Solved

Cisco LAN to LAN IPSec coexisting with DMVPN, need ACL help

Posted on 2012-03-28
Medium Priority
1,463 Views
Last Modified: 2012-04-02
We have an existing DMVPN hub and spoke arrangement with 2811 and 1811 hardware. We need to add an additional IPSec VPN to a SonicWALL, which means I cannot use the DMVPN configuration. In addition, the SonicWALL WAN IP is dynamic.

I've used the guide here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008032cd24.shtml
to help build a config.

Status: the VPN establishes. I can ping the Cisco 2811 inside interface IP from the SonicWALL but I cannot ping any other device on the 10.128.52.0 network. From the 2811, I cannot ping the SonicWALL interface IP.

I have a feeling this is ACL-related, but cannot finger the missing or offending statements.  Would very much appreciate some help.

hostname host
!
no ip source-route
!
! 
crypto keyring DMVPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key dmvpnkey
!
crypto keyring L2LKEY
  pre-shared-key hostname esecvpn.dyndns.org key l2lkey
 
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!

crypto isakmp client configuration group EXISTINGCLIENTGROUP
 key EXISTINGCLIENTGROUPKEY
  pool dynpool
 acl 121
crypto isakmp profile EXISTINGCLIENTGROUPPROFILE
   match identity group EXISTINGCLIENTGROUP
   client authentication list local_authen
   isakmp authorization list local_author
   client configuration address initiate
   client configuration address respond
!
crypto isakmp profile DMVPNPRF
   keyring DMVPN
   match identity address 0.0.0.0
!
crypto isakmp profile L2LPRF
   keyring L2LKEY
   match identity host esecvpn.dyndns.org
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA1 
 set isakmp-profile DMVPNPRF
!
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA1 
 set isakmp-profile EXISTINGCLIENTGROUPPROFILE
 reverse-route
!
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap 
!
crypto map dynmap 5 ipsec-isakmp
 set peer esecvpn.dyndns.org dynamic default
 set transform-set ESP-3DES-SHA1
 set isakmp-profile L2LPRF
 match address 150
 reverse-route
!
!
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.1.2.1 255.255.255.0
!
interface Loopback3
 description OutboundNAT2 loopback Interface
 ip address 10.1.3.1 255.255.255.0
!
interface Loopback10
 ip address 10.2.2.2 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.255.52.1 255.255.0.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile2
!
interface Tunnel1
 bandwidth 900
 ip address 10.253.52.1 255.255.0.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100001
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source Vlan3
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile SDM_Profile2
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_OUTSIDE$
 ip address 1.1.1.1 255.255.255.250
 ip access-group 104 in
 ip access-group test out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map dynmap
!
interface GigabitEthernet0/1
 description $FW_INSIDE$$ETH-LAN$
 ip address 10.128.52.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map NAT
 duplex auto
 speed auto
 no mop enabled
!

interface Group-Async0
 physical-layer async
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 ip route-cache flow
 no group-range
!
router eigrp 100
 redistribute static
 passive-interface GigabitEthernet0/1
 passive-interface Vlan1
 passive-interface Vlan2
 network 10.0.0.0 0.0.0.255
 network 10.128.52.0 0.0.0.255
 network 10.253.52.0 0.0.0.255
 network 10.255.52.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip local pool dynpool 10.254.52.1 10.254.52.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 123
!
ip nat inside source route-map OutboundNAT interface GigabitEthernet0/0 overload
!
ip access-list extended test
 permit ip 10.128.52.0 0.0.0.255 any log
 permit ip 1.1.1.0 0.0.0.255 any
!
access-list 104 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 104 permit udp host 192.43.244.18 eq ntp host 1.1.1.1 eq ntp
access-list 104 permit udp any host 1.1.1.1 eq non500-isakmp
access-list 104 permit udp any host 1.1.1.1 eq isakmp
access-list 104 permit esp any host 1.1.1.1
access-list 104 permit ahp any host 1.1.1.1
access-list 104 permit gre any host 1.1.1.1
access-list 104 permit icmp any any
access-list 104 deny   ip 10.128.52.0 0.0.0.255 any
access-list 104 deny   ip 10.0.0.0 0.0.0.255 any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 deny   ip 10.255.0.0 0.0.255.255 any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
!
access-list 120 deny   ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 120 deny   ip 10.128.52.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 120 deny   ip 10.0.0.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 120 deny   ip 192.168.1.0 0.0.0.255 10.128.80.0 0.0.0.255
access-list 120 deny   ip 10.128.52.0 0.0.0.255 10.128.80.0 0.0.0.255
access-list 120 deny   ip 10.0.0.0 0.0.0.255 10.128.80.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.6 any
access-list 120 permit ip 10.128.52.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 121 permit ip 10.128.52.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 121 permit ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 121 permit ip 10.0.0.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 121 permit ip 10.0.0.0 0.255.255.255 10.254.52.0 0.0.0.255
!
access-list 122 permit ip 10.128.52.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 122 permit ip 10.0.0.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 122 permit ip 10.0.0.0 0.255.255.255 10.254.52.0 0.0.0.255
!
access-list 131 permit ip 10.0.0.0 0.255.255.255 10.254.52.0 0.0.0.255
access-list 131 permit ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
!
access-list 150 permit ip 10.128.52.0 0.0.0.255 10.128.80.0 0.0.0.255
!
route-map NAT permit 20
 match ip address 131
 set ip next-hop 10.2.2.3
!
route-map OutboundNAT permit 40
 match ip address 120
 set ip next-hop 10.1.2.2
!
route-map vpnaccess permit 10
 match ip address 122
 set ip next-hop 10.1.1.2


Question by: theletterE
7 Comments
 

Expert Comment

by:Cyberwrath
ID: 37776015
What is the source IP Address of your ping e.g. where is it coming from?

As a side note, give some thought to an encryption mechanism other than 3des there are so many more secure options, just my .02

Thank you!
0
 
LVL 1

Expert Comment

by:MRowan75
ID: 37776388
Is the 10.128.52.0 subnet within the SonicWALL? If so, check the Interface Settings (Go to Network->Interface) that the subnet is sitting on and ensure that "Ping" is checked/enabled.
0
 
LVL 2

Author Comment

by:theletterE
ID: 37777572
On the SonicWALL, the source IP is 10.128.80.1; on the 2811 the source IP is 10.128.52.1. I have confirmed that the SonicWALL interface settings have ping enabled.
0
 
LVL 1

Expert Comment

by:MRowan75
ID: 37777603
We have noticed in the past that in addition to enabling ping on the interface settings, you also need a firewall rule allowing ping to the management IP. Should look something like VPN>LAN>Allow>Ping>X0 Management IP.
0
 
LVL 2

Author Comment

by:theletterE
ID: 37777655
The SonicWALL configuration is sound. The issue is the Cisco configuration. Note that I cannot ping the Cisco network (aside from the interface IP) from the SonicWALL.
0
 
LVL 2

Accepted Solution

by: theletterE earned 0 total points
ID: 37778834
Discovered the issue was simply that I was pinging from the Cisco exec shell. When pinging from another host on the network, it works just fine. Needed the correct source IP.
0
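To show why the source address mattered in the accepted solution, here is an added Python model (not from the question's config and not Cisco code) of how IOS evaluates the crypto map's "interesting traffic" ACL. A crypto map entry only encrypts packets that its `match address` ACL permits, and an exec-shell `ping` issued without a `source` option is stamped with the address of the interface the packet leaves through, which for a packet heading out GigabitEthernet0/0 is the outside address (1.1.1.1 in the sanitised config). That source never matches ACL 150, so the ping goes out in the clear and is never seen inside the tunnel. The ACL text below is copied from the question; the remark line, the test addresses and every function name are constructed for the example.

```python
"""Added example (not from the question or from Cisco): model how IOS
evaluates a numbered extended ACL so we can see which ping source
addresses hit the crypto map's "interesting traffic" ACL 150."""
import ipaddress
from typing import List, Tuple

# ACL 150 exactly as posted in the question; the remark line is
# constructed to show that remarks are skipped by the matcher.
ACL_TEXT = """
access-list 150 remark constructed: traffic to encrypt toward the SonicWALL
access-list 150 permit ip 10.128.52.0 0.0.0.255 10.128.80.0 0.0.0.255
"""

Addr = Tuple[str, str]                  # (base address, wildcard mask)
Entry = Tuple[str, str, Addr, Addr]     # (action, protocol, src, dst)


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tok, tokens[i + 1]), i + 2


def parse_acl(text: str, number: int) -> List[Entry]:
    """Collect the entries of one numbered extended ACL, in order."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        if tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, proto, src, dst))
    return entries


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(entries: List[Entry], src: str, dst: str, proto: str = "icmp") -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, p, (sb, sw), (db, dw) in entries:
        if p != "ip" and p != proto:      # 'ip' entries match every protocol
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def ping_is_encrypted(src: str, dst: str) -> bool:
    """True when a ping from src to dst is selected by crypto ACL 150."""
    return acl_action(parse_acl(ACL_TEXT, 150), src, dst) == "permit"


if __name__ == "__main__":
    # Constructed cases: an exec-shell ping leaving Gi0/0 carries the outside
    # address; a LAN host, or 'ping ... source 10.128.52.1', carries the inside one.
    for src in ("1.1.1.1", "10.128.52.1", "10.128.52.25"):
        state = "encrypted" if ping_is_encrypted(src, "10.128.80.1") else "sent in the clear"
        print(f"ping 10.128.80.1 from {src}: {state}")
```

The equivalent check on the router itself is `ping 10.128.80.1 source 10.128.52.1`, which forces the inside address into the packet so it matches ACL 150; `show crypto ipsec sa` then shows the encaps counter for the 10.128.52.0/24 to 10.128.80.0/24 SA climbing with each probe.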
 
LVL 2

Author Closing Comment

by:theletterE
ID: 37795171
Further research yielded the answer.
0
