01-25-2018 09:55 PM - edited 03-12-2019 04:57 AM
Sorry if I explain myself poorly....
I have the VPN up; I can see on both ends that it is up. If I ping from the SonicWall LAN over to the Cisco LAN it looks like it works: I can see the matches on the ACL going up. I do not have any devices connected over there, so I cannot say for sure it is able to ping, but it seems like it can.
10 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255 (59 matches) (every time I ping, it goes up)
But if I ping from the Cisco device over to the SonicWall LAN it is not able to ping any device nor the router.
Building configuration...
Current configuration : 2272 bytes
!
! Last configuration change at 05:08:03 UTC Fri Jan 26 2018
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name xxx.com
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn xxx
license boot module c1900 technology-package securityk9
!
!
username xx secret 5 xx
!
redundancy
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address xxx
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
!
crypto map tosonicwall 15 ipsec-isakmp
set peer x.x.x.x
set transform-set strongsha
match address VPN
!
!
!
!
!
interface GigabitEthernet0/0
ip address x.x.x.x 255.255.255.x
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map tosonicwall
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list ISP interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list standard ISP
permit 192.168.10.0 0.0.0.255
!
ip access-list extended VPN
permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 5 0
password xxxxx
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password xxxxx
logging synchronous
login local
transport input ssh
line vty 5 10
exec-timeout 5 0
password xxxxx
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
end
01-26-2018 01:46 AM
As far as I know the crypto ACL will only increment on the first packet when it tries to initiate the tunnel; the rest of the packets won't increment the hit count, but I'm not 100% sure on the 1900 and I do not have one available to test.
When you run show crypto ipsec sa do you see encaps and decaps packets?
Are you specifying the source when pinging from the Cisco?
HTH
Bogdan
01-26-2018 02:53 PM
Thanks for the reply. I found the issue: I had to remove
ip nat inside source list ISP interface GigabitEthernet0/0 overload
and create an extended ACL like so:
deny ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
and apply it to
ip nat inside source list NAT interface g0/0 overload
It seems like it was a NAT issue.
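Why the NAT exemption fixes it, as an added example that is not part of the thread: on IOS, traffic from the NAT-inside interface is translated before the crypto map on the outside interface is evaluated, so if the NAT ACL permits the VPN traffic the source becomes the public address and the crypto ACL no longer matches. The model below replays both NAT ACLs from this thread; the outside address 203.0.113.10 is a constructed placeholder.

```python
# Small model of the IOS inside-to-outside order of operations for this fix.
# NAT ("ip nat inside source list") is applied BEFORE the crypto map, so a
# packet that gets translated can no longer match the crypto ACL "VPN".
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit in the mask means that bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (n & ~w) & 0xFFFFFFFF


def acl_permits(acl, src: str, dst: str) -> bool:
    """Evaluate an extended ACL top-down with the implicit deny at the end."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.10.0", "0.0.0.255")          # Gi0/1 side of the 1921
REMOTE = ("192.168.8.0", "0.0.0.255")        # SonicWall LAN

# Crypto ACL "VPN" from the posted config.
VPN_ACL = [("permit", LAN, REMOTE)]
# Original NAT ACL "ISP": a standard ACL (source only), modelled as src -> any.
NAT_ISP = [("permit", LAN, ANY)]
# Corrected NAT ACL from the accepted answer: exempt VPN traffic first.
NAT_FIXED = [("deny", LAN, REMOTE), ("permit", LAN, ANY)]

OUTSIDE_IP = "203.0.113.10"  # constructed placeholder for Gi0/0's address


def forward(nat_acl, src: str, dst: str):
    """Return (source address on egress, 'tunnel' or 'clear')."""
    if acl_permits(nat_acl, src, dst):
        src = OUTSIDE_IP  # PAT overload rewrites the source first
    path = "tunnel" if acl_permits(VPN_ACL, src, dst) else "clear"
    return src, path
```

With the original `ISP` list the ping to 192.168.8.x leaves Gi0/0 translated and in the clear, which is exactly the one-way symptom in the question; with the `deny` entry in place it keeps its LAN source and is encrypted.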