on both sides. The LAN-to-LAN connector on the Cisco 3000-series does not accept fully-qualified domain names (FQDNs), nor does it accept as an entry. This means that you must explicitly enter the static WAN IP address of the remote SonicWALL device, so the DDNS feature in SonicOS cannot be used to specify the remote SonicWALL s WAN address. If the SonicWALL has a dynamically-obtained WAN IP address, you must configure the Cisco 3000-series s Base Group connector how to do so is covered in Scenario Three of this Tech Note. You cannot set the local or peer IKE ID s on the Cisco 3000-series device. You cannot specify Aggressive Mode when using the LAN-to-LAN connector on the Cisco 3000-series device. You cannot use the NetBIOS Broadcast feature of the SonicWALL security appliance across the VPN tunnel to the Cisco 3000-series device. You cannot use digital certificates during IKE negotiation between a Cisco 3000-series and SonicWALL device; only preshared key (PSK) is supported at this time. Use the keepalive feature on the SonicWALLs to keep the VPN tunnels permanently negotiated between both sides.

2 If you have multiple subnets on your internal network that devices behind the remote SonicWALL security appliances will need to be able to reach, you will need to do two things: (1) make sure to route the SonicWALL s LAN-side subnets to point to the LAN interface of the Cisco 3000-series device, as this device is often placed inline or on a DMZ of an existing firewall, and (2) make sure to include these subnets as remote destination networks when configuring the VPN settings of the SonicWALL device. How to do so is covered in Scenarios Two and Three of this document. If either side is behind a NAT device, and the SonicWALL is running SonicOS Enhanced, make sure to adjust the appropriate local/peer ID to that of the WAN address. SonicWALL security appliances do not support Cisco s Reverse Route Injection and Network AutoDiscovery features for VPN tunnels. Sample Network Diagram For All Three Deployment Scenarios Figure 1 Sample network for Cisco/SonicWALL VPN tunnel showing three deployment methods

3 Scenario One: SonicOS Standard to Cisco, both sides have static WAN IP address This deployment method shows how to set up a VPN tunnel between a SonicWALL security appliance running SonicOS Standard or newer and a Cisco VPN 3000 Series Concentrator running firmware or newer. Both sides have statically-assigned WAN IP addresses and are negotiating multiple subnets across the VPN tunnel. The Cisco has two subnets behind the LAN interface and the SonicWALL has one subnet behind the LAN interface (the OPT port is not active and not configured). Tasklist Enable VPN on SonicWALL (if it is not already) Disable NAT Traversal and IKE Dead Peer Detection on SonicWALL Create VPN tunnel to Cisco side on SonicWALL Create IKE entry to match SonicWALL settings on Cisco Create internal networks list on Cisco Disable NAT Traversal on Cisco Create VPN tunnel to SonicWALL side on Cisco Test VPN tunnel negotiation from each side Check each side s status screens for successful VPN tunnel negotiation Before You Begin As noted in the Recommended Versions section, SonicWALL recommends running SonicOS Standard or newer on the SonicWALL security appliance. On the Cisco VPN 3000 Series concentrator, it is recommended that you run firmware or newer, as some of the features detailed in this Tech Note were released with this version. For testing purposes, you may wish to place a management station or laptop behind the LAN interfaces of all sites. This will greatly aid successful testing/troubleshooting of the VPN configuration between the central and remote sites. Setup Steps SonicWALL Side 1. Log into the SonicWALL s management GUI, go to the VPN > Settings page, and make sure the checkbox next to Enable VPN is checked. 2. On the VPN > Advanced page, uncheck the boxes next to Enable NAT Traversal and Enable IKE Dead Peer Detection. Leave all other settings as-is. For an example, see Figure 2. Figure 2 SonicWALL VPN > Advanced settings page

