cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7950
Views
0
Helpful
4
Replies
Highlighted
Beginner

VPN tunnel up, but no traffic?

I decided to grab a Cisco 1800 series router and try to set it up. So far I can get out, and everything seems fine. I then tried to setup a secure VPN tunnel between this router and a sonicwall router.

Now the problem is the SonicWall GUI and the Cisco say that tunnel is up. But I cannot access the internal networks..

So my cisco LAN is 192.168.11.0 255.255.255.0

and the sonic wall is 192.168.1.0 255.255.255.0

They cannot talk even though the tunnel is up. I've been banging my head, and running through the tutorials and just can't figure it out.

Here is some proof that we reached at least phase one:

inbound esp sas:
      spi: 0xD1BC1B8E(
3518765966)
        transform: esp-
256-aes esp-sha-hmac ,
       
in use settings ={Tunnel, }
        conn id:
3003, flow_id: FPGA:3, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4541007/2298)
        IV size:
16 bytes
        replay detection support: Y
        Status: ACTIVE

outbound esp sas:
      spi: 0xAE589C1E(
2925042718)
        transform: esp-
256-aes esp-sha-hmac ,
       
in use settings ={Tunnel, }
        conn id:
3004, flow_id: FPGA:4, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4541027/2297)
        IV size:
16 bytes
        replay detection support: Y
        Status: ACTIVE


So here is my config: (What am I missing?!?)

Current configuration : 3972 bytes
!
version
12.4 no service pad
service tcp-keepalives-
in service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CompsysRouter
!
boot-start-marker
boot-end-marker
!
enable secret *****************
enable password ***********
!
aaa
new-model
!
!
!
aaa session-id common
ip cef
!
!
!
!
no ip domain lookup
ip domain name ********.local
ip inspect name myfw http timeout
3600 ip inspect name myfw tcp timeout 3600 ip inspect name myfw udp timeout 3600 ip inspect name myfw dns timeout 3600 ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 !
!
crypto pki trustpoint TP-self-
signed-1821875492 enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
1821875492 revocation-check none
rsakeypair TP-self-
signed-1821875492 !
!
crypto pki certificate chain TP-self-
signed-1821875492 certificate self-signed 01   30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355
04031326 494F532D 53656C66 2D536967 6E65642D 43657274
 
69666963 6174652D 31383231 38373534 3932301E 170D3130 31323130 32333433
  35325A17 0D323030
31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43
65727469 66696361 74652D31 38323138
 
37353439 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CC57 E44AB177 3594C4C7 E88B1A4F CE4FD392 87CDB75C 2A6A6B1A 87D10791
  0134F1FC 54A84BB6 08A40213 35B9DD0A FD813D2F 1C778D01 3F8EBEB0 C4793850
  F52F7906 FDBC56A5 A4829AC5 4180DDA7 F54E3AAD DD1D4537 F1F19F11 9AE8A8A0
  91C98934 233CF608 1447DA83 41B09E55 4A0FF674 8D060945 07D3F3F9 8EA7B412
  5FD30203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF
30180603
  551D1104 11300F82 0D436F6D
70737973 526F7574 6572301F 0603551D 23041830
  168014DC A9938F71 7CCF0E6D 8BC5DFA5 033DD7E4 0F605130 1D060355 1D0E0416
  0414DCA9 938F717C CF0E6D8B C5DFA503 3DD7E40F 6051300D 06092A86 4886F70D
 
