VPN tunnel up, but no traffic?

jacob.dixon (Level 1)

I decided to grab a Cisco 1800 series router and try to set it up. So far I can get out, and everything seems fine. I then tried to set up a secure VPN tunnel between this router and a SonicWall router.

Now the problem is the SonicWall GUI and the Cisco say that the tunnel is up. But I cannot access the internal networks.

So my Cisco LAN is 192.168.11.0 255.255.255.0

and the SonicWall is 192.168.1.0 255.255.255.0

They cannot talk even though the tunnel is up. I've been banging my head and running through the tutorials and just can't figure it out.

Here is some proof that we reached at least phase one:

inbound esp sas:
  spi: 0xD1BC1B8E(3518765966)
    transform: esp-256-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 3003, flow_id: FPGA:3, crypto map: vpn
    sa timing: remaining key lifetime (k/sec): (4541007/2298)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

outbound esp sas:
  spi: 0xAE589C1E(2925042718)
    transform: esp-256-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 3004, flow_id: FPGA:4, crypto map: vpn
    sa timing: remaining key lifetime (k/sec): (4541027/2297)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE


So here is my config: (What am I missing?!?)

Current configuration : 3972 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CompsysRouter
!
boot-start-marker
boot-end-marker
!
enable secret *****************
enable password ***********
!
aaa new-model
!
aaa session-id common
ip cef
!
no ip domain lookup
ip domain name ********.local
ip inspect name myfw http timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw dns timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto pki trustpoint TP-self-signed-1821875492
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1821875492
 revocation-check none
 rsakeypair TP-self-signed-1821875492
!
crypto pki certificate chain TP-self-signed-1821875492
 certificate self-signed 01
  30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31383231 38373534 3932301E 170D3130 31323130 32333433
  35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38323138
  37353439 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CC57 E44AB177 3594C4C7 E88B1A4F CE4FD392 87CDB75C 2A6A6B1A 87D10791
  0134F1FC 54A84BB6 08A40213 35B9DD0A FD813D2F 1C778D01 3F8EBEB0 C4793850
  F52F7906 FDBC56A5 A4829AC5 4180DDA7 F54E3AAD DD1D4537 F1F19F11 9AE8A8A0
  91C98934 233CF608 1447DA83 41B09E55 4A0FF674 8D060945 07D3F3F9 8EA7B412
  5FD30203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
  551D1104 11300F82 0D436F6D 70737973 526F7574 6572301F 0603551D 23041830
  168014DC A9938F71 7CCF0E6D 8BC5DFA5 033DD7E4 0F605130 1D060355 1D0E0416
  0414DCA9 938F717C CF0E6D8B C5DFA503 3DD7E40F 6051300D 06092A86 4886F70D
  01010405 00038181 00148C2F AA7CA155 463B56F2 324FE1ED 3682E618 75E3048F
  93E1EA61 3305767A FA93567B AA93B107 83A2F3D6 8F773779 E6BF0204 DC71879A
  5F7FC07F 627D8444 48781289 7F8DC06A BC9057B1 4C72AE1F B64284BE 94C6059C
  7B6B8A5D 83375B86 3054C760 961E8763 91767604 5E0E0CE3 3736133A E51ACF26
  14F3C7C5 60E08BE3 88
  quit
username jdixon secret 5 $*****************
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
! pre-shared key and peer address were redacted in the original post
crypto isakmp key address
!
crypto ipsec transform-set compsys esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 ! peer address redacted in the original post
 set peer
 set transform-set compsys
 match address 101
!
interface FastEthernet0/0
 ip address "LOCAL ROUTER OUTSIDE" 255.255.255.248
 ip access-group Inbound in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
 crypto map vpn
!
interface FastEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
! next hop redacted in the original post
ip route 0.0.0.0 0.0.0.0
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.11.55 3389 interface FastEthernet0/0 9999
!
ip access-list extended Inbound
 permit icmp any any
 permit gre host "REMOTE ROUTER" host "LOCAL ROUTER"
 permit esp host "REMOTE ROUTER" host "LOCAL ROUTER"
 permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq isakmp
 permit ahp host "REMOTE ROUTER" host "LOCAL ROUTER"
 permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq non500-isakmp
 permit ip host "REMOTE ROUTER" any
 permit tcp any host "LOCAL ROUTER" eq 22
!
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

4 Replies

Jennifer Halim (Cisco Employee), accepted solution

NAT exemption is where it's failing.

Please kindly change it to as follows:

access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 150 permit ip 192.168.11.0 0.0.0.255 any

ip nat inside source list 150 interface fastethernet0/0 overload

no ip nat inside source list 1 interface fastethernet0/0 overload

Hope that helps.

That worked!

But... would you mind explaining why that works? I'm trying to learn this. I mean, I already had the

access-list 1 permit 192.168.11.0 0.0.0.255

but how come we had to basically deny it first, then permit it for it to work correctly?

Because we just added this line above:

access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255

Well I guess we are allowing ip when I just had a permit statement.

But anyways would you be so kind in explaining it to me?

Jennifer Halim (Cisco Employee), accepted solution

When you configure "access-list 1 permit 192.168.11.0 0.0.0.255", it will NAT all traffic from 192.168.11.0/24 to the outside interface IP address. This is required when your internal network needs to access the internet.

However, when you are passing traffic from the VPN pool 192.168.1.0/24 to your internal network 192.168.11.0/24, you do not need that traffic to be NATed, because it is already encrypted in IPsec when it goes through the VPN. After the traffic is decrypted, or before the traffic is encrypted, the clear-text traffic would be between 192.168.11.0/24 and 192.168.1.0/24, and that you do not need to NAT; hence we configure the "deny" statement to bypass/exempt it from being NATed.

Hope that helps.
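As an added illustration (not part of the original thread), here is a small Python model of why the first NAT statement broke the tunnel and why the deny entry in access-list 150 fixes it. It encodes the IOS inside-to-outside order of operations, in which "ip nat inside source" translation runs before the crypto map on the outside interface is consulted, so the crypto ACL only ever sees the post-NAT source address. The outside address 203.0.113.2 is an assumed placeholder for the redacted "LOCAL ROUTER OUTSIDE" value; the ACL matcher is a simplified first-match model written for this example, not IOS code.

```python
import ipaddress

# Addresses from the thread. OUTSIDE_IP is an assumed placeholder for the
# redacted "LOCAL ROUTER OUTSIDE" address in the posted configuration.
OUTSIDE_IP = "203.0.113.2"
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network object.
    A wildcard bit of 1 means "don't care", so the netmask is its inverse."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def acl_match(acl, src: str, dst: str) -> str:
    """First-match ACL lookup with the implicit 'deny' at the end.
    acl is a list of (action, src_net, dst_net) tuples."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


# access-list 1 permit 192.168.11.0 0.0.0.255   (standard ACL: source only)
NAT_ACL_1 = [("permit", wildcard_to_network("192.168.11.0", "0.0.0.255"), ANY)]

# access-list 150 deny   ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
# access-list 150 permit ip 192.168.11.0 0.0.0.255 any
NAT_ACL_150 = [
    ("deny", wildcard_to_network("192.168.11.0", "0.0.0.255"),
             wildcard_to_network("192.168.1.0", "0.0.0.255")),
    ("permit", wildcard_to_network("192.168.11.0", "0.0.0.255"), ANY),
]

# access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255  (crypto ACL)
CRYPTO_ACL_101 = [
    ("permit", wildcard_to_network("192.168.11.0", "0.0.0.255"),
               wildcard_to_network("192.168.1.0", "0.0.0.255")),
]


def forward_inside_to_outside(src: str, dst: str, nat_acl) -> tuple:
    """Simplified IOS inside-to-outside path: 'ip nat inside source' translation
    happens before the crypto map on the outside interface is evaluated, so the
    crypto ACL sees the post-NAT source address.
    Returns (source address on the wire, whether the packet was encrypted)."""
    if acl_match(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP  # 'overload' PAT onto the outside interface address
    encrypted = acl_match(CRYPTO_ACL_101, src, dst) == "permit"
    return src, encrypted


if __name__ == "__main__":
    for name, acl in (("access-list 1", NAT_ACL_1), ("access-list 150", NAT_ACL_150)):
        wire_src, enc = forward_inside_to_outside("192.168.11.55", "192.168.1.10", acl)
        print(f"{name:16} LAN->remote LAN: src on wire {wire_src:14} encrypted={enc}")
        wire_src, enc = forward_inside_to_outside("192.168.11.55", "198.51.100.7", acl)
        print(f"{name:16} LAN->Internet:   src on wire {wire_src:14} encrypted={enc}")
```

With access-list 1, a packet from 192.168.11.55 to 192.168.1.10 is translated to the outside address first, no longer matches access-list 101, and leaves the router unencrypted, which the far side has no reason to accept. With access-list 150 the deny entry exempts that flow from NAT, so it still matches 101 and is encrypted, while Internet-bound traffic from the same host is still translated. On the real router the same thing can be checked with "show ip nat translations" (there should be no entries whose destination is in 192.168.1.0/24) and with the encaps/decaps counters in "show crypto ipsec sa", which should both increase once the exemption is in place.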

Ahhhh... See, at first I was thinking it would deny it from going at all. But I guess since the deny is only applied to the "ip nat inside", it is only denying it from being NAT'd, like you are saying.

Thanks so much for your help! Now I'm off to figuring out VLANing with a switch / router. Making good progress :-)