4 3. On the VPN > Settings page, click on the Add button under the VPN Policies section. A pop-up window will appear. On this window s General tab, select IKE using Preshared Secret from the drop-down next to IPSec Keying Mode:, enter a name for the VPN tunnel in the field next to Name:, enter the Cisco s static WAN IP address or fully-qualified domain name (FQDN), and enter in a complex shared secret in the field next to Shared Secret: (remember this as you will need to enter this on the Cisco as well). Click on the Add button under Destination Networks and create entries for each subnet behind the Cisco. For an example, see Figure 3. Figure 3 VPN Settings General tab 4. Now click on the Proposals tab. For this Tech Note, we will be using the default settings of the SonicWALL, and adjusting the Cisco device to match. For an example, see Figure 4. Figure 4 VPN Settings Proposals tab

5 5. Now click on the Advanced tab. Check the boxes next to Enable Keep Alive and Try to bring up all possible Tunnels. Leave all other settings as-is. For an example, see Figure 5. Figure 5 VPN Settings Advanced tab 6. When done, click on the OK button to save and activate this VPN tunnel. In the next several steps, we ll configure the Cisco device, and then test VPN tunnel negotiation from both sides to ensure that both devices are configured correctly and traffic can successfully pass in both directions. Cisco Side 7. Log into the Cisco s management GUI. Go to the Configuration > Tunneling and Security > IPSec > NAT Transparency page and uncheck the boxes next to IPSec over TCP and IPSec over NAT-T. For an example, see Figure 6. Figure 6 Cisco NAT Transparency settings 8. Go to the Configuration > Tunneling and Security > IPSec > IKE Proposals page and click on the Add button. Create a proposal named sonicwall select Preshared Keys from the drop-down next to Authentication Mode, select SHA/HMAC-160 from the drop-down next to Authentication Algorithm, select 3DES-168 from the dropdown next to Encryption Algorithm, select Group 2 (1024-bits) from the drop-down next to Diffie-Hellman Group, select Time from the drop-down next to Lifetime Measurement, and enter in the field next to Time Lifetime. When done, click on the Apply button to save and activate this entry (NOTE: make sure to move this entry to the Active Proposals side of the IKE Proposals page). For an example, see Figure 7.

6 Figure 7 Cisco IKE Proposals page 9. Go to the Configuration > Policy Management > Traffic Management > Network Lists page and click on the Add button. Create a list named internal and populate it with the subnets behind the Cisco s LAN interface that the SonicWALL will need to access. Make sure to use wildcard masks and not subnet masks for all entries. When done, click on the Apply button to save and activate the entry. For an example, see Figure 8. Figure 8 Cisco Network Lists page 10. Go to the Configuration > Tunneling and Security > IPSec > LAN-to-LAN page and click on the Add button. On the page that appears, check the box next to Enable and give the entry a unique name in the field next to Name. Choose the Cisco s WAN interface from the drop-down next to Interface. Choose Bi-directional from the drop-down next to Connection Type. In the field next to Peers, enter in the static WAN IP address of the SonicWALL security appliance (as noted previously, you can only enter a static IP address and not a FQDN or ). Choose None (Use Preshared Keys from the drop-down next to Digital Certificate. Enter the complex preshared key you created in Step 3 in the field next to Preshared Key. Choose ESP/SHA/HMAC-160 from the drop-down next to Authentication. Choose 3DES-168 from the drop-down next to Encryption. Choose sonicwall from the drop-down next to IKE Proposal. Leave the settings for Filter, IPSec NAT-T, Bandwidth Policy, and Routing as-is. For an example, see Figure 9.

7 Figure 9 Cisco LAN-to-LAN page 11. On this same page, select internal from the drop-down next to the Local Network s Network List (or, whatever you named it when you created it in a previous step). In the field next to IP address under Remote Network, enter in the SonicWALL s LAN IP subnet, and enter its subnet in the field next to Wildcard Mask. When done, click on the Add button to save and activate this VPN tunnel. For an example, see Figure 10 below. Figure 10 Cisco LAN-to-LAN page, continued Testing/Troubleshooting From the management station on the Cisco side, attempt to ping the management station on the SonicWALL side. If not successful, review all steps above to ensure that the devices have been configured correctly. Once the tunnel is up successfully, log into the management GUIs of both devices. On the SonicWALL, go to the VPN > Settings page you should see all subnets successfully negotiated under the Currently Active VPN Tunnels section of the page. On the Cisco, go to the Monitoring > Sessions page you should see the LAN-to-LAN session enabled and active. For examples, see Figures 11 and 12.

