[c-nsp] 2621 to SonicWall VPN Trouble
Matt Hill
MattH at excom.com.au
Sun Apr 1 20:47:00 EDT 2007
Looks like your NAT ACL is getting in the way...
Make it extended and put a deny from 10.0.0.0/24 to 10.1.0.0/24 so that your VPN traffic doesn't get NATted first.
i.e.:
ip nat inside source list 150 interface FastEthernet0/0 overload
access-list 150 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 150 permit ip 10.0.0.0 0.0.0.255 any
Cheers,
Matt
Matt Hill
Technical Systems Instructor
EXCOM Education
Nth Lobby Gnd F 191 Pulteney St | Adelaide | SA | 5000
Tel: +61 8 8232 7706 | Fax: +61 8 8232 7707
Microsoft World Wide Certified Partner Learning Solutions Finalist 2006 | Novell Linux Centre of Excellence (APAC) | Citrix Authorised Learning Centre of the Year 2003 & 2004 (ANZ)
This electronic mail/facsimile contains information that is privileged and confidential, intended only for use of the individual(s) named or addresses listed. If you are not the intended recipient, any dissemination, copying or use of the information is strictly prohibited.
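The reply above rests on one IOS fact: on an inside-to-outside path the NAT translation is applied before the crypto map's `match address` ACL is evaluated, so any flow the NAT ACL permits is rewritten and then no longer matches the crypto ACL. The script below is an added example (not code from either message in this thread); it parses the NAT source list and the crypto match ACL out of an IOS config, reports crypto flows the NAT ACL would translate first, and also reports `ip nat inside` subnets the NAT ACL no longer permits at all. The embedded configs are constructed from the relevant lines of the posted 2621 config, first as posted and then with the access-list 150 change suggested in the reply. Assumptions: numbered standard/extended IP ACLs only (named ACLs are not parsed), contiguous wildcard masks, and IOS first-match ACL evaluation.

```python
"""Added example: check an IOS config for the NAT-before-crypto ordering problem.
IOS translates inside-to-outside traffic before the crypto map ACL is evaluated, so a
flow the NAT ACL permits is rewritten first and never matches the crypto ACL."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: Net
    dst: Net


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """'10.0.0.0 0.0.255.255' (IOS wildcard form) -> 10.0.0.0/16."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    assert mask == (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF, f"non-contiguous wildcard {wildcard}"
    return Net((int(ipaddress.IPv4Address(addr)) & mask, prefix))


def parse_address(t: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACL address term at t[i] (any | host A | A WILDCARD | A); return (net, next i)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return Net(t[i + 1] + "/32"), i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:  # "A WILDCARD"
        return wildcard_to_network(t[i], t[i + 1]), i + 2
    return Net(t[i] + "/32"), i + 1  # bare address (standard ACL shorthand for one host)


def parse_config(cfg: str):
    """Collect ACLs, NAT source lists, crypto 'match address' lists and 'ip nat inside' subnets."""
    acls: Dict[str, List[Ace]] = {}
    nat_lists, crypto_lists, inside_nets = [], [], []
    iface_addr: Optional[Net] = None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t == ["!"]:
            iface_addr = None  # '!' (or a blank line) ends an interface block
        elif t[0] == "access-list" and len(t) > 3 and t[2] in ("permit", "deny"):
            extended = 100 <= int(t[1]) <= 199 or 2000 <= int(t[1]) <= 2699
            src, i = parse_address(t, 4 if extended else 3)  # extended ACEs carry a protocol token
            dst = parse_address(t, i)[0] if extended else ANY
            acls.setdefault(t[1], []).append(Ace(t[2], src, dst))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_lists.append(t[5])
        elif t[:2] == ["match", "address"]:
            crypto_lists.append(t[2])
        elif t[:2] == ["ip", "address"] and len(t) == 4:
            iface_addr = Net((t[2], t[3]), strict=False)
        elif t == ["ip", "nat", "inside"] and iface_addr is not None:
            inside_nets.append(iface_addr)
    return acls, nat_lists, crypto_lists, inside_nets


def nat_before_crypto_findings(cfg: str) -> List[str]:
    """Return findings as strings; an empty list means the NAT and crypto ACLs do not collide."""
    acls, nat_lists, crypto_lists, inside_nets = parse_config(cfg)
    out: List[str] = []
    for n in nat_lists:
        nat_acl = acls.get(n, [])
        for c in crypto_lists:
            for ace in acls.get(c, []):
                if ace.action != "permit":
                    continue
                # IOS first-match: the first NAT ACE whose address space overlaps the crypto flow
                hit = next((a for a in nat_acl if a.src.overlaps(ace.src) and a.dst.overlaps(ace.dst)), None)
                if hit is None or (hit.action == "deny" and hit.src.supernet_of(ace.src)
                                   and hit.dst.supernet_of(ace.dst)):
                    continue  # implicit deny, or an explicit deny covering the whole flow: correct
                what = "translates" if hit.action == "permit" else "only partly excludes"
                out.append(f"NAT list {n} ({hit.action} {hit.src} -> {hit.dst}) {what} "
                           f"crypto ACL {c} traffic {ace.src} -> {ace.dst} before the crypto map sees it")
        for net in inside_nets:  # an inside subnet with no permit at all is silently left un-NATted
            if not any(a.action == "permit" and a.src.overlaps(net) for a in nat_acl):
                out.append(f"ip nat inside subnet {net} is not permitted by NAT list {n}")
    return out


# Constructed from the relevant lines of the 2621 config posted in this thread.
COMMON = """\
interface FastEthernet0/1.1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.101
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
crypto map sonicwalmap 10 ipsec-isakmp
 match address 120
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
"""
POSTED = COMMON + ("ip nat inside source list 1 interface FastEthernet0/0 overload\n"
                   "access-list 1 permit 10.0.0.0 0.0.255.255\n")
FIXED = COMMON + ("ip nat inside source list 150 interface FastEthernet0/0 overload\n"
                  "access-list 150 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255\n"
                  "access-list 150 permit ip 10.0.0.0 0.0.0.255 any\n")
```

`nat_before_crypto_findings(POSTED)` reports that list 1 (10.0.0.0/16 to anywhere) translates the 10.0.0.0/24 to 10.1.0.0/24 traffic that ACL 120 is supposed to hand to the crypto map, which matches the symptom in the original post (decaps counting up, encaps stuck at zero). With `FIXED` that finding disappears, but the second check reports that 10.0.1.0/24 (FastEthernet0/1.101, also `ip nat inside`) is no longer permitted by list 150, so a permit for that subnet needs adding after the deny before the change goes in.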
________________________________
From: cisco-nsp-bounces at puck.nether.net on behalf of Seth Mattinen
Sent: Mon 2/04/2007 09:19
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 2621 to SonicWall VPN Trouble
I've been having some trouble getting a VPN between a 2600 and a SonicWall
working. The 2600 has 10.0.0.0/24 behind it, the SonicWall has
10.1.0.0/24 behind it. The 2621 is running c2600-jk8o3s-mz.122-10a.bin
and both ends are in DES mode. The VPN appears to come up fine, but no
traffic passes. Any ideas?
tanager#show crypto map
Crypto Map "sonicwalmap" 10 ipsec-isakmp
Description: vpn tunnel to sonicwall firewall
Peer = 207.228.13.226
Extended IP access list 120
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
Current peer: 207.228.13.226
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ sonicwal, }
Interfaces using crypto map sonicwalmap:
FastEthernet0/0
tanager#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: sonicwalmap, local addr. 68.190.179.54
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
current_peer: 207.228.13.226
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 6954, #pkts decrypt: 6954, #pkts verify 6954
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 68.190.179.54, remote crypto endpt.: 207.228.13.226
path mtu 1500, media mtu 1500
current outbound spi: E2C6A7F1
inbound esp sas:
spi: 0x29380156(691536214)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2002, flow_id: 3, crypto map: sonicwalmap
sa timing: remaining key lifetime (k/sec): (4607932/39)
IV size: 8 bytes
replay detection support: Y
spi: 0x28893C27(680082471)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2004, flow_id: 5, crypto map: sonicwalmap
sa timing: remaining key lifetime (k/sec): (4607982/28677)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x26A0B2B4(648065716)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2003, flow_id: 4, crypto map: sonicwalmap
sa timing: remaining key lifetime (k/sec): (4608000/39)
IV size: 8 bytes
replay detection support: Y
spi: 0xE2C6A7F1(3804669937)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2005, flow_id: 6, crypto map: sonicwalmap
sa timing: remaining key lifetime (k/sec): (4608000/28674)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
2621 Config:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname tanager
!
aaa new-model
enable secret 5 qwertyuiop
!
username admin password 7 qwertyuiop
ip subnet-zero
!
!
ip domain-name tanager.net
!
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 5
!
class-map match-all voice
match access-group 104
!
!
policy-map QoS
class voice
priority 512
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key myfancykey address 207.228.13.226
!
!
crypto ipsec transform-set sonicwal esp-des esp-md5-hmac
!
crypto map sonicwalmap 10 ipsec-isakmp
description vpn tunnel to sonicwall firewall
set peer 207.228.13.226
set security-association lifetime seconds 28800
set transform-set sonicwal
match address 120
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 68.190.179.54 255.255.255.248
ip nat outside
speed 100
full-duplex
crypto map sonicwalmap
!
interface Serial0/0
ip unnumbered FastEthernet0/0
ip nat outside
no ip mroute-cache
no fair-queue
!
interface FastEthernet0/1
no ip address
ip route-cache flow
duplex auto
speed 100
!
interface FastEthernet0/1.1
description main office
encapsulation isl 1
ip address 10.0.0.1 255.255.255.0
ip access-group 1 in
no ip redirects
ip nat inside
!
interface FastEthernet0/1.101
description roffice
encapsulation isl 101
ip address 10.0.1.1 255.255.255.0
ip helper-address 10.0.0.64
no ip redirects
ip nat inside
!
interface FastEthernet0/1.103
description phones
encapsulation isl 103
ip address 10.0.3.1 255.255.255.0
no ip redirects
!
interface FastEthernet0/1.104
description roffice phones
encapsulation isl 104
ip address 10.0.4.1 255.255.255.0
no ip redirects
!
interface Serial0/1
ip unnumbered FastEthernet0/0
ip nat inside
encapsulation ppp
no ip mroute-cache
service-policy output QoS
compress stac
service-module t1 clock source internal
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.64 25 interface FastEthernet0/0 25
ip nat inside source static tcp 10.0.0.64 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.0.0.64 1723 interface FastEthernet0/0 1723
ip nat inside source static tcp 10.0.0.125 3389 interface FastEthernet0/0 3389
ip classless
ip route 0.0.0.0 0.0.0.0 68.190.179.49
no ip http server
ip pim bidir-enable
!
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 104 permit tcp any any eq 3456
access-list 104 permit udp any any eq 3456
access-list 104 permit tcp any any eq 50000
access-list 104 permit udp any any eq 50000
access-list 104 permit tcp any any eq 51216
access-list 104 permit udp any any eq 51216
access-list 104 permit tcp any any range 1025 1039
access-list 104 permit udp any any range 1025 1039
access-list 104 permit tcp any any eq 60000
access-list 104 permit udp any any eq 60000
access-list 104 permit tcp any any eq 60030
access-list 104 permit udp any any eq 60030
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
--
sethm at rollernet.us
Ne cede malis sed contra audentior ito
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/