Help getting Cisco Router to Connect to the internet, issue DHCP, and activate VLAN.

ForsakenZombi
Level 1

Hey everyone,

I have spent over 4 days trying to get this to work. I have been on the Spiceworks forum and it's apparent they don't know how to help, because the issues that did get resolved in those 4 days were resolved by me, a straight Cisco newb. It started with me needing to bring home a Cisco router and get it to do a site-to-site VPN with the new SonicWall I have at work, but sadly after 4 days I have yet to even get it to connect to the internet properly. At first it would not pull an IP address from my ISP, but I was able to resolve that with "permit udp any eq bootps any eq bootpc" and "ip tcp adjust-mss 1460" (which I am not sure I even need with Comcast), then rebooted the modem and the router and BAM, finally it pulled a DHCP IP address from my ISP. Sadly, however, still no internet. Below is my config, ip interface, show ip route, and various ping and NAT translation tests (IP address is XXX'd out for security). Please help me, I am at my wits' end with this thing. (It's a Cisco 881.) (You can ignore the VPN stuff, I haven't been able to use or test that yet.)

Labrouter#show run
Building configuration...

Current configuration : 2658 bytes
!
! Last configuration change at 16:33:36 SUMMER Thu Oct 1 2015
! NVRAM config last updated at 16:02:24 SUMMER Thu Oct 1 2015
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Labrouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$VVP3$S54zJ7vK9sYUDlDnruCZm.
enable password XXXXXXXX
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone EST -5
clock summer-time SUMMER recurring
!
!
ip source-route
!
!
ip dhcp excluded-address 192.168.90.1 192.168.90.50
!
ip dhcp pool LAN1
   import all
   network 192.168.90.0 255.255.255.0
   default-router 192.168.90.1
   dns-server 8.8.8.8
   lease 7
!
!
ip cef
no ip domain lookup
ip multicast-routing
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX155382K0
!
!
vtp mode transparent
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key XXXXXXXX address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set Chris-Home esp-3des esp-sha-hmac
!
crypto map cisco_1_to_sonicwall_1 10 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set Chris-Home
 match address 102
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 10
 spanning-tree portfast
 !
!
interface FastEthernet1
 switchport access vlan 10
 spanning-tree portfast
 !
!
interface FastEthernet2
 switchport access vlan 10
 spanning-tree portfast
 !
!
interface FastEthernet3
 no cdp enable
 spanning-tree portfast
 !
!
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
 !
!
interface Vlan1
 description LAN
 ip address dhcp
 !
!
interface Vlan10
 description LAN
 ip address 192.168.90.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip access-list extended NAT
 permit ip 192.168.90.0 0.0.0.255 any
 permit udp any eq bootps any eq bootpc
 permit icmp any any
ip access-list extended VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.90.0 0.0.0.255
!
access-list 101 permit ip 192.168.90.0 0.0.0.255 any
access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
!
!
control-plane
 !
!
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 password XXXXXXXX
 transport preferred ssh
 transport input ssh
!
scheduler max-task-time 5000
end

Labrouter#sho ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
FastEthernet4              98.231.XXX.XXX  YES DHCP   up                    up
NVI0                       unassigned      YES unset  administratively down down
Vlan1                      unassigned      YES NVRAM  down                  down
Vlan10                     192.168.90.1    YES NVRAM  down                  down
Labrouter#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, FastEthernet4
      76.0.0.0/32 is subnetted, 1 subnets
S        76.96.92.132 [254/0] via 98.231.XX.X, FastEthernet4
      98.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        98.231.XX.X/21 is directly connected, FastEthernet4
L        98.231.XX.XX/32 is directly connected, FastEthernet4
Labrouter#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Labrouter#ping 8.8.8.8 source 192.168.90.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.90.1
.....
Success rate is 0 percent (0/5)
Labrouter#ping 8.8.8.8 source fa 4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 98.231.XXX.XXX
.....
Success rate is 0 percent (0/5)
Labrouter#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 98.231.XXX.XXX:8    98.231.XXX.XXX:8     8.8.8.8:8          8.8.8.8:8
icmp 98.231.XXX.XXX:10   98.231.XXX.XXX:10    8.8.8.8:10         8.8.8.8:10
icmp 98.231.XXX.XXX:9    192.168.90.1:9     8.8.8.8:9          8.8.8.8:9
Labrouter#


ForsakenZombi
Level 1

Does no response mean that no one knows? I thought this would be the best place to get help for this issue. There must be something I am missing here right? Some sort of routing table or something? Please any kind of help is appreciated. I have spent 5 days on this now. If anyone is out there please help me.

allagulov
Level 1

Hi,

Your problem is this line: ip route 0.0.0.0 0.0.0.0 FastEthernet4. It should be: ip route 0.0.0.0 0.0.0.0 <IP address of your ISP router or modem>.

