I am trying to establish a VPN tunnel from my office to my client's office. On my end I have a SonicWALL Pro 3060 running Enhanced OS. The other end has a Cisco 1841 advanced security. I've already established a tunnel between the client's two sites. They have Cisco routers on both sides and it's working great. The two peers in question authenticate and the tunnel comes up, yet I cannot access or even PING any resources on either end. I've actually done this before with the same model routers on each end and did have some trouble. I think the problem is on the Cisco router, so I have pasted my config below. I'm leaning towards an ACL problem or a route map configuration issue. The tunnel in question is 2.2.2.2 (for the sake of this post), ACL 101, crypto map SDM_CMAP_1 2 ipsec-isakmp. Any suggestions?
Current configuration : 2815 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$chQY$rq8aHlCi41IZlYeTJ.3wZ/
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
username user privilege 15 secret 5 $1$DQTY$HRiH2zqdC4TVbHoQLY4ht/
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key r(3%nLe2 address 1.1.1.1
crypto isakmp key dms2hapcgraysho100w address 2.2.2.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 1.1.1.1
 set peer 1.1.1.1
 set transform-set ESP-3DES-SHA
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description VPN Tunnel To DMS
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 match address 101
!
!
!
interface FastEthernet0/0
 description Inside Private Interface$ETH-LAN$
 ip address 10.19.16.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN/Internet Interface To Nuvox T1$ETH-WAN$
 ip address 3.3.3.3 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Serial0/0/0
 description Point-To-Point Circuit To New Iberia
 ip address 10.19.100.2 255.255.255.252
 shutdown
 service-module t1 clock source internal
!
ip classless
ip route 0.0.0.0 0.0.0.0 4.4.4.4
ip route 10.19.16.0 255.255.255.0 10.19.100.1
!
ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.19.16.9 80 3.3.3.3 80 extendable
!
access-list 100 permit ip 10.19.16.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.19.16.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 102 deny ip 10.19.16.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 110 deny ip 10.19.16.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.19.16.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 110
!
!
!
Glad it worked out for you. This particular ACL's purpose is to bypass NAT for the VPN traffic (denied through NAT), and permit all other traffic to be natted.
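The reply above describes the NAT ACL as denying VPN traffic so that it bypasses NAT. As an added example (not part of the original thread), the following Python check reads an IOS config and reports any crypto-map ACL permit that the NAT route-map's ACL would still translate. The function names are this example's own, the sample is an excerpt of the posted config, and it assumes numbered `access-list N permit|deny ip` entries with contiguous wildcards or `any`.

```python
import re
from ipaddress import ip_network

# Excerpt of the configuration posted above (only the lines the check reads).
CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 match address 101
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
access-list 100 permit ip 10.19.16.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.19.16.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 102 deny ip 10.19.16.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 110 deny ip 10.19.16.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.19.16.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 110
"""

def net(tok):
    # Consume one address spec from the token list: 'any' or 'addr wildcard'.
    if tok[0] == "any":
        tok.pop(0)
        return ip_network("0.0.0.0/0")
    addr, wild = tok.pop(0), tok.pop(0)
    return ip_network(f"{addr}/{wild}")  # ipaddress accepts a host mask here

def parse_acls(config):
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny) ip (.+)$", config, re.M):
        tok = m.group(3).split()
        acls.setdefault(m.group(1), []).append((m.group(2), net(tok), net(tok)))
    return acls

def is_natted(nat_acl, src, dst):
    # True if a permit entry can hit the flow before a deny covers all of it.
    for action, s, d in nat_acl:
        if action == "deny" and src.subnet_of(s) and dst.subnet_of(d):
            return False
        if action == "permit" and src.overlaps(s) and dst.overlaps(d):
            return True
    return False  # implicit deny: the route-map does not match, so no NAT

def unexempted_tunnels(config):
    acls = parse_acls(config)
    crypto = re.findall(r"^ match address (\d+)$", config, re.M)
    rmap = re.search(r"^ip nat inside source route-map (\S+)", config, re.M).group(1)
    nat = re.search(rf"^route-map {re.escape(rmap)} permit \d+\n match ip address (\d+)",
                    config, re.M).group(1)
    return [(n, str(s), str(d)) for n in crypto for a, s, d in acls.get(n, [])
            if a == "permit" and is_natted(acls[nat], s, d)]
```

On the posted config, `unexempted_tunnels(CONFIG)` reports the ACL 101 flow: ACL 110 has a deny only for the 10.0.0.0 destination, and the matching deny in ACL 102 is not referenced by the route-map.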