8 Figure 11 SonicWALL VPN status page showing active tunnels Figure 12 Cisco VPN status page showing active tunnels

9 Scenario Two: SonicOS Enhanced to Cisco, both sides have static WAN IP address This deployment method shows how to set up a VPN tunnel between a SonicWALL security appliance running SonicOS Enhanced or newer and a Cisco VPN 3000 Series Concentrator running firmware or newer. Both sides have statically-assigned WAN IP addresses and are negotiating multiple subnets across the VPN tunnel. The Cisco has two subnets behind the LAN interface and the SonicWALL has two subnets (one behind the LAN interface and one behind the DMZ interface). Tasklist Enable VPN on SonicWALL (if it s not already) Disable NAT Traversal and IKE Dead Peer Detection on SonicWALL Create Address Objects for Cisco-side subnets on SonicWALL Create Address Group with Cisco-side subnets on SonicWALL Create VPN tunnel to Cisco side on SonicWALL Create IKE entry to match SonicWALL settings on Cisco Create internal/external networks lists on Cisco Disable NAT Traversal on Cisco Create VPN tunnel to SonicWALL side on Cisco Test VPN tunnel negotiation from each side Check each side s status screens for successful VPN tunnel negotiation Before You Begin As noted in the Recommended Versions section, SonicWALL recommends running SonicOS Enhanced or newer on the SonicWALL security appliance. On the Cisco VPN 3000 Series concentrator, it is recommended that you run firmware or newer, as some of the features detailed in this document were released with this version. For testing purposes, you may wish to place a management station or laptop behind the LAN interfaces of all sites. This will greatly aid successful testing/troubleshooting of the VPN configuration between the central and remote sites. Setup Steps SonicWALL Side 1. Log into the SonicWALL s management GUI, go to the VPN > Settings page, and make sure the checkbox next to Enable VPN is checked. 2. On the VPN > Advanced page, uncheck the boxes next to Enable IKE Dead Peer Detection and Enable NAT Traversal. Leave all other settings as-is. For an example, see Figure 13.

10 Figure 13 SonicWALL VPN > Advanced settings 3. On the Network > Address Objects page, go to the bottom of the page and click on the Add button. Create two address objects, one for each subnet behind the Cisco, and name them cisco_subnet_one and cisco_subnet_two. For both objects, select VPN from the drop-down next to Zone Assignment:, and select Network from the drop-down next to Type:. In the fields next to Network: and Mask:, enter the subnet and mask information for the two subnets behind the Cisco. When done, click on the OK button to save and activate the entries. For an example, see Figure 14. Figure 14 SonicWALL Network > Address Objects for Cisco subnets 4. On the Network > Address Objects page, go to the top of the page and click on the Add Group button. In the field next to Name:, enter cisco_subnets. From the pane on the left, move cisco_subnet_one and cisco_subnet_two to the right pane. When done, click on the OK button to save and activate the group. For an example, see Figure 15.

11 Figure 15 SonicWALL Network > Address Objects group for Cisco subnets 5. On the VPN > Settings page, click on the Add button under the VPN Policies section. A pop-up window will appear. On this window s General tab, select IKE using Preshared Secret from the drop-down next to IPSec Keying Mode:, enter a name for the VPN tunnel in the field next to Name:, enter the Cisco s static WAN IP address or fully-qualified domain name (FQDN), and enter in a complex shared secret in the field next to Shared Secret: (remember this as you will need to enter this on the Cisco as well). Leave all other settings as-is. For an example, see Figure 16. Figure 16 SonicWALL VPN General tab 6. Now click on the Network tab. From the drop-down next to Choose local network from list, select Firewalled Subnets. From the drop-down next to Choose destination network from list, select cisco_subnets. For an example, see Figure 17.

12 Figure 17 SonicWALL VPN Network tab 7. Now click on the Proposals tab. For this Tech Note, we will be using the default settings of the SonicWALL, and adjusting the Cisco device to match. For an example, see Figure 18. Figure 18 SonicWALL VPN Proposals tab 8. Now click on the Advanced tab. Check the boxes next to Enable Keep Alive. Check the boxes next to HTTP and HTTPS next to Management via this SA. Leave all other settings as-is. For an example, see Figure 19.

