07-25-2014 02:27 AM - edited 03-04-2019 11:25 PM
Hi Guys,
I have set up a site-to-site VPN and have the tunnel up, but cannot get any network traffic over the link. Please see the config below. One site is running a Cisco 887 and the other has a SonicWall TZ210.
I have come on to this site after a previous tech, and I am thinking about restoring and starting again, but thought I would try here first to see if anyone had a solution.
Current configuration : 15446 bytes
!
! Last configuration change at 17:45:59 Brisban Fri Jul 25 2014 by churup
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 $1$UzhZ$QGXl2Bw33geYjzDtkjVaz1
!
no aaa new-model
memory-size iomem 10
clock timezone Brisban 10 0
!
!
!
!
!
!
!
!
ip domain name
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip ddns update method ccp_ddns1
DDNS both
!
ip ddns update method ccp_ddns2
DDNS both
!
ip cef
no ipv6 cef
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
!
license udi pid CISCO887VA-K9 sn FGL181525KJ
!
!
!
shutdown vlan 2
username churup privilege 15 secret 5 $1$VrG/$b.i32gNpcFG0rGHPbHScs/
!
!
!
!
!
controller VDSL 0
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 106
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
match access-group 108
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
match access-group 109
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any sdm-service-ccp-inspect-1
match protocol http
match protocol https
match protocol microsoft-ds
match protocol ms-sql
match protocol ms-sql-m
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
!
policy-map type inspect sdm-permit-gre
class type inspect SDM_GRE
pass
class class-default
drop log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class type inspect sdm-cls-VPNOutsideToInside-4
pass
class type inspect sdm-cls-VPNOutsideToInside-5
pass
class type inspect sdm-cls-VPNOutsideToInside-6
pass
class class-default
drop
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security out-zone
zone security in-zone
zone security gre-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-gre-in1 source gre-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-gre source out-zone destination gre-zone
service-policy type inspect sdm-permit-gre
zone-pair security sdm-zp-in-gre1 source in-zone destination gre-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-gre-out source gre-zone destination out-zone
service-policy type inspect sdm-permit-gre
!
!
crypto isakmp policy 15
encr 3des
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key password address 1.1.1.2
!
!
crypto ipsec transform-set pscc esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map topscc 15 ipsec-isakmp
set peer 1.1.1.2
set transform-set pscc
match address 101
!
!
!
!
!
interface Tunnel0
ip address 192.168.54.40 255.255.255.0
ip mtu 1372
zone-member security gre-zone
tunnel source Dialer1
tunnel destination 1.1.1.2
tunnel path-mtu-discovery
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
zone-member security out-zone
no atm ilmi-keepalive
!
interface ATM0.2 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 3
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 172.10.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Vlan3
ip address 192.168.1.40 255.255.255.0
zone-member security in-zone
!
interface Dialer1
description $FW_OUTSIDE$
ip ddns update ccp_ddns2
ip address 4.4.4.2 255.255.255.0
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname user
ppp chap password 0 password
crypto map topscc
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server view-group view-list
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_IP
remark CCP_ACL Category=0
permit ip any any
!
ip sla auto discovery
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.10.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.54.0 0.0.0.255 any
access-list 100 permit ip 120.150.241.0 0.0.0.255 any
access-list 101 permit ip 172.10.0.0 0.0.255.255 192.168.54.0 0.0.0.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 110.142.140.186 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 192.168.54.0 0.0.0.255 172.10.0.0 0.0.255.255
access-list 104 remark CCP_ACL Category=2
access-list 104 permit ip 172.10.0.0 0.0.255.255 any
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip 192.168.54.0 0.0.0.255 172.10.0.0 0.0.255.255
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip 192.168.54.0 0.0.0.255 172.10.0.0 0.0.255.255
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip 192.168.54.0 0.0.0.255 172.10.0.0 0.0.255.255
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip host 192.168.54.9 172.10.0.0 0.0.255.255
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip 192.0.0.0 0.255.255.255 172.10.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
route-map static-vpn permit 10
match ip address 101
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input telnet
!
!
end
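An added example (not the poster's configuration or code): a small Python audit that pulls the crypto-map chain out of the config above (peer, crypto ACL, the proxy IDs it offers, the interface it is bound to) and checks one well-known interaction that leaves a tunnel up but empty: an inside-source NAT rule whose ACL covers the same traffic as the crypto ACL. Assumptions: the excerpt is re-indented the way IOS prints it (the forum copy lost its indentation), only numbered ACLs are resolved, and treating the first overlapping NAT line as decisive is my approximation of per-packet ACL matching.

```python
"""Audit the IPsec crypto-map chain of an IOS config and flag crypto-ACL traffic
that an inside-source NAT rule would translate first. Added example, not the post's code."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Excerpt of the configuration posted above, re-indented the way IOS prints it.
CONFIG = """\
crypto map topscc 15 ipsec-isakmp
 set peer 1.1.1.2
 match address 101
interface Dialer1
 ip address 4.4.4.2 255.255.255.0
 crypto map topscc
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
access-list 101 permit ip 172.10.0.0 0.0.255.255 192.168.54.0 0.0.0.255
access-list 104 permit ip 172.10.0.0 0.0.255.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 104
"""

Entry = Tuple[str, str, str, str]  # (action, protocol, source CIDR, destination CIDR)

def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split into (header, indented sub-lines) blocks; '!' separators are dropped."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def _addr(t: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' from an ACL line; return CIDR and next index."""
    if t[i] == "any":
        return "0.0.0.0/0", i + 1
    if t[i] == "host":
        return f"{t[i + 1]}/32", i + 2
    # ipaddress accepts a wildcard (hostmask) where a netmask would go
    return str(ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)), i + 2

def parse_acl(config: str, number: str) -> List[Entry]:
    """Entries of a numbered extended ACL, in order; remark lines are skipped."""
    entries: List[Entry] = []
    for header, _ in parse_blocks(config):
        t = header.split()
        if t[:2] == ["access-list", number] and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            entries.append((t[2], t[3], src, dst))
    return entries

def crypto_map_summary(config: str) -> Dict[str, dict]:
    """Per crypto map: peer, crypto ACL, its permit entries (the phase 2 proxy IDs), interfaces."""
    blocks = parse_blocks(config)
    maps: Dict[str, dict] = {}
    for header, body in blocks:
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", header)
        if not m:
            continue
        entry = {"peer": None, "acl": None, "proxy_ids": [], "applied_on": []}
        for t in (line.split() for line in body):
            if t[:2] == ["set", "peer"]:
                entry["peer"] = t[2]
            elif t[:2] == ["match", "address"]:
                entry["acl"] = t[2]
                entry["proxy_ids"] = [e for e in parse_acl(config, t[2]) if e[0] == "permit"]
        maps[m.group(1)] = entry
    for header, body in blocks:  # interfaces that carry each crypto map
        for t in (line.split() for line in body):
            if header.startswith("interface ") and t[:2] == ["crypto", "map"] and t[2] in maps:
                maps[t[2]]["applied_on"].append(header.split()[1])
    return maps

def nat_overlap(config: str) -> List[Tuple[Entry, Entry]]:
    """(crypto entry, NAT entry) pairs where inside-source NAT would translate VPN traffic.
    IOS applies inside-to-outside NAT before consulting the crypto map, so such traffic
    leaves translated and no longer matches the proxy IDs; a 'deny' ahead of the permit
    in the NAT ACL is the usual exemption."""
    blocks = parse_blocks(config)
    nat_entries: List[Entry] = []
    for header, _ in blocks:
        m = re.match(r"ip nat inside source (list|route-map) (\S+)", header)
        if m and m.group(1) == "list":
            nat_entries += parse_acl(config, m.group(2))
        elif m:  # resolve the route-map's 'match ip address' ACLs
            for h, body in blocks:
                if h.startswith(f"route-map {m.group(2)} "):
                    for t in (line.split() for line in body):
                        if t[:3] == ["match", "ip", "address"]:
                            nat_entries += parse_acl(config, t[3])
    net = ipaddress.ip_network
    flagged: List[Tuple[Entry, Entry]] = []
    for cm in crypto_map_summary(config).values():
        for p in cm["proxy_ids"]:
            for n in nat_entries:  # first overlapping NAT line decides, as on the router
                if net(p[2]).overlaps(net(n[2])) and net(p[3]).overlaps(net(n[3])):
                    if n[0] == "permit":
                        flagged.append((p, n))
                    break
    return flagged
```

On this excerpt it reports crypto map topscc bound to Dialer1 with peer 1.1.1.2 and proxy IDs 172.10.0.0/16 to 192.168.54.0/24, and that the NAT route-map's ACL 104 permits 172.10.0.0/16 to any with no deny for the 192.168.54.0/24 traffic ahead of it. Whether that is actually what is happening on the live router is something to confirm with the counters from the show commands in the reply; the SonicWall side should mirror the same two networks as its local and remote definitions.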
07-25-2014 10:41 AM
Hello.
First of all, you need to clarify whether your IPsec works fine.
To check it you may use "sh crypto isakmp sa" and "sh crypto ipsec sa".
If either of them is missing, it would mean that your tunnel is not up (or just missing interesting traffic).
Also, I see you use a complex ZBFW configuration. I would suggest removing it for test purposes.
PS: to troubleshoot IPsec you may try the command "debug crypto isakmp".
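To make the two show commands in the reply easier to read, here is an added example (not the replier's code) that parses the per-entry counters from "show crypto ipsec sa" and maps them onto the usual tunnel states: no phase 2 SA, SA up but idle, traffic encrypted one way only, or passing both ways. The captured output is constructed in the layout IOS prints, using the addresses from the post; the exact field layout is assumed to be the standard one.

```python
"""Classify a site-to-site tunnel's state from 'show crypto ipsec sa' output.
Added example; the captured output below is constructed, not taken from the post."""
import re
from typing import Dict, List

# Constructed sample in the layout IOS prints; addresses are the ones in the post.
SAMPLE = """\
interface: Dialer1
    Crypto map tag: topscc, local addr 4.4.4.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.10.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
   current_peer 1.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 212, #pkts encrypt: 212, #pkts digest: 212
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 4.4.4.2, remote crypto endpt.: 1.1.1.2
     current outbound spi: 0x1A2B3C4D(439041101)

     inbound esp sas:
      spi: 0x5E6F7A8B(1584429707)
        transform: esp-3des esp-md5-hmac ,
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-3des esp-md5-hmac ,
"""

ADVICE = {
    "no-sa": "phase 2 never completed: compare proxy IDs (local/remote networks), transform "
             "set and pre-shared key on both peers; 'debug crypto isakmp' shows which one fails",
    "idle": "SAs exist but nothing matched the crypto ACL: check routing toward the remote "
            "subnet and that NAT exempts the VPN traffic",
    "one-way-out": "we encrypt but nothing comes back: the peer's return route, its NAT, or "
                   "non-mirrored network definitions are the usual suspects",
    "one-way-in": "peer sends but we never reply: our route to the remote subnet, or NAT "
                  "translating the reply before encryption",
    "bidirectional": "IPsec carries traffic both ways: look at the firewall policy next",
}


def parse_ipsec_sa(output: str) -> List[Dict]:
    """One record per SA entry with proxy IDs, peer, counters and whether SPIs exist."""
    records: List[Dict] = []
    # every entry starts at its 'local  ident' line; the banner before it is skipped
    for chunk in re.split(r"(?=^\s*local\s+ident)", output, flags=re.M):
        m = re.search(r"local\s+ident \(addr/mask/prot/port\): \((\S+?)\)", chunk)
        if not m:
            continue
        rec: Dict = {"local": m.group(1)}
        rec["remote"] = re.search(r"remote ident \(addr/mask/prot/port\): \((\S+?)\)", chunk).group(1)
        rec["peer"] = re.search(r"current_peer (\S+)", chunk).group(1)
        for name in ("encaps", "decaps"):
            rec[name] = int(re.search(rf"#pkts {name}: (\d+)", chunk).group(1))
        for name in ("send", "recv"):
            rec[f"{name}_errors"] = int(re.search(rf"#{name} errors (\d+)", chunk).group(1))
        # an empty SA section prints the heading with no 'spi:' line directly under it
        rec["inbound_spi"] = bool(re.search(r"inbound esp sas:\s*\n\s*spi:", chunk))
        rec["outbound_spi"] = bool(re.search(r"outbound esp sas:\s*\n\s*spi:", chunk))
        records.append(rec)
    return records


def diagnose(rec: Dict) -> str:
    """Return the ADVICE key that matches this entry's SPIs and counters."""
    if not (rec["inbound_spi"] and rec["outbound_spi"]):
        return "no-sa"
    if rec["encaps"] == 0 and rec["decaps"] == 0:
        return "idle"
    if rec["decaps"] == 0:
        return "one-way-out"
    if rec["encaps"] == 0:
        return "one-way-in"
    return "bidirectional"


if __name__ == "__main__":
    for rec in parse_ipsec_sa(SAMPLE):
        code = diagnose(rec)
        print(f"{rec['local']} -> {rec['remote']} via {rec['peer']}: {code}; {ADVICE[code]}")
```

The encaps/decaps pair is the quickest split between "the tunnel is broken" and "the tunnel works but something in front of or behind it is dropping traffic": with both SPIs present and encaps climbing while decaps stays at zero, phase 1 and 2 are fine and the problem is on the return path, which is exactly the case where stripping the ZBFW policy for a test, as the reply suggests, tells you whether the firewall or the far end is responsible.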