10-01-2015 02:38 PM - edited 03-08-2019 02:01 AM
Hey everyone,
I have spent over 4 days trying to get this to work. I have been on the Spiceworks forum and it's apparent they don't know how to help, because the issues that did get resolved in the 4 days were done by me, a straight Cisco newb. It started by me needing to bring home a Cisco router and get it to do a site-to-site VPN with the new SonicWall I have at work, but sadly after 4 days I have yet to even get it to connect to the internet properly. At first it would not pull an IP address from my ISP, but I was able to resolve that with permit udp any eq bootps any eq bootpc and ip tcp adjust-mss 1460 (which I am not sure I even need with Comcast), then rebooted the modem and the router and BAM, finally it pulled a DHCP IP address from my ISP. Sadly, however, still no internet. Below is my config, ip interface, show ip route, and various ping and NAT translation tests (IP addresses are XXX'd out for security). Please help me, I am at my wits' end with this thing. (It's a Cisco 881.) (You can ignore the VPN stuff, I haven't been able to use or test that yet.)
Labrouter#show run
Building configuration...
Current configuration : 2658 bytes
!
! Last configuration change at 16:33:36 SUMMER Thu Oct 1 2015
! NVRAM config last updated at 16:02:24 SUMMER Thu Oct 1 2015
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Labrouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$VVP3$S54zJ7vK9sYUDlDnruCZm.
enable password XXXXXXXX
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone EST -5
clock summer-time SUMMER recurring
!
!
ip source-route
!
!
ip dhcp excluded-address 192.168.90.1 192.168.90.50
!
ip dhcp pool LAN1
import all
network 192.168.90.0 255.255.255.0
default-router 192.168.90.1
dns-server 8.8.8.8
lease 7
!
!
ip cef
no ip domain lookup
ip multicast-routing
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX155382K0
!
!
vtp mode transparent
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key XXXXXXXX address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set Chris-Home esp-3des esp-sha-hmac
!
crypto map cisco_1_to_sonicwall_1 10 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set Chris-Home
match address 102
!
!
!
!
!
interface FastEthernet0
switchport access vlan 10
spanning-tree portfast
!
!
interface FastEthernet1
switchport access vlan 10
spanning-tree portfast
!
!
interface FastEthernet2
switchport access vlan 10
spanning-tree portfast
!
!
interface FastEthernet3
no cdp enable
spanning-tree portfast
!
!
interface FastEthernet4
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
!
interface Vlan1
description LAN
ip address dhcp
!
!
interface Vlan10
description LAN
ip address 192.168.90.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip access-list extended NAT
permit ip 192.168.90.0 0.0.0.255 any
permit udp any eq bootps any eq bootpc
permit icmp any any
ip access-list extended VPN
permit ip 192.168.10.0 0.0.0.255 192.168.90.0 0.0.0.255
!
access-list 101 permit ip 192.168.90.0 0.0.0.255 any
access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
password XXXXXXXX
transport preferred ssh
transport input ssh
!
scheduler max-task-time 5000
end
Labrouter#sho ip int brie
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
FastEthernet4 98.231.XXX.XXX YES DHCP up up
NVI0 unassigned YES unset administratively down down
Vlan1 unassigned YES NVRAM down down
Vlan10 192.168.90.1 YES NVRAM down down
Labrouter#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, FastEthernet4
76.0.0.0/32 is subnetted, 1 subnets
S 76.96.92.132 [254/0] via 98.231.XX.X, FastEthernet4
98.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 98.231.XX.X/21 is directly connected, FastEthernet4
L 98.231.XX.XX/32 is directly connected, FastEthernet4
Labrouter#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Labrouter#ping 8.8.8.8 source 192.168.90.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.90.1
.....
Success rate is 0 percent (0/5)
Labrouter#ping 8.8.8.8 source fa 4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 98.231.XXX.XXX
.....
Success rate is 0 percent (0/5)
Labrouter#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 98.231.XXX.XXX:8 98.231.XXX.XXX:8 8.8.8.8:8 8.8.8.8:8
icmp 98.231.XXX.XXX:10 98.231.XXX.XXX:10 8.8.8.8:10 8.8.8.8:10
icmp 98.231.XXX.XXX:9 192.168.90.1:9 8.8.8.8:9 8.8.8.8:9
Labrouter#
10-02-2015 07:50 AM
Does no response mean that no one knows? I thought this would be the best place to get help for this issue. There must be something I am missing here, right? Some sort of routing table or something? Please, any kind of help is appreciated. I have spent 5 days on this now. If anyone is out there, please help me.
10-05-2015 04:20 AM
Hi,
Your problem is this line: ip route 0.0.0.0 0.0.0.0 FastEthernet4. It should be: ip route 0.0.0.0 0.0.0.0 IPADDRESS of your ISP router or modem.
So in your case it will be something like: ip route 0.0.0.0 0.0.0.0 98.231.XX.X <- you should ask your ISP about the gateway address.
10-05-2015 05:42 AM
Allagulove,
Wouldn't that defeat the purpose of DHCP though? I mean, if I set that to the dynamic IP address, then once it changes won't it just break?
10-05-2015 07:01 AM
Hello,
Yes, you are right: the default gateway IP address can be obtained via DHCP, as well as the IP address on Fa4.
Please try the following:
no ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 DHCP
interface fa4
shut
no shut
10-05-2015 12:19 PM
OMG, you are a god, sir! Thank you!!! Finally I can ping from the router. Now, however, my internal DHCP doesn't appear to be working and VLAN 10 never comes up when a device is plugged into the back of the router. Can I plug a laptop directly into the back or no?
10-05-2015 12:38 PM
Here is an update of my pings on the router. Only standard pings work, nothing else does. I also can't pull an IP from the internal DHCP server, and no matter what kind of device is plugged into fa0-2, VLAN 10 never comes up.
Labrouter#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms
Labrouter#ping google.com
Translating "google.com"
% Unrecognized host or address, or protocol not running.
Labrouter#ping 8.8.8.8 source 192.168.90.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.90.1
.....
Success rate is 0 percent (0/5)
Labrouter#
10-06-2015 12:57 AM
Hello,
In order to be able to ping a URL (ping google.com) you need to configure a DNS server for Cisco IOS. Try the following commands:
ip domain lookup
ip name-server 8.8.8.8
You can try to ping google.com after that. But if pings are successful, I advise you to switch off domain lookup again:
no ip domain lookup
If you don't do it, every typo in exec mode will make you wait for a timeout:
Labrouter#pinng
Translating "pinng"...domain server (255.255.255.255)
% Bad IP address or host name
% Unknown command or computer name, or unable to find computer address
As for VLAN 10 never coming up: I don't see a critical error in the configuration that could prevent the VLAN 10 interface from going up. Please send us the outputs of:
show ip int brief
vlan database
show
Also, try to temporarily remove "spanning-tree portfast" and add "switchport mode access" for the interfaces:
interface range fas0-2
no spanning-tree portfast
switchport mode access
shut
no shut
end
10-06-2015 12:57 AM
And I also want to ask about your internal DHCP server. I see that DHCP is configured on the Cisco router. If you also have another DHCP server in the internal LAN, you can get DHCP conflicts. It may be better to remove the DHCP configuration from the Cisco router.
And one more thing: I advise you to correct the NAT ACL in the following manner:
ip access-list extended NAT
no permit udp any eq bootps any eq bootpc
no permit icmp any any
From my point of view, you don't need to translate DHCP requests and push them to the outside network. ICMP any any is also an explicit rule, from my point of view.
10-06-2015 06:38 AM
Thank you so much, sir! The domain thing allowed me to ping domains. I started looking into the VLAN stuff based on the few things you asked to see (commands I have never used or knew about, especially the vlan database), which caused me to do some research, and I learned how to add the VLAN to the database and then was able to pull an IP address on my laptop from the router, and the internet is now fully functional! You, sir, are my new best friend! Thank you! I have been trying to get this operational for 7 days on Spiceworks and two posts from you solved my entire world! Now I need to try and get this site-to-site VPN working with my SonicWall at work, which I can actually test and try now that I have internet, heheh. If you see anything wrong with my VPN setup (other than the fact the interface doesn't yet have it set to it), please do let me know! I will report back if I have any troubles.
10-06-2015 07:42 AM
Hello,
I'm very glad my recommendations were helpful!
Regarding the IPsec VPN configuration, I now see one issue. The NAT access-list should be modified in order to prevent IP addresses from the 192.168.90.0/24 net from being translated when the destination is on the 192.168.10.0/24 net.
ip access-list extended NAT
5 deny ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 any
After you correct the access-list, theoretically, if the remote site is configured correctly, IPsec should be established.
To verify IPsec you can use the following commands:
show crypto isakmp sa
show crypto ipsec sa
10-06-2015 07:42 AM
And one more thing I want to add. Your Cisco 881 can be configured as a firewall, and it is strongly recommended to add a firewall configuration. This can help you defend your local net from Internet intrusions.
A very simple way to configure a firewall is to use an older technology called CBAC (Context-Based Access Control):
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html
You can use the following configuration:
ip access-list extended ACL_ISP
remark ###########RFC1918, RFC3330###########
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
remark ###########Permit DHCP###########
permit udp any eq bootps any
remark ###########Permit ICMP###########
permit icmp any any
remark ###########Permit IPSEC###########
permit udp any any eq 500
permit udp any any eq 4500
permit esp any any
remark ###########DENY ALL OTHER###########
deny ip any any
!
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC http
ip inspect name CBAC https
ip inspect name CBAC ftp
ip inspect name CBAC ftps
ip inspect name CBAC icmp
ip inspect name CBAC dns
!
interface FastEthernet4
ip access-group ACL_ISP in
ip inspect CBAC out
This will make a very basic defence for your LAN behind the router.
There is a newer technology for configuring a firewall on a Cisco router, called Zone-Based Firewall (ZBFW), but the configuration is a bit more complicated. You can read about this technology here:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
10-06-2015 08:41 AM
So before I saw your response I enabled the VPN and started seeing constant errors that said
IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
So, thinking I didn't set up IKEv2 right, I switched the SonicWall to aggressive mode and BAM, I saw a green light on the SonicWall indicating the VPN was successfully established; however, I couldn't ping the router on the opposite end from either end. So I started messing with the access, because currently, aside from 192.168.10.1 as the interface IP on the SonicWall, nothing was on that subnet, but I did have a computer plugged into interface 2 on the SonicWall with a subnet of 192.169.20.1, so I switched all the .10 on the Cisco over to .20 and also changed the destination network on the SonicWall to .20 and restarted the VPN. Since that point I couldn't get anything to work. I have since reverted everything back to the way it was and added what you mentioned above, and still I cannot get the VPN to connect.
This is what I see when I use the show commands you mentioned:
Labrouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
98.231.XXX.XXX 199.227.XXX.XXX QM_IDLE 2001 ACTIVE
IPv6 Crypto ISAKMP SA
On the SonicWall I see this error in the log over and over:
Warning | VPN IKE | Received notify. NO_PROPOSAL_CHOSEN |
On the Cisco, when I reload it, I see:
Oct 6 15:59:33.491: %CRYPTO-4-IKMP_NO_SA: IKE message from 199.227.11.116 has no SA and is not an initialization offer
Can't figure out what's wrong.
10-06-2015 08:51 AM
Never mind, I found it: my access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255 was still set to .20.
So now I need to figure out why, when I tried to change everything to .20, it didn't work. Your deny ip line, though, made it so that I can now ping between both networks, so thank you!
Well, I can ping both routers, but when I went to the diagnostics on the SonicWall and pinged the Cisco router, that worked, but pinging my laptop from the same menu didn't, even though I'm on the network with IP 192.168.90.51, so I will need to try and get this switched over to the .20 network so I can test this between different computers on each network. Technically on the SonicWall .10 can talk to .20, but through the VPN I can't seem to ping .20. How can I incorporate both networks?
10-08-2015 01:22 AM
Hello,
From the Cisco side, you can easily configure the IPsec VPN for both networks. You just need to add the corresponding lines to ACL 102 and ACL NAT:
ip access-list extended NAT
deny ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.90.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 any
access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.20.0 0.0.0.255
And you need to perform the same configuration on the SonicWall side.
If it is impossible on the SonicWall side to configure two different networks in one VPN connection, you can try to create two different VPN connections on the SonicWall and two crypto maps on the Cisco side.
The First VPN Connection for 192.168.90.0/24 <-> 192.168.10.0/24
and the second VPN Connection for 192.168.90.0/24 <-> 192.168.20.0/24
I don't know exactly how to configure it on the SonicWall, but on the Cisco side you'll need the following configuration:
ip access-list extended NAT
deny ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.90.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 any
access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.90.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto map cisco_1_to_sonicwall_1 10 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set Chris-Home
match address 102
!
crypto map cisco_1_to_sonicwall_1 20 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set Chris-Home
match address 103
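The NAT-exemption point made in the two answers above (the deny lines at the top of the NAT ACL, first for 192.168.10.0/24 and then for both work subnets) is easy to see with a small model. This is an added example, not code from the thread or from Cisco: it implements IOS wildcard-mask ACL matching with first-match semantics and the implicit deny, and it assumes IOS's inside-to-outside order of operations, where NAT runs before the crypto map is consulted. The public address 198.51.100.7 is a constructed stand-in for the router's DHCP-assigned WAN address.

```python
"""Model of Cisco IOS extended ACLs (wildcard masks, first match wins) used to
show why the NAT ACL needs a deny for the VPN subnets ahead of the permit."""
from ipaddress import IPv4Address


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' for that bit position."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


def acl_lookup(acl, src, dst):
    """Return the action of the first entry matching (src, dst); IOS appends an
    implicit 'deny ip any any' to every access-list."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


HOME = ("192.168.90.0", "0.0.0.255")    # LAN behind the 881 (Vlan10)
WORK10 = ("192.168.10.0", "0.0.0.255")  # SonicWall LAN
WORK20 = ("192.168.20.0", "0.0.0.255")  # SonicWall interface 2 LAN
ANY = ("0.0.0.0", "255.255.255.255")

# The original 'ip access-list extended NAT': translate everything from the LAN.
NAT_BEFORE = [("permit", *HOME, *ANY)]
# The corrected list: VPN-bound traffic is exempted from NAT before the permit.
NAT_AFTER = [("deny", *HOME, *WORK10),
             ("deny", *HOME, *WORK20),
             ("permit", *HOME, *ANY)]
# Crypto ACLs 102/103: traffic the crypto map should protect with IPsec.
CRYPTO = [("permit", *HOME, *WORK10), ("permit", *HOME, *WORK20)]

PUBLIC_IP = "198.51.100.7"  # constructed stand-in for the DHCP-assigned WAN address


def egress(nat_acl, src, dst):
    """Inside-to-outside processing: NAT first (if the NAT ACL permits), then
    the crypto-map check. Returns (source address after NAT, enters tunnel?).
    With NAT_BEFORE the source is rewritten to the public address, so it no
    longer matches the crypto ACL and the packet leaves in clear text."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = PUBLIC_IP
    return src, acl_lookup(CRYPTO, src, dst) == "permit"


if __name__ == "__main__":
    for acl_name, acl in (("before", NAT_BEFORE), ("after", NAT_AFTER)):
        print(acl_name, egress(acl, "192.168.90.51", "192.168.10.7"))
```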