Solved

Cisco 1841 to Sonicwall Pro2040 VPN Up No Traffic

Posted on 2010-09-16
779 Views
Last Modified: 2012-05-10
Trying to set up a site-to-site VPN with one of my remote offices on a DSL connection. I know the problem is with my ACLs, but I'm not sure what it is exactly.

I set up the DSL and the NAT translation for that first, then I set up the VPN tunnel. The tunnel comes up, but I'm not getting traffic across it.

Router#show run
Current configuration : 2164 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging console emergencies
enable secret 5 $1$NHfi$kiyscStTnYcpm6sRcucNV.
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool kearny
   network 10.0.10.0 255.255.255.0
   default-router 10.0.10.1
   dns-server 8.8.8.8 8.8.4.4
   lease infinite
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key $up34$3c437 address 24.116.210.138
no crypto isakmp ccm
!
!
crypto ipsec transform-set sonicwall esp-3des esp-md5-hmac
!
crypto map sonicwallmap 10 ipsec-isakmp
 description vpn tunnell to sonicwall
 set peer 24.116.210.138
 set security-association lifetime seconds 86400
 set transform-set sonicwall
 match address 120
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
 crypto map sonicwallmap
!
interface FastEthernet0/1
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 128.1.0.0 255.255.0.0 24.116.210.138
!
!
ip http server
no ip http secure-server
ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source route-map blocknat interface FastEthernet0/0 overload
!
access-list 102 permit ip 10.0.10.0 0.0.0.255 any
access-list 120 permit ip 10.0.10.0 0.0.0.255 128.1.0.0 0.0.255.255
access-list 120 permit ip 10.0.10.0 0.0.0.255 149.98.213.0 0.0.0.255
access-list 135 deny   ip 10.0.10.0 0.0.0.255 128.1.0.0 0.0.255.255
access-list 135 deny   ip 10.0.10.0 0.0.0.255 149.98.213.0 0.0.0.255
access-list 135 permit ip 192.168.20.0 0.0.0.255 any
!
route-map blocknat permit 10
 match ip address 135
!
!
!
!
control-plane


Router#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 24.116.210.138 port 500
  IKE SA: local 67.60.126.82/500 remote 24.116.210.138/500 Active
  IPSEC FLOW: permit ip 10.0.10.0/255.255.255.0 128.1.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.0.10.0/255.255.255.0 149.98.213.0/255.255.255.0
        Active SAs: 2, origin: crypto map

All help is greatly appreciated.
Question by:cvchadmin
7 Comments
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 33705868
Hi - I haven't ever tried to do this with the route-map to block, except for if you are trying to static NAT a single (or a collection of) remote hosts to IPs on your local network. However, I have set up tunnels with just the ACL. I am also pretty suspicious about the route statement. Try this (from configure mode):

no ip route 128.1.0.0 255.255.0.0 24.116.210.138
(try only this first and test - if it still isn't fixed continue with the rest)

no ip nat inside source route-map blocknat interface FastEthernet0/0 overload
no access-list 102 permit ip 10.0.10.0 0.0.0.255 any

access-list 102 deny ip 10.0.10.0 0.0.0.255 128.1.0.0 0.0.255.255
access-list 102 deny ip 10.0.10.0 0.0.0.255 149.98.213.0 0.0.0.255
access-list 102 permit ip 10.0.10.0 0.0.0.255 any

Try the no ip route 128.1.0.0 255.255.0.0 24.116.210.138 command first and test your connectivity - you really shouldn't need that because the 128.1.0.0 network will be "connected" when the tunnel comes up. The match address 120 tells IOS that the traffic needs to go over the tunnel, and the peer is also defined in the crypto map. I have an idea the route statement is just trying to route your traffic that should go over the tunnel directly to the peer interface outside of the tunnel. If that fixes it, stop there; if not, try the rest.

Just leave the ACL 135 and route-map there for now; they just won't be referenced. If this fixes it you can delete them.

Good Luck

Author Comment

by:cvchadmin
ID: 33728650
Hi sorry for the delay, I made the changes you suggested.

Removing the ip route did not help.
Removing and adding the other access-lists didn't do it either.

The 128 network does not show up in my routing table at all currently.

Router#ping 128.1.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.1.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 72.24.3.1 to network 0.0.0.0

     24.0.0.0/32 is subnetted, 1 subnets
S       24.116.2.136 [254/0] via 72.24.3.1, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.10.0 is directly connected, FastEthernet0/1
     72.0.0.0/24 is subnetted, 1 subnets
C       72.24.3.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [254/0] via 72.24.3.1
Router#

Author Closing Comment

by:cvchadmin
ID: 33730543
It just took a minute for the routing to come up; there is still no entry in show ip route, but it is working now.

I still don't quite understand how those ACLs tell the traffic to go over the tunnel.
LVL 28

Expert Comment

by:bgoering
ID: 33731505
102 is the source list for the NAT - we are denying traffic that should go over the tunnel, then allowing everything else to be NATted.

Notice the denies are the same as the 120 permits, where the match 120 in the crypto block tells the router that is the interesting traffic. The router won't bring up the tunnel until it sees "interesting" traffic.

Glad you got it going
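The two comments above describe the relationship between the NAT source list (102) and the crypto ACL (120): on IOS, inside-to-outside traffic is translated before the crypto map examines it, so anything the tunnel should carry has to be denied from NAT or its source address no longer matches the crypto ACL. The following script is an added example, not code from this thread or from Cisco. It models IOS wildcard-mask evaluation for `access-list N permit|deny ip SRC WC DST WC` entries, classifies sample packets against the ACLs as they appear in the original question and in the accepted answer, and runs a consistency check that every crypto-ACL permit is also a NAT deny. The model covers only the list-based `ip nat inside source list` statement and the crypto ACL; the route-map/ACL 135 variant is left out, as the accepted answer ends without it. Sample packets are constructed.

```python
"""NAT-exemption vs. crypto-ACL consistency model (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: int      # source network as an integer
    src_wc: int   # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def _endpoint(tokens):
    """Consume one ACL endpoint: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, tokens[2:]
    return _addr(tokens[0]), _addr(tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WC DST WC' into (N, Ace)."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
        raise ValueError("unsupported ACL line: %r" % line)
    number, action = int(parts[1]), parts[2]
    src, src_wc, rest = _endpoint(parts[4:])
    dst, dst_wc, _ = _endpoint(rest)
    return number, Ace(action, src, src_wc, dst, dst_wc)


def parse_acls(config_text):
    """Collect numbered ACLs from config text, preserving entry order."""
    acls = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("access-list"):
            number, ace = parse_ace(line)
            acls.setdefault(number, []).append(ace)
    return acls


def _match(value, net, wildcard):
    # Bits set in the wildcard are ignored; the rest must equal the network.
    return (value & ~wildcard & 0xFFFFFFFF) == (net & ~wildcard & 0xFFFFFFFF)


def evaluate(aces, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = _addr(src), _addr(dst)
    for ace in aces:
        if _match(s, ace.src, ace.src_wc) and _match(d, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def classify(acls, src, dst, nat_list=102, crypto_list=120):
    """Return (natted, interesting) for one packet: NAT list permit, crypto ACL permit."""
    natted = evaluate(acls[nat_list], src, dst) == "permit"
    interesting = evaluate(acls[crypto_list], src, dst) == "permit"
    return natted, interesting


def nat_exemption_gaps(acls, nat_list=102, crypto_list=120):
    """Crypto-ACL permits whose network is still permitted (i.e. translated) by the NAT list.

    Spot check: probes the first address of each side of the permit entry.
    """
    gaps = []
    for ace in acls[crypto_list]:
        if ace.action != "permit":
            continue
        probe_src = str(ipaddress.IPv4Address(ace.src))
        probe_dst = str(ipaddress.IPv4Address(ace.dst))
        if evaluate(acls[nat_list], probe_src, probe_dst) != "deny":
            gaps.append((probe_src, probe_dst))
    return gaps


# ACL entries as posted in the question (NAT list permits everything).
ORIGINAL_ACLS = """
access-list 102 permit ip 10.0.10.0 0.0.0.255 any
access-list 120 permit ip 10.0.10.0 0.0.0.255 128.1.0.0 0.0.255.255
access-list 120 permit ip 10.0.10.0 0.0.0.255 149.98.213.0 0.0.0.255
"""

# ACL entries after the accepted answer (tunnel networks denied from NAT first).
FIXED_ACLS = """
access-list 102 deny ip 10.0.10.0 0.0.0.255 128.1.0.0 0.0.255.255
access-list 102 deny ip 10.0.10.0 0.0.0.255 149.98.213.0 0.0.0.255
access-list 102 permit ip 10.0.10.0 0.0.0.255 any
access-list 120 permit ip 10.0.10.0 0.0.0.255 128.1.0.0 0.0.255.255
access-list 120 permit ip 10.0.10.0 0.0.0.255 149.98.213.0 0.0.0.255
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACLS), ("fixed", FIXED_ACLS)):
        acls = parse_acls(text)
        print(label, "10.0.10.5 -> 128.1.0.2 (natted, interesting):",
              classify(acls, "10.0.10.5", "128.1.0.2"))
        print(label, "10.0.10.5 -> 8.8.8.8   (natted, interesting):",
              classify(acls, "10.0.10.5", "8.8.8.8"))
        print(label, "NAT exemption gaps:", nat_exemption_gaps(acls))
```

With the original ACLs a packet bound for 128.1.0.2 is both NATted and "interesting", which is the conflict the accepted answer removes; with the fixed ACLs it is exempt from NAT and still interesting, while Internet-bound traffic is NATted and never touches the tunnel.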

Author Comment

by:cvchadmin
ID: 33735269
Ahah, now it makes sense.

Thank you sir!