So in your case it will be something like: ip route 0.0.0.0 0.0.0.0 98.231.XX.X (you should ask your ISP about the gateway address).

allagulov,

Wouldn't that defeat the purpose of DHCP, though? I mean, if I set that to the dynamic IP address, then once it changes won't it just break?

Hello,

Yes, you are right, the default gateway IP address can be obtained via DHCP, as well as the IP address on Fa4.

Please try the following:

no ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 DHCP
interface fa4
 shut
 no shut

OMG, you are a god, sir! Thank you!!! Finally I can ping from the router. Now, however, my internal DHCP doesn't appear to be working and VLAN 10 never comes up when a device is plugged into the back of the router. Can I plug a laptop directly into the back or no?

Here is an update of my pings on the router. Only standard pings work, nothing else does. I also can't pull an IP from the internal DHCP server, and no matter what kind of device is plugged into fa0-2, VLAN 10 never comes up.

Labrouter#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms
Labrouter#ping google.com

Translating "google.com"
% Unrecognized host or address, or protocol not running.

Labrouter#ping 8.8.8.8 source 192.168.90.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.90.1
.....
Success rate is 0 percent (0/5)
Labrouter#

 

Hello,

In order to be able to ping a URL (ping google.com) you need to configure a DNS server for Cisco IOS. Try the following commands:
ip domain lookup
ip name-server 8.8.8.8

You can try to ping google.com after that. But if the pings are successful, I advise you to switch off domain lookup again:
no ip domain lookup
If you don't do it, every misprint in exec mode will make you wait for the timeout:
Labrouter#pinng
Translating "pinng"...domain server (255.255.255.255)

% Bad IP address or host name
% Unknown command or computer name, or unable to find computer address

As for VLAN 10 never coming up: I don't see a critical error in the configuration which could prevent the VLAN 10 interface from going up. Please send us the outputs of:
show ip int brief
vlan database
 show

Also, try to temporarily remove "spanning-tree portfast" and add "switchport mode access" for the interfaces:
interface range FastEthernet0 - 2
 no spanning-tree portfast
 switchport mode access
 shut
 no shut
 end

And I also want to ask about your internal DHCP server. I see that DHCP is configured on the Cisco router. If you also have another DHCP server in the internal LAN, you can get DHCP conflicts. It may be better to remove the DHCP configuration from the Cisco router.
And one more thing, I advise you to correct the NAT ACL in the following manner:
ip access-list extended NAT
 no permit udp any eq bootps any eq bootpc
 no permit icmp any any

From my point of view, you don't need to translate DHCP requests and push them to the outside network. ICMP any any is also an explicit rule, from my point of view.

Thank you so much, sir! The domain thing allowed me to ping domains. I started looking into the VLAN stuff based on the few things you asked to see (commands I have never used or knew about, especially the vlan database), which caused me to do some research and learn how to add the VLAN to the database, and then I was able to pull an IP address on my laptop from the router and the internet is now fully functional! You, sir, are my new best friend! Thank you! I have been trying to get this operational for 7 days on Spiceworks and two posts from you solved my entire world! Now I need to try and get this site-to-site VPN working with my SonicWall at work, which I can actually test and try now that I have internet, heheh. If you see anything wrong with my VPN setup (other than the fact the interface doesn't yet have it set to it) please do let me know! I will report back if I have any troubles.

Hello,

I'm very glad my recommendations were helpful!
Regarding the IPsec VPN configuration, I now see one issue. The NAT access-list should be modified in order to prevent IP addresses from the 192.168.90.0/24 net from being translated when the destination is on the 192.168.10.0/24 net.
ip access-list extended NAT
 5 deny ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.90.0 0.0.0.255 any

After you correct the access-list, theoretically, if the remote site is configured correctly, IPsec should be established.
To verify IPsec you can use the following commands:
show crypto isakmp sa
show crypto ipsec sa

And one more thing I want to add. Your Cisco 881 can be configured as a firewall, and it is strongly recommended to add a firewall configuration. This can help you defend your local net from Internet intrusions.