13 Figure 19 SonicWALL VPN Advanced tab 9. When done, click on the OK button to save and activate this VPN tunnel. In the next several steps, we ll configure the Cisco device, and then test VPN tunnel negotiation from both sides to ensure that both devices are configured correctly and traffic can successfully pass in both directions. Cisco Side 10. Log into the Cisco s management GUI. Go to the Configuration > Tunneling and Security > IPSec > NAT Transparency page and uncheck the boxes next to IPSec over TCP and IPSec over NAT-T. For an example, see Figure 20. Figure 20 Cisco NAT Transparency page 11. Go to the Configuration > Tunneling and Security > IPSec > IKE Proposals page and click on the Add button. Create a proposal named sonicwall select Preshared Keys from the drop-down next to Authentication Mode, select SHA/HMAC-160 from the drop-down next to Authentication Algorithm, select 3DES-168 from the dropdown next to Encryption Algorithm, select Group 2 (1024-bits) from the drop-down next to Diffie-Hellman Group, select Time from the drop-down next to Lifetime Measurement, and enter in the field next to Time Lifetime. When done, click on the Apply button to save and activate this entry (NOTE: make sure to move this entry to the Active Proposals side of the IKE Proposals page). For an example, see Figure 21.

14 Figure 21 Cisco IKE Proposals page 12. Go to the Configuration > Policy Management > Traffic Management > Network Lists page and click on the Add button. Create a list named internal and populate it with the subnets behind the Cisco s LAN interface that the SonicWALL will need to access. Make sure to use wildcard masks and not subnet masks for all entries. When done, click on the Apply button to save and activate the entry. For an example, see Figure 22. Figure 22 Cisco Network Lists page 13. Go to the Configuration > Policy Management > Traffic Management > Network Lists page and click on the Add button. Create a list named pro2040_subnets and populate it with the subnets behind the SonicWALL that the Cisco will need to access. Make sure to use wildcard masks and not subnet masks for all entries. When done, click on the Apply button to save and activate the entry. For an example, see Figure 23.

15 Figure 23 Cisco Network Lists page 14. Go to the Configuration > Tunneling and Security > IPSec > LAN-to-LAN page and click on the Add button. On the page that appears, check the box next to Enable and give the entry a unique name in the field next to Name. Choose the Cisco s WAN interface from the drop-down next to Interface. Choose Bi-directional from the drop-down next to Connection Type. In the field next to Peers, enter in the static WAN IP address of the SonicWALL security appliance (as noted previously, you can only enter a static IP address and not a FQDN or ). Choose None (Use Preshared Keys from the drop-down next to Digital Certificate. Enter the complex preshared key you created in Step 3 in the field next to Preshared Key. Choose ESP/SHA/HMAC-160 from the drop-down next to Authentication. Choose 3DES-168 from the drop-down next to Encryption. Choose sonicwall from the drop-down next to IKE Proposal. Leave the settings for Filter, IPSec NAT-T, Bandwidth Policy, and Routing as-is. For an example, see Figure 24. Figure 24 Cisco LAN-to-LAN page 15. On this same page, select internal from the drop-down next to the Local Network s Network List (or, whatever you named it when you created it in a previous step). In the field next to IP address under Remote Network, enter in the SonicWALL s LAN IP subnet, and enter its subnet in the field next to Wildcard Mask. When done, click on the Add button to save and activate this VPN tunnel. For an example, see Figure 25.

