Configuring a vpn with cisco router 827

Post by Payba » Mon, 17 Jul 2006 05:36:57


I have some problems with the configuration of an IPsec VPN between a
Cisco 827 router and a SonicWALL 4060.
The status of the tunnels is OK (IKE and IPsec), but hosts don't
communicate.
The problem is probably the NAT or an access list; could someone help
me?

Regards

This is the configuration:


---------------------------------------------------------------------------------------------------------------
Current configuration : 1762 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname testing
!
enable secret 5 $1$tCeE$HbJVPnsXI0t5yO/BzN.Zu/
!
no aaa new-model
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 0 password address 83.97.195.248
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
!
crypto map tosonicwall 15 ipsec-isakmp
set peer 83.97.195.248
set transform-set strongsha
match address 115
!
!
!
!
interface Ethernet0
ip address 192.168.2.1 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 217.127.73.218 255.255.255.192
ip nat outside
pvc 8/32
encapsulation aal5snap
!
crypto map tosonicwall
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet3
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
ip nat inside source list 101 interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 115 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.0.255
no cdp run
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ---------
login
!
scheduler max-task-time 5000
!
end

Configuring a vpn with cisco router 827

Post by www.BradRe » Mon, 17 Jul 2006 06:12:25

You may wish to investigate the Cisco 827 Config Wizard:

http://www.yqcomputer.com/

Cisco 827 IPSec Configuration:

http://www.yqcomputer.com/

Cisco 827 GUI Config:

http://www.yqcomputer.com/

Cisco 827 Firewall IPSec Configuration:

http://www.yqcomputer.com/

Cisco 827 Business Configuration:

http://www.yqcomputer.com/

Cisco 827 Firewall PPTP Configuration:

http://www.yqcomputer.com/

Cisco 827 Firewall Configuration:

http://www.yqcomputer.com/

Cisco 827 Basic Configuration:

http://www.yqcomputer.com/

Hope this helps.

Brad Reese
BradReese.Com