01010405 00038181 00148C2F AA7CA155 463B56F2 324FE1ED 3682E618 75E3048F
  93E1EA61 3305767A FA93567B AA93B107 83A2F3D6 8F773779 E6BF0204 DC71879A
  5F7FC07F 627D8444
48781289 7F8DC06A BC9057B1 4C72AE1F B64284BE 94C6059C
  7B6B8A5D 83375B86 3054C760 961E8763
91767604 5E0E0CE3 3736133A E51ACF26
  14F3C7C5 60E08BE3
88   quit
username jdixon secret
5 $*****************
!        
!
ip ssh time-out
60 ip ssh authentication-retries 2 !
!
crypto isakmp policy
1 encr aes 256 authentication pre-share
group
2 lifetime 28800 crypto isakmp key address  !
!
crypto ipsec transform-set compsys esp-aes
256 esp-sha-hmac
!
crypto map vpn
10 ipsec-isakmp
set peer
set transform-set compsys
match address
101 !
!
!
interface FastEthernet0/0
ip address
"LOCAL ROUTER OUTSIDE" 255.255.255.248 ip access-group Inbound in ip nat outside
ip inspect myfw out
ip
virtual-reassembly
duplex auto
speed auto
no keepalive
crypto map vpn
!
interface FastEthernet0/1
ip address
192.168.11.1 255.255.255.0 ip nat inside
ip
virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route
0.0.0.0 0.0.0.0 !
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list
1 interface FastEthernet0/0 overload
ip nat inside source
static tcp 192.168.11.55 3389 interface FastEthernet0/0 9999 !
ip access-list extended Inbound
permit icmp any any
permit gre host
"REMOTE ROUTER" host "LOCAL ROUTER" permit esp host "REMOTE ROUTER" host "LOCAL ROUTER" permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq isakmp
permit ahp host
"REMOTE ROUTER" host "LOCAL ROUTER" permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq non500-isakmp
permit ip host
"REMOTE ROUTER" any
permit tcp any host
"LOCAL ROUTER" eq 22 !
access-list
1 permit 192.168.11.0 0.0.0.255 access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255 !
!
!
!
control-plane
!        
!
!
line con
0 line aux 0 line vty 0 4 !
scheduler allocate
20000 1000 end

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Cisco Employee

NAT exemption is where it's failing.

Please kindly change it to as follows:

access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 150 permit ip 192.168.11.0 0.0.0.255 any

ip nat inside source list 150 interface fastethernet0/0 overload

no ip nat inside source list 1 interface fastethernet0/0 overload

Hope that helps.

View solution in original post

Highlighted

When you configure "access-list 1 permit 192.168.11.0 0.0.0.255", it will NAT all traffic from 192.168.11.0/24 to the outside interface IP Address. This is required when your internal network needs to access the internet.

However, when you are passing traffic from the VPN Pool 192.168.1.0/24 to your internal network 192.168.11.0/24, you do not need those traffic to be NATed because it is already encrypted in IPSec when it goes through the VPN, however, after the traffic is decrypted, or before the traffic is encrypted, the clear text traffic would be between 192.168.11.0/24 and 192.168.1.0/24 and those you do not need to NAT, hence, we configure the "deny" statement to bypass/exempt it from being NATed.

Hope that helps.

View solution in original post

4 REPLIES 4
Highlighted
Cisco Employee

NAT exemption is where it's failing.

Please kindly change it to as follows:

access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 150 permit ip 192.168.11.0 0.0.0.255 any

ip nat inside source list 150 interface fastethernet0/0 overload

no ip nat inside source list 1 interface fastethernet0/0 overload

Hope that helps.

View solution in original post

Highlighted

That worked!

But.. would you mind explaining why that works? I trying to learn this. I mean I already had the

access-list 1 permit 192.168.11.0 0.0.0.255

but how come we had to basically deny it first, then permit it for it to work correctly?

Because we just added this line above:

access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255

Well I guess we are allowing ip when I just had a permit statement.

But anyways would you be so kind in explaining it to me?

Highlighted

When you configure "access-list 1 permit 192.168.11.0 0.0.0.255", it will NAT all traffic from 192.168.11.0/24 to the outside interface IP Address. This is required when your internal network needs to access the internet.

However, when you are passing traffic from the VPN Pool 192.168.1.0/24 to your internal network 192.168.11.0/24, you do not need those traffic to be NATed because it is already encrypted in IPSec when it goes through the VPN, however, after the traffic is decrypted, or before the traffic is encrypted, the clear text traffic would be between 192.168.11.0/24 and 192.168.1.0/24 and those you do not need to NAT, hence, we configure the "deny" statement to bypass/exempt it from being NATed.

Hope that helps.

View solution in original post

Highlighted

Ahhhh... See at first I was thinking it would deny it from going at all. But I guess since the deny is only applied to the "ip nat inside" it is only denying it from being nat'd like you are saying.

Thanks so much for you help! Now i'm off to figuring out vlanning with a switch / router. Making good progress :-)