VPN Configuration - Cisco SR520 and Sonicwall TZ-170

I have a Cisco SR520 router that I need to get a VPN connection up to a Sonicwall TZ-170. I will attach as much info as possible. The VPN in the Sonicwall shows to be up and going. I cannot ping through to the private side of either network. I am very limited with the Cisco but I can get any information that may be requested. Here is the Cisco config. I will also try and attach a picture or two of the Sonicwall layout.

BHTower# sh run
Building configuration...
 
Current configuration : 4480 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BHTower
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$Q.l7$alxBVnRehPLzDu2lHu.wK.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone CST -6
!
crypto pki trustpoint TP-self-signed-2637008454
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2637008454
 revocation-check none
 rsakeypair TP-self-signed-2637008454
!
!
crypto pki certificate chain TP-self-signed-2637008454
 certificate self-signed 01
        quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.100.120.1 10.100.120.99
!
ip dhcp pool inside
   import all
   network 10.100.120.0 255.255.255.0
   default-router 10.100.120.1
   domain-name imsday.com
   dns-server 74.81.134.20 74.81.134.40
!
!
ip cef
no ip domain lookup
ip domain name imsday.com
ip name-server 74.81.134.20
ip name-server 74.81.134.40
!
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
!
!
username admin privilege 15 secret 5 $1$e4aG$T8s0PFgasnFhv4Z5SJ3td/
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key 6 [YITTKCMfMBcROLgZbFY]HDLVGdPPDZZOeKR_AC address 74.81.130.200
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map tosonicwall 1 ipsec-isakmp
 set peer 74.81.130.200
 set transform-set strong
 match address 101
!
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 75
!
interface FastEthernet1
 switchport access vlan 75
!
interface FastEthernet2
 switchport access vlan 75
!
interface FastEthernet3
 switchport access vlan 75
!
interface FastEthernet4
 ip address 74.81.130.201 255.255.255.0 secondary
 ip address 74.81.130.202 255.255.255.0 secondary
 ip address 74.81.130.253 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map tosonicwall
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan75
 ip address 10.100.120.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 74.81.130.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool someips 74.81.130.201 74.81.130.202 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 10.100.120.3 74.81.130.201
ip nat inside source static tcp 10.100.120.2 80 74.81.130.253 80 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.100.120.0 0.0.0.255
access-list 101 permit ip 10.100.120.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
end
 
[Attachments: Sonicwall Log, Sonicwall VPN Settings]
rmecheAsked:
3nerdsCommented:
I am not sure about the Sonicwall side but it sounds like a NO-NAT problem. You appear to be missing a line in your ACL #1 telling the device not to NAT traffic flowing across the VPN tunnel.

ip nat inside source list 1 interface FastEthernet4 overload

So list 1 tells the device what traffic should go out via NAT or not.

access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.100.120.0 0.0.0.255

Right now list 1 is telling the device that all traffic on the 10.100.120.0/24 network should go out via NAT. You will need to add a line to this ACL above the permit line telling it not to NAT the traffic traveling across the VPN.

Something like this should be added above the permit line.

access-list 1 deny ip 10.100.120.0 0.0.0.255 192.168.1.0 0.0.0.255

You will probably need something on the Sonicwall to tell it the same thing, but it may be there already. I just don't mess with Sonicwalls.

Regards,

3nerds
rmecheAuthor Commented:
It would seem that if I added this deny statement, my network, the 192.168.1.0, would only be able to get to this router if I use a VPN. I was hoping to use the VPN to get to the internal devices on the 10.100.120.0 network when using the VPN, and be able to get to the public side of this router when not using VPN. Will I still be able to get to the WAN side of the router if I do not use VPN, since I am on the 192.168.1.0 network and the deny statement will be in the ACL? Hope I did not confuse you too bad; I think I confused myself on this one.
digitapCommented:
As far as the Sonicwall, if the tunnel is up and you can ping a private IP over the tunnel, Cisco > Sonicwall, then there's nothing wrong with the VPN policy at either end. If there were, then the tunnel wouldn't come up at all. I agree with 3nerds, you've got something hinky with ACLs on your Cisco.
3nerdsCommented:
rmeche,

The deny will only affect what traffic is denied NAT flowing from the 10.100.120.0 network to the 192.168.1.0 network. It will not have any bearing on anything other than that. If you plan to remotely manage the device via SSH, then when you connect to the device it will look to the device like you are coming from an internet IP, not the 192.168.1.0 network. Sorry if I misunderstood what you were asking, but I was a little confused by your questions.

Good Luck,

3nerds
rmecheAuthor Commented:
I cannot add this statement access-list 1 deny ip 10.100.120.0 0.0.0.255 192.168.1.0 0.0.0.255. I can add it to an extended ACL like 110. I cannot get it working as of yet but I know it has to do with the ACL.
3nerdsCommented:
Probably need to do something like this.

Add

access-list 110 remark NAT ACL
access-list 110 deny ip 10.100.120.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.100.120.0 0.0.0.255 any

Change
ip nat inside source list 1 interface FastEthernet4 overload
to
ip nat inside source list 110 interface FastEthernet4 overload

Regards,

3nerds
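Added illustration, not part of the thread: this Python script models why 3nerds' ACL 110 works and why the order of its deny and permit lines matters. It reproduces the IOS inside-to-outside order of operations (the NAT ACL is evaluated first, the crypto map's match ACL only afterwards) for the ACL lines posted above; the overload address 74.81.130.253 comes from the config, while the hosts 10.100.120.50 and 203.0.113.9 are constructed sample values.

```python
# Added example, not from the thread: IOS does NAT before the crypto map check; this models that for the ACLs posted above.
import ipaddress

def _net(tokens):
    """Consume 'any' or 'ADDR WILDCARD' from an IOS ACL line; return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]  # wildcard = host mask

def parse_acl(lines):
    """Return [(action, src_net, dst_net)] for standard or extended 'ip' entries."""
    entries = []
    for t in (ln.split() for ln in lines if ln.startswith("access-list") and " remark " not in ln):
        action, rest = t[2], t[3:]
        if rest[0].lower() == "ip":          # extended: ip SRC WC DST WC
            src, rest = _net(rest[1:])
            dst, _ = _net(rest)
        else:                                # standard: SRC WC, any destination
            src, _ = _net(rest)
            dst = ipaddress.ip_network("0.0.0.0/0")
        entries.append((action, src, dst))
    return entries

def acl_permits(acl, src, dst):
    """First matching entry wins; the implicit deny at the end returns False."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def outbound_path(nat_acl, crypto_acl, src, dst, outside_ip="74.81.130.253"):
    """Returns 'ipsec' (matched the crypto ACL), 'nat' (translated and sent in the
    clear, since the new source no longer matches ACL 101) or 'clear' (neither)."""
    translated = acl_permits(nat_acl, src, dst)
    if translated:
        src = outside_ip                     # overload onto the FastEthernet4 address
    if acl_permits(crypto_acl, src, dst):
        return "ipsec"
    return "nat" if translated else "clear"

NAT_ACL_1 = parse_acl(["access-list 1 permit 10.100.120.0 0.0.0.255"])
NAT_ACL_110 = parse_acl(["access-list 110 deny ip 10.100.120.0 0.0.0.255 192.168.1.0 0.0.0.255",
                         "access-list 110 permit ip 10.100.120.0 0.0.0.255 any"])
CRYPTO_ACL_101 = parse_acl(["access-list 101 permit ip 10.100.120.0 0.0.0.255 192.168.1.0 0.0.0.255"])

if __name__ == "__main__":                   # 10.100.120.50 and 203.0.113.9 are constructed hosts
    for acl in (NAT_ACL_1, NAT_ACL_110):
        print([outbound_path(acl, CRYPTO_ACL_101, "10.100.120.50", d) for d in ("192.168.1.10", "203.0.113.9")])
```

With list 1 the tunnel-bound packet is translated to 74.81.130.253 and never matches ACL 101; with list 110 it is exempted from NAT and is encrypted, while Internet-bound traffic is still translated.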

rmecheAuthor Commented:
Thanks for the timely response.
digitapCommented:
you are welcome!