Solved

Cisco LAN to LAN IPSec coexisting with DMVPN, need ACL help

Posted on 2012-03-28
7
1,334 Views
Last Modified: 2012-04-02
We have an existing DMVPN hub and spoke arrangement with 2811 and 1811 hardware.  We need to add an additional IPSec VPN to a SonicWALL, which means I cannot use the DMVPN configuration.  In addition, the SonicWALL WAN IP is dynamic.

I've used the guide here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008032cd24.shtml
to help build a config.

Status: the VPN establishes.  I can ping the Cisco 2811 inside interface IP from the SonicWALL, but I cannot ping any other device on the 10.128.52.0 network.  From the 2811, I cannot ping the SonicWALL interface IP.

I have a feeling this is ACL-related, but cannot finger the missing or offending statements.  Would very much appreciate some help.

hostname host
!
no ip source-route
!
! 
crypto keyring DMVPN
 pre-shared-key address 0.0.0.0 0.0.0.0 key dmvpnkey
!
crypto keyring L2LKEY
 pre-shared-key hostname esecvpn.dyndns.org key l2lkey
 
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!

crypto isakmp client configuration group EXISTINGCLIENTGROUP
 key EXISTINGCLIENTGROUPKEY
 pool dynpool
 acl 121
crypto isakmp profile EXISTINGCLIENTGROUPPROFILE
   match identity group EXISTINGCLIENTGROUP
   client authentication list local_authen
   isakmp authorization list local_author
   client configuration address initiate
   client configuration address respond
!
crypto isakmp profile DMVPNPRF
   keyring DMVPN
   match identity address 0.0.0.0
!
crypto isakmp profile L2LPRF
   keyring L2LKEY
   match identity host esecvpn.dyndns.org
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA1 
 set isakmp-profile DMVPNPRF
!
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA1 
 set isakmp-profile EXISTINGCLIENTGROUPPROFILE
 reverse-route
!
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap 
!
crypto map dynmap 5 ipsec-isakmp
 set peer esecvpn.dyndns.org dynamic default
 set transform-set ESP-3DES-SHA1
 set isakmp-profile L2LPRF
 match address 150
 reverse-route
!
!
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.1.2.1 255.255.255.0
!
interface Loopback3
 description OutboundNAT2 loopback Interface
 ip address 10.1.3.1 255.255.255.0
!
interface Loopback10
 ip address 10.2.2.2 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 10.255.52.1 255.255.0.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile2
!
interface Tunnel1
 bandwidth 900
 ip address 10.253.52.1 255.255.0.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100001
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source Vlan3
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile SDM_Profile2
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_OUTSIDE$
 ip address 1.1.1.1 255.255.255.250
 ip access-group 104 in
 ip access-group test out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map dynmap
!
interface GigabitEthernet0/1
 description $FW_INSIDE$$ETH-LAN$
 ip address 10.128.52.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map NAT
 duplex auto
 speed auto
 no mop enabled
!

interface Group-Async0
 physical-layer async
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 ip route-cache flow
 no group-range
!
router eigrp 100
 redistribute static
 passive-interface GigabitEthernet0/1
 passive-interface Vlan1
 passive-interface Vlan2
 network 10.0.0.0 0.0.0.255
 network 10.128.52.0 0.0.0.255
 network 10.253.52.0 0.0.0.255
 network 10.255.52.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip local pool dynpool 10.254.52.1 10.254.52.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 123
!
ip nat inside source route-map OutboundNAT interface GigabitEthernet0/0 overload
!
ip access-list extended test
 permit ip 10.128.52.0 0.0.0.255 any log
 permit ip 1.1.1.0 0.0.0.255 any
!
access-list 104 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 104 permit udp host 192.43.244.18 eq ntp host 1.1.1.1 eq ntp
access-list 104 permit udp any host 1.1.1.1 eq non500-isakmp
access-list 104 permit udp any host 1.1.1.1 eq isakmp
access-list 104 permit esp any host 1.1.1.1
access-list 104 permit ahp any host 1.1.1.1
access-list 104 permit gre any host 1.1.1.1
access-list 104 permit icmp any any
access-list 104 deny   ip 10.128.52.0 0.0.0.255 any
access-list 104 deny   ip 10.0.0.0 0.0.0.255 any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 deny   ip 10.255.0.0 0.0.255.255 any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
!
access-list 120 deny   ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 120 deny   ip 10.128.52.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 120 deny   ip 10.0.0.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 120 deny   ip 192.168.1.0 0.0.0.255 10.128.80.0 0.0.0.255
access-list 120 deny   ip 10.128.52.0 0.0.0.255 10.128.80.0 0.0.0.255
access-list 120 deny   ip 10.0.0.0 0.0.0.255 10.128.80.0 0.0.0.255
access-list 120 deny   ip host 192.168.1.6 any
access-list 120 permit ip 10.128.52.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 121 permit ip 10.128.52.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 121 permit ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 121 permit ip 10.0.0.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 121 permit ip 10.0.0.0 0.255.255.255 10.254.52.0 0.0.0.255
!
access-list 122 permit ip 10.128.52.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 122 permit ip 10.0.0.0 0.0.0.255 10.254.52.0 0.0.0.255
access-list 122 permit ip 10.0.0.0 0.255.255.255 10.254.52.0 0.0.0.255
!
access-list 131 permit ip 10.0.0.0 0.255.255.255 10.254.52.0 0.0.0.255
access-list 131 permit ip 192.168.1.0 0.0.0.255 10.254.52.0 0.0.0.255
!
access-list 150 permit ip 10.128.52.0 0.0.0.255 10.128.80.0 0.0.0.255
!
route-map NAT permit 20
 match ip address 131
 set ip next-hop 10.2.2.3
!
route-map OutboundNAT permit 40
 match ip address 120
 set ip next-hop 10.1.2.2
!
route-map vpnaccess permit 10
 match ip address 122
 set ip next-hop 10.1.1.2

Question by:theletterE
7 Comments
 

Expert Comment

by:Cyberwrath
ID: 37776015
What is the source IP Address of your ping e.g. where is it coming from?

As a side note, give some thought to an encryption mechanism other than 3DES; there are so many more secure options, just my .02.

Thank you!
0
 
LVL 1

Expert Comment

by:MRowan75
ID: 37776388
Is the 10.128.52.0 subnet within the SonicWALL? If so, check the Interface Settings (Go to Network->Interface) that the subnet is sitting on and ensure that "Ping" is checked/enabled.
0
 
LVL 2

Author Comment

by:theletterE
ID: 37777572
On the SonicWALL, the source IP is 10.128.80.1; on the 2811 the source IP is 10.128.52.1.  I have confirmed that the SonicWALL interface settings have ping enabled.
0

 
LVL 1

Expert Comment

by:MRowan75
ID: 37777603
We have noticed in the past that in addition to enabling ping on the interface settings, you also need a firewall rule allowing ping to the management IP. Should look something like VPN>LAN>Allow>Ping>X0 Management IP.
0
 
LVL 2

Author Comment

by:theletterE
ID: 37777655
The SonicWALL configuration is sound. The issue is the Cisco configuration.  Note that I cannot ping the Cisco network (aside from interface IP) from the SonicWALL.
0
 
LVL 2

Accepted Solution

by:
theletterE earned 0 total points
ID: 37778834
Discovered the issue was simply that I was pinging from the Cisco exec shell.  When pinging from another host on the network, it works just fine.  Needed the correct source IP.
0
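The accepted solution comes down to crypto ACL matching: the crypto map on GigabitEthernet0/0 only encrypts traffic that matches access-list 150 (10.128.52.0/24 to 10.128.80.0/24), and an IOS ping issued from the exec shell without a source keyword is sourced from the egress interface address, here 1.1.1.1, which is outside that ACL. The following added example, not code from the thread or from Cisco, is a small evaluator for IOS numbered ACL lines that uses the question's own ACL 150 and ACL 104 text to show which ping sources the crypto map treats as interesting traffic and what the inbound ACL on Gi0/0 does with IKE, NAT-T and ESP. The packet tuples and the 203.0.113.9 peer address are constructed for the example; the wildcard handling assumes contiguous wildcard masks, which is all the page's ACLs use.

```python
"""Added example: evaluate Cisco IOS numbered ACL lines against packet tuples.
The ACL text is copied from the question; packets and the 203.0.113.9 peer
address are constructed for this example."""
import ipaddress

# IOS port keywords that appear in the page's ACLs.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123}

# Subset of the router's ACLs, copied from the question (ACL 104 is applied
# inbound on Gi0/0; ACL 150 is the crypto map's "match address" ACL).
CONFIG = """
access-list 104 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 104 permit udp host 192.43.244.18 eq ntp host 1.1.1.1 eq ntp
access-list 104 permit udp any host 1.1.1.1 eq non500-isakmp
access-list 104 permit udp any host 1.1.1.1 eq isakmp
access-list 104 permit esp any host 1.1.1.1
access-list 104 permit ahp any host 1.1.1.1
access-list 104 permit gre any host 1.1.1.1
access-list 104 permit icmp any any
access-list 104 deny   ip 10.128.52.0 0.0.0.255 any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip any any log
access-list 150 permit ip 10.128.52.0 0.0.0.255 10.128.80.0 0.0.0.255
"""


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    # A contiguous wildcard is the inverted subnet mask (assumption for this example).
    prefix = bin(~wildcard & 0xFFFFFFFF).count("1")
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier and return the port number."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        return PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return None


def parse_acls(text):
    """Return {acl_number: [ace, ...]} from 'access-list N permit|deny ...' lines."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
        src, sport = _parse_addr(rest), _parse_port(rest)
        dst, dport = _parse_addr(rest), _parse_port(rest)
        acls.setdefault(number, []).append(
            {"action": action, "proto": proto, "src": src, "sport": sport,
             "dst": dst, "dport": dport, "log": "log" in rest})
    return acls


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """First-match evaluation; no match on any ACE is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, ace in enumerate(aces):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], index
    return "deny", None


ACLS = parse_acls(CONFIG)


def ping_is_interesting(src, dst="10.128.80.1"):
    """Does an ICMP echo from src to the SonicWALL LAN match crypto ACL 150,
    i.e. will the crypto map encrypt it instead of forwarding it in the clear?"""
    return evaluate(ACLS["150"], "icmp", src, dst)[0] == "permit"


def outside_acl_allows(proto, src, dst="1.1.1.1", dport=None):
    """Does inbound ACL 104 on Gi0/0 admit this packet?"""
    return evaluate(ACLS["104"], proto, src, dst, dport=dport)[0] == "permit"


if __name__ == "__main__":
    # Exec-shell ping with no 'source': IOS sources it from the egress
    # interface address (1.1.1.1 on Gi0/0), which crypto ACL 150 never matches.
    print("ping from 1.1.1.1      ->", ping_is_interesting("1.1.1.1"))       # False
    # Sourced from the inside interface or a LAN host, the same ping is encrypted.
    print("ping from 10.128.52.1  ->", ping_is_interesting("10.128.52.1"))   # True
    print("ping from 10.128.52.25 ->", ping_is_interesting("10.128.52.25"))  # True
    # IKE, NAT-T and ESP from the dynamic SonicWALL address reach the router.
    print("isakmp ->", outside_acl_allows("udp", "203.0.113.9", dport=500))  # True
    print("esp    ->", outside_acl_allows("esp", "203.0.113.9"))             # True
    # Anti-spoofing: the inside prefix arriving on the outside is dropped.
    print("spoof  ->", outside_acl_allows("ip", "10.128.52.7"))              # False
```

On the router itself the equivalent fix is to source the test from the inside interface, for example `ping 10.128.80.1 source GigabitEthernet0/1`, so that the echo falls inside ACL 150. The evaluator also makes an ordering caveat in the page's ACL 104 visible: `permit icmp any any` sits above the anti-spoofing denies, so ICMP carrying an inside source address is admitted on the outside interface even though IP in general from that prefix is denied; moving the deny lines above the ICMP permit would close that gap.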
 
LVL 2

Author Closing Comment

by:theletterE
ID: 37795171
Further research yielded the answer.
0