16 Figure 25 - Cisco LAN-to-LAN page, continued Testing/Troubleshooting From the management station on the Cisco side, attempt to ping the management station on the SonicWALL side. If not successful, review all steps above to ensure that the devices have been configured correctly. Once the tunnel is up successfully, log into the management GUIs of both devices. On the SonicWALL, go to the VPN > Settings page you should see all subnets successfully negotiated under the Currently Active VPN Tunnels section of the page. On the Cisco, go to the Monitoring > Sessions page you should see the LAN-to-LAN session enabled and active. For examples, see Figures 26 and 27. Figure 26 SonicWALL VPN status page showing active VPN tunnels Figure 27 Cisco VPN status page showing active VPN tunnels

17 Scenario Three: SonicOS Standard to Cisco, SonicWALL has dynamic WAN IP address This deployment method shows how to set up a VPN tunnel between a SonicWALL security appliance running SonicOS Standard or newer and a Cisco VPN 3000 Series Concentrator running firmware or newer. In this scenario, the SonicWALL security appliance has a dynamic WAN IP address (via DHCP, PPPoE, L2TP, PPTP). As noted, the LANto-LAN connector in the Cisco VPN 3000 Concentrator cannot be configured with a FQDN or a ; because of this, it is not possible to set up a LAN-to-LAN connection with a remote device whose WAN IP address changes on a frequent basis. It is also not possible to initiate a VPN tunnel from the Cisco device to any remote device whose WAN IP address is obtained dynamically. The Cisco must be configured to accept the remote device s incoming VPN connections through the Base Group connector, which is normally used to accept incoming Cisco VPN Client connections. The following section will detail how to do so. Both sides are negotiating multiple subnets across the VPN tunnel. The Cisco has two subnets behind the LAN interface and the SonicWALL has two subnets (one behind the LAN interface and one behind the OPT interface). Tasklist Enable VPN on SonicWALL (if it s not already) Disable NAT Traversal and IKE Dead Peer Detection on SonicWALL Create VPN tunnel to Cisco side on SonicWALL Create IKE entry to match SonicWALL settings on Cisco Create SA entry on Cisco Create internal networks list on Cisco Disable NAT Traversal on Cisco Create VPN tunnel to SonicWALL side on Cisco via Base Group Test VPN tunnel negotiation from each side Check each side s status screens for successful VPN tunnel negotiation Before You Begin As noted in the Recommended Versions section, SonicWALL recommends running SonicOS Standard or newer on the SonicWALL security appliance. On the Cisco VPN 3000 Series concentrator, it is recommended that you run firmware or newer, as some of the features detailed in this Tech Note were released with this version. For testing purposes, you may wish to place a management station or laptop behind the LAN interfaces of all sites. This will greatly aid successful testing/troubleshooting of the VPN configuration between the central and remote sites. Setup Steps SonicWALL Side 1. Log into the SonicWALL s management GUI, go to the VPN > Settings page, and make sure the checkbox next to Enable VPN is checked. 2. On the VPN > Advanced page, uncheck the boxes next to Enable IKE Dead Peer Detection and Enable NAT Traversal. Leave all other settings as-is. For an example, see Figure 28.

18 Figure 28 SonicWALL VPN > Advanced settings 3. On the VPN > Settings page, click on the Add button under the VPN Policies section. A pop-up window will appear. On this window s General tab, select IKE using Preshared Secret from the drop-down next to IPSec Keying Mode:, enter a name for the VPN tunnel in the field next to Name:, enter the Cisco s static WAN IP address or fully-qualified domain name (FQDN), and enter in a complex shared secret in the field next to Shared Secret: (remember this as you will need to enter this on the Cisco as well). Click on the Add button under Destination Networks and create entries for each subnet behind the Cisco. For an example, see Figure 29. Figure 29 SonicWALL VPN General tab 4. Now click on the Proposals tab. For this Tech Note, we will be using the default settings of the SonicWALL, and adjusting the Cisco device to match. For an example, see Figure 30.

19 Figure 30 SonicWALL VPN Proposals tab 5. Now click on the Advanced tab. Check the boxes next to Enable Keep Alive and Try to bring up all possible Tunnels. Select the radio button next to LAN/OPT under the VPN Terminated At: section. Leave all other settings as-is. For an example, see Figure 31. Figure 31 SonicWALL Advanced tab 6. When done, click on the OK button to save and activate this VPN tunnel. In the next several steps, we ll configure the Cisco device, and then test VPN tunnel negotiation from both sides to ensure that both devices are configured correctly and traffic can successfully pass in both directions.

