Cisco LAN to LAN IPSec coexisting with DMVPN, need ACL help

We have an existing DMVPN hub and spoke arrangement with 2811 and 1811 hardware.  We need to add an additional IPSec VPN to a SonicWALL, which means I cannot use the DMVPN configuration.  In addition, the SonicWALL WAN IP is dynamic.

I've used the guide here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008032cd24.shtml
to help build a config.

Status:  the VPN establishes.  I can ping the Cisco 2811 inside interface IP from the SonicWALL but I cannot ping any other device on the 10.128.52.0 network.  From the 2811, I cannot ping the SonicWALL interface IP.

I have a feeling this is ACL-related, but cannot finger the missing or offending statements.  Would very much appreciate some help.

hostname host
!
no ip source-route
!
! 
crypto keyring DMVPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key dmvpnkey
!
crypto keyring L2LKEY
 pre-shared-key hostname esecvpn.dyndns.org key l2lkey
 
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!

crypto isakmp client configuration group EXISTINGCLIENTGROUP
 key EXISTINGCLIENTGROUPKEY
  pool dynpool
 acl 121
crypto isakmp profile EXISTINGCLIENTGROUPPROFILE
   match identity group EXISTINGCLIENTGROUP
   client authentication list local_authen
   isakmp authorization list local_author
   client configuration address initiate
   client configuration address respond
!
crypto isakmp profile DMVPNPRF
   keyring DMVPN
   match identity address 0.0.0.0
!
crypto isakmp profile L2LPRF
   keyring L2LKEY
   match identity host esecvpn.dyndns.org
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA1 
 set isakmp-profile DMVPNPRF
!
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA1 
 set isakmp-profile EXISTINGCLIENTGROUPPROFILE
 reverse-route
!
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap 
!
crypto map dynmap 5 ipsec-isakmp
 set peer esecvpn.dyndns.org dynamic default
 set transform-set ESP-3DES-SHA1
 set isakmp-profile L2LPRF
 match address 150
 reverse-route
!
!
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.1.2.1 255.255.255.0
!
interface Loopback3
 description OutboundNAT2 loopback Interface
 ip address 10.1.3.1 255.255.255.0
!
interface Loopback10
 ip address 10.2.2.2 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.255.52.1 255.255.0.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile2
!
interface Tunnel1
 bandwidth 900
 ip address 10.253.52.1 255.255.0.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100001
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source Vlan3
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile SDM_Profile2
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_OUTSIDE$
 ip address 1.1.1.1 255.255.255.250
 ip access-group 104 in
 ip access-group test out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map dynmap
!
interface GigabitEthernet0/1
 description $FW_INSIDE$$ETH-LAN$
 ip address 10.128.52.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map NAT
 duplex auto
 speed auto
 no mop enabled
!

interface Group-Async0
 physical-layer async
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 ip route-cache flow
 no group-range
!
router eigrp 100
 redistribute static
 passive-interface GigabitEthernet0/1
 passive-interface Vlan1
 passive-interface Vlan2
 network 10.0.0.0 0.0.0.255
 network 10.128.52.0 0.0.0.255
 network 10.253.52.0 0.0.0.255
 network 10.255.52.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip local pool dynpool 10.254.52.1 10.254.52.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 123
!
ip nat inside source route-map OutboundNAT interface GigabitEthernet0/0 overload
!
ip access-list extended test
 permit ip 10.128.52.0 0.0.0.255 any log
 permit ip 1.1.1.0 0.0.0.255 any
!
access-list 104 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 104 permit udp host 192.43.244.18 eq ntp host 1.1.1.1 eq ntp
access-list 104 permit udp any host 1.1.1.1 eq non500-isakmp
access-list 104 permit udp any host 1.1.1.1 eq isakmp
access-list 104 permit esp any host 1.1.1.1
access-list 104 permit ahp any host 1.1.1.1
access-list 104 permit gre any host 1.1.1.1
access-list 104 permit icmp any any
access-list 104 deny   ip 10.128.52.0 0.0.0.255 any
access-list 104 deny   ip 10.0.0.0 0.0.0.255 any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 deny   ip 10.255.0.0 0.0.255.255 any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
!
access-list 120 deny   ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 120 deny   ip 10.128.52.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 120 deny   ip 10.0.0.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 120 deny   ip 192.168.1.0 0.0.0.255 10.128.80.0 0.0.0.255
access-list 120 deny   ip 10.128.52.0 0.0.0.255 10.128.80.0 0.0.0.255
access-list 120 deny   ip 10.0.0.0 0.0.0.255 10.128.80.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.6 any
access-list 120 permit ip 10.128.52.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 121 permit ip 10.128.52.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 121 permit ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 121 permit ip 10.0.0.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 121 permit ip 10.0.0.0 0.255.255.255 10.254.52.0 0.0.0.255
!
access-list 122 permit ip 10.128.52.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 122 permit ip 10.0.0.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 122 permit ip 10.0.0.0 0.255.255.255 10.254.52.0 0.0.0.255
!
access-list 131 permit ip 10.0.0.0 0.255.255.255 10.254.52.0 0.0.0.255
access-list 131 permit ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
!
access-list 150 permit ip 10.128.52.0 0.0.0.255 10.128.80.0 0.0.0.255
!
route-map NAT permit 20
 match ip address 131
 set ip next-hop 10.2.2.3
!
route-map OutboundNAT permit 40
 match ip address 120
 set ip next-hop 10.1.2.2
!
route-map vpnaccess permit 10
 match ip address 122
 set ip next-hop 10.1.1.2

theletterEAsked:
CyberwrathCommented:
What is the source IP address of your ping, i.e. where is it coming from?

As a side note, give some thought to an encryption mechanism other than 3DES; there are so many more secure options, just my .02.

Thank you!
MRowan75Commented:
Is the 10.128.52.0 subnet within the SonicWALL? If so, check the Interface Settings (Go to Network->Interface) that the subnet is sitting on and ensure that "Ping" is checked/enabled.
theletterEAuthor Commented:
On the SonicWALL, the source IP is 10.128.80.1; on the 2811 the source IP is 10.128.52.1.  I have confirmed that the SonicWALL interface settings have ping enabled.
MRowan75Commented:
We have noticed in the past that in addition to enabling ping on the interface settings, you also need a firewall rule allowing ping to the management IP. Should look something like VPN>LAN>Allow>Ping>X0 Management IP.
theletterEAuthor Commented:
The SonicWALL configuration is sound. The issue is the Cisco configuration.  Note that I cannot ping the Cisco network (aside from interface IP) from the SonicWALL.
theletterEAuthor Commented:
Discovered the issue was simply that I was pinging from the Cisco exec shell.  When pinging from another host on the network, it works just fine.  Needed the correct source IP.
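The resolution above comes down to which source address the router puts on a ping it originates. With no `source` keyword, IOS uses the address of the egress interface, which for 10.128.80.0/24 is the WAN side (GigabitEthernet0/0, 1.1.1.1), so the packet never matches crypto ACL 150 (10.128.52.0/24 to 10.128.80.0/24), is never treated as interesting traffic for `crypto map dynmap 5`, and leaves in the clear. Only a packet sourced from 10.128.52.0/24 matches, and the same flow is also excluded from NAT by the `deny` lines of ACL 120 behind route-map OutboundNAT. The following Python is an added example, not code from the original post: it models Cisco wildcard-mask ACL evaluation (first match wins, implicit deny at the end) and loads ACL 150 and ACL 120 as they appear in the posted config. The assumption that the exec ping is sourced from 1.1.1.1, and the LAN host 10.128.52.10 used below, are illustrative and not taken from the thread.

```python
"""
Model of Cisco IOS wildcard-mask ACL evaluation, applied to ACL 150 (crypto ACL)
and ACL 120 (NAT route-map match list) from the posted 2811 config.

Added example, not code from the original post. Assumption: a ping typed at the
router exec prompt with no 'source' keyword is sourced from the egress interface
address, here 1.1.1.1 on Gi0/0.
"""
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


# Entries are (action, src_base, src_wildcard, dst_base, dst_wildcard).
# All lines in the posted ACLs are 'ip', so the protocol field is not modelled.
ANY = ("0.0.0.0", "255.255.255.255")

# access-list 150: interesting traffic for 'crypto map dynmap 5' (the L2L to the SonicWALL)
ACL_150 = [
    ("permit", "10.128.52.0", "0.0.0.255", "10.128.80.0", "0.0.0.255"),
]

# access-list 120: matched by route-map OutboundNAT; 'deny' here means exempt from NAT
ACL_120 = [
    ("deny", "192.168.1.0", "0.0.0.255", "10.254.52.0", "0.0.0.255"),
    ("deny", "10.128.52.0", "0.0.0.255", "10.254.52.0", "0.0.0.255"),
    ("deny", "10.0.0.0", "0.0.0.255", "10.254.52.0", "0.0.0.255"),
    ("deny", "192.168.1.0", "0.0.0.255", "10.128.80.0", "0.0.0.255"),
    ("deny", "10.128.52.0", "0.0.0.255", "10.128.80.0", "0.0.0.255"),
    ("deny", "10.0.0.0", "0.0.0.255", "10.128.80.0", "0.0.0.255"),
    ("deny", "192.168.1.6", "0.0.0.0", *ANY),
    ("permit", "10.128.52.0", "0.0.0.255", *ANY),
    ("permit", "10.0.0.0", "0.0.0.255", *ANY),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation with the implicit 'deny any any' at the end."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def classify_flow(src: str, dst: str) -> dict:
    """Will this src->dst packet be encrypted by the L2L crypto map, and will it be NATted?"""
    return {
        # permit in the crypto ACL = interesting traffic, goes through the IPsec SA
        "encrypted": acl_action(ACL_150, src, dst) == "permit",
        # permit in the route-map ACL = route-map matches, so NAT overload applies
        "natted": acl_action(ACL_120, src, dst) == "permit",
    }


if __name__ == "__main__":
    cases = [
        ("1.1.1.1", "10.128.80.1", "exec ping, no 'source' keyword (assumed WAN source)"),
        ("10.128.52.1", "10.128.80.1", "exec ping with 'source 10.128.52.1'"),
        ("10.128.52.10", "10.128.80.1", "ping from a LAN host (constructed address)"),
        ("10.128.52.10", "8.8.8.8", "LAN host to the Internet"),
    ]
    for src, dst, label in cases:
        print(f"{src:>13} -> {dst:<13} {classify_flow(src, dst)}  # {label}")
```

On the router itself the equivalent check is `ping 10.128.80.1 source 10.128.52.1` (or `source GigabitEthernet0/1`); if that works while a plain `ping 10.128.80.1` does not, the crypto ACL is doing exactly what it is written to do. `show crypto ipsec sa` should then show the encaps and decaps counters for the 10.128.52.0/24 to 10.128.80.0/24 SA increasing.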
theletterEAuthor Commented:
Further research yielded the answer.