Attempting to build a site-to-site tunnel between a SonicWall NSA and a Cisco IOS router, I can get the tunnel to become active, but cannot pass traffic in either direction. Am I just missing a simple route or something? Cisco config pasted, SonicWall config images attached.
hostname Cisco_Router
!
ip source-route
!
!
ip dhcp excluded-address 192.168.50.1 192.168.50.99
ip dhcp excluded-address 192.168.50.201 192.168.50.254
!
ip dhcp pool ccp-pool1
import all
network 192.168.50.0 255.255.255.0
dns-server 4.2.2.2 192.168.0.14
default-router 192.168.50.1
!
!
ip cef
ip domain name domain.local
ip name-server 4.2.2.2
ip name-server 192.168.0.14
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key PASSWORD address 64.x.x.x
crypto isakmp keepalive 15
crypto isakmp client configuration address-pool local CLIENTPOOL
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set 50 esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 64.x.x.x
set transform-set 50
set pfs group2
match address 101
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 68.x.x.x 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool CLIENTPOOL 192.168.0.0 192.168.0.255
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 68.0.0.0.0
ip route 192.168.0.0 255.255.255.0 FastEthernet4
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
no cdp run
SonicWall (from the attached config images):
Local network: 192.168.0.0/24 (needs the full range)
SonicWall address group MWCisco: includes one network object for the 192.168.0.0/24 network
mikeewalton
ASKER
Have this up and running.
The main issue was that on the SW side, the LAN Subnets group was tied in, which included subnets that I wasn't tying into the Cisco ACL, so I created an address object on the SW for just the network I wanted and applied that to the VPN, and it is working.
Although the contributors did not actually find the issue, some of what they stated pointed me in the right direction.
digitap
Yes, you have to watch those address objects and groups. I've had this same issue before. If the VPN establishes correctly, but traffic doesn't pass, then it's always been the subnets I've defined.
! IOS extended ACLs take wildcard (inverse) masks, not subnet masks
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
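The failure mode in this thread (tunnel up, no traffic) is a phase 2 proxy-ID mismatch: the SonicWall offered every network in its LAN Subnets group, while the Cisco crypto ACL 101 only describes 192.168.50.0/24 to 192.168.0.0/24. The script below is an added example, not code from the thread or from either vendor. It parses the crypto ACL from the Cisco config above into (source, destination) network pairs, converts the wildcard masks to prefixes, and reports every SonicWall local/remote pair that no ACL entry covers. The SonicWall group contents are constructed: 192.168.0.0/24 is from the page, and the two extra subnets stand in for the "subnets I wasn't tying into the Cisco ACL" the asker mentions. It also rejects a subnet mask written where a wildcard belongs, the mistake in the last ACL line on this page.

```python
import ipaddress
import re

# The crypto ACL exactly as it appears in the Cisco config on this page.
CISCO_ACL = """
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

# Constructed SonicWall side. Before the fix, the VPN policy was bound to the
# whole LAN Subnets group; the two extra subnets are assumptions standing in
# for whatever else that group contained.
SONICWALL_LAN_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "10.10.10.0/24"]
SONICWALL_REMOTE = ["192.168.50.0/24"]
# After the fix: the dedicated MWCisco address object with only the ACL'd network.
SONICWALL_MWCISCO = ["192.168.0.0/24"]

# Only the "permit ip <src> <src-wildcard> <dst> <dst-wildcard>" form is handled.
ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an IPv4Network.

    A wildcard is the inverse of a subnet mask (0.0.0.255 is /24). A value
    such as 255.255.255.0 inverts to a non-contiguous mask and is rejected,
    which is how a subnet mask typed where a wildcard belongs shows up.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} does not describe a prefix")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_crypto_acl(text):
    """Return the ACL's proxy IDs as a list of (source_net, destination_net)."""
    pairs = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        _, src, src_wc, dst, dst_wc = m.groups()
        pairs.append((wildcard_to_network(src, src_wc),
                      wildcard_to_network(dst, dst_wc)))
    return pairs


def unmatched_sonicwall_networks(acl_pairs, sw_local, sw_remote):
    """List SonicWall (local, remote) pairs that no Cisco ACL entry covers.

    Seen from the Cisco side the roles flip: the SonicWall's local network is
    the Cisco destination and the SonicWall's remote network is the Cisco
    source. A pair counts as covered when both networks are equal to or
    contained in an ACL entry; anything else cannot be negotiated in phase 2.
    """
    missing = []
    for loc in sw_local:
        for rem in sw_remote:
            loc_n = ipaddress.IPv4Network(loc)
            rem_n = ipaddress.IPv4Network(rem)
            covered = any(loc_n.subnet_of(cisco_dst) and rem_n.subnet_of(cisco_src)
                          for cisco_src, cisco_dst in acl_pairs)
            if not covered:
                missing.append((loc, rem))
    return missing


def check(cisco_acl_text, sw_local, sw_remote):
    """Parse the ACL and report the SonicWall pairs it does not cover."""
    return unmatched_sonicwall_networks(parse_crypto_acl(cisco_acl_text),
                                        sw_local, sw_remote)


def network_to_acl_line(acl_num, src, dst):
    """Render a correct IOS extended ACL entry (wildcards, not subnet masks)."""
    s, d = ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst)
    return (f"access-list {acl_num} permit ip "
            f"{s.network_address} {s.hostmask} {d.network_address} {d.hostmask}")


if __name__ == "__main__":
    print("Before fix, SonicWall pairs with no Cisco ACL entry:",
          check(CISCO_ACL, SONICWALL_LAN_SUBNETS, SONICWALL_REMOTE))
    print("After fix:", check(CISCO_ACL, SONICWALL_MWCISCO, SONICWALL_REMOTE))
    print(network_to_acl_line(101, "192.168.50.0/24", "192.168.0.0/24"))
```

Run against the constructed "before" group it lists the two pairs the Cisco side will never agree to; against the MWCisco object it reports nothing, matching the asker's outcome. Feeding it `255.255.255.0` as a wildcard raises instead of silently producing a /8, which is the check you want before pasting an ACL line into a router.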