20 Cisco Side 7. Log into the Cisco s management GUI. Go to the Configuration > Tunneling and Security > IPSec > NAT Transparency page and uncheck the boxes next to IPSec over TCP and IPSec over NAT-T. For an example, see Figure 32. Figure 32 Cisco NAT Transparency page 8. Go to the Configuration > Tunneling and Security > IPSec > IKE Proposals page and click on the Add button. Create a proposal named sonicwall select Preshared Keys from the drop-down next to Authentication Mode, select SHA/HMAC-160 from the drop-down next to Authentication Algorithm, select 3DES-168 from the dropdown next to Encryption Algorithm, select Group 2 (1024-bits) from the drop-down next to Diffie-Hellman Group, select Time from the drop-down next to Lifetime Measurement, and enter in the field next to Time Lifetime. When done, click on the Apply button to save and activate this entry (NOTE: make sure to move this entry to the Active Proposals side of the IKE Proposals page). For an example, see Figure 33. Figure 33 Cisco IKE Proposals page

21 9. Go to the Configuration > Policy Management > Traffic Management > Security Associations page and click on the Add button. Create a SA named sonicwall select From Rule from the drop-down next to Inheritance, select ESP/SHA/HMAC-160 from the drop-down next to Authentication Algorithm, select 3DES-168 from the drop-down next to Encapsulation Mode, select Disabled from the drop-down next to Perfect Forward Secrecy, select Time from the drop-down next to Lifetime Measurement, enter in the field next to Time Lifetime, and select sonicwall from the drop-down next to IKE Proposal. Leave all other settings as-is. When you are done, click on the Apply button to save and activate the SA. For an example, see Figure 34. Figure 34 Cisco Security Associations page 10. Go to the Configuration > Policy Management > Traffic Management > Network Lists page and click on the Add button. Create a list named internal and populate it with the subnets behind the Cisco s LAN interface that the SonicWALL will need to access. Make sure to use wildcard masks and not subnet masks for all entries. When done, click on the Apply button to save and activate the entry. For an example, see Figure 35.

22 Figure 35 Cisco Network Lists page 11. Go to the Configuration > User Management > Base Group page. On the General tab, make sure the box next to IPSec in the Tunnelling Protocols section is checked. Leave all other settings as-is. For an example, see Figure 36. Figure 36 Cisco Base Group General tab 12. Click on the IPSec tab. Select sonicwall from the drop-down next to IPSec SA. Select Do not check from the drop-down next to IKE Peer Identity Validation. Uncheck the box next to IKE Keepalive. Select Remote Access from the drop-down next to Tunnel Type. Select None from the drop-down next to Authentication. Select None from the drop-down next to Authorization. Uncheck the box next to Authorization Required. Select None from the drop-down next to IPComp. Enter the complex preshared key you entered on the SonicWALL in the field next to Default Preshared Key. Uncheck the box next to Reauthentication on Rekey. Uncheck the box next to Mode Configuration. Leave all other settings as-is. For an example, see Figure 37.

23 Figure 37 Cisco Base Group IPSec tab 13. Click on the Client Config tab. At the bottom of this tab, select the radio button next to Only tunnel networks in this list, and select internal from the drop-down next to Split Tunnelling Network List. Leave all other settings on this tab as-is. When done, click on the Apply button to save and activate the changes. For an example, see Figure 38. Figure 38 - Cisco Base Group Client Config tab

24 Testing/Troubleshooting From the management station on the SonicWALL side, attempt to ping the management station on the Cisco side. If not successful, review all steps above to ensure that the devices have been configured correctly. Once the tunnel is up successfully, log into the management GUIs of both devices. On the SonicWALL, go to the VPN > Settings page you should see all subnets successfully negotiated under the Currently Active VPN Tunnels section of the page. On the Cisco, go to the Monitoring > Sessions page you should see the Remote Access Session enabled and active. For examples, see Figures 39 and 40. Figure 39 SonicWALL VPN status page showing active VPN tunnels Figure 40 Cisco VPN status page showing active VPN tunnels Created: 05/17/2005 Updated: 05/20/2005 Version 1.1