A very simple way to configure a firewall is to use an older technology called CBAC (Context-Based Access Control):
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html

You can use the following configuration:
ip access-list extended ACL_ISP
 remark ###########RFC1918, RFC3330###########
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 remark ###########Permit DHCP###########
 permit udp any eq bootps any
 remark ###########Permit ICMP###########
 permit icmp any any
 remark ###########Permit IPSEC###########
 permit udp any any eq 500
 permit udp any any eq 4500
 permit esp any any
 remark ###########DENY ALL OTHER###########
 deny ip any any
!
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC http
ip inspect name CBAC https
ip inspect name CBAC ftp
ip inspect name CBAC ftps
ip inspect name CBAC icmp
ip inspect name CBAC dns
!
interface FastEthernet4
 ip access-group ACL_ISP in
 ip inspect CBAC out

This will make a very basic defence for your LAN behind the router.

There is a newer technology for configuring a firewall on a Cisco router, called Zone-Based Firewall (ZBFW). But the configuration is a bit more complicated. You can read about this technology here:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

So before I saw your response I enabled the VPN and started seeing constant errors that said
IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

So, thinking I didn't set up IKEv2 right, I switched the SonicWall to aggressive mode and BAM, I saw a green light on the SonicWall indicating the VPN was successfully established; however, I couldn't ping the router on the opposite end from either end. So I started messing with the access, because currently, aside from 192.168.10.1 as the interface IP on the SonicWall, nothing was on that subnet, but I did have a computer plugged into interface 2 on the SonicWall with a subnet of 192.169.20.1, so I switched over all the .10 on the Cisco to .20 and also changed the destination network on the SonicWall to .20 and restarted the VPN. Since that point I couldn't get anything to work. I have since reverted everything back to the way it was and added what you mentioned above, and still I cannot get the VPN to connect.

This is what I see when I use the show commands you mentioned:

Labrouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
98.231.XXX.XXX 199.227.XXX.XXX QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

On the SonicWall I see this error in the log over and over:

Warning  VPN IKE  Received notify. NO_PROPOSAL_CHOSEN

On the Cisco, when I reload it, I see:

Oct  6 15:59:33.491: %CRYPTO-4-IKMP_NO_SA: IKE message from 199.227.11.116 has no SA and is not an initialization offer

Can't figure out what's wrong.

Never mind, I found it: my access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255 was still set to .20.

So now I need to figure out why, when I tried to change everything to .20, it didn't work. Your deny ip line, though, made it so that I can now ping between both networks, so thank you!

Well, I can ping both routers, but when I went to the diagnostics on the SonicWall and pinged the Cisco router that worked, but pinging my laptop from the same menu didn't, even though I'm on the network with IP 192.168.90.51. So I will need to try and get this switched over to the .20 network so I can test this between different computers on each network. Technically on the SonicWall .10 can talk to .20, but through the VPN I can't seem to ping .20. How can I incorporate both networks?

Hello,

From the Cisco side, you can easily configure VPN IPsec for both networks. You just need to add the corresponding lines to ACL 102 and ACL NAT:

ip access-list extended NAT
 deny ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.90.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.90.0 0.0.0.255 any

access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.20.0 0.0.0.255

And you need to perform the same configuration on the SonicWall side.

If it is impossible from the SonicWall side to configure two different networks in one VPN connection, you can try to create two different VPN connections on the SonicWall and two crypto maps on the Cisco side.
The first VPN connection for 192.168.90.0/24 <-> 192.168.10.0/24
and the second VPN connection for 192.168.90.0/24 <-> 192.168.20.0/24

I don't know exactly how to configure it on the SonicWall, but on the Cisco side you'll need the following configuration:
ip access-list extended NAT
 deny ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.90.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.90.0 0.0.0.255 any

access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.90.0 0.0.0.255 192.168.20.0 0.0.0.255

crypto map cisco_1_to_sonicwall_1 10 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set Chris-Home
 match address 102
!
crypto map cisco_1_to_sonicwall_1 20 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set Chris-Home
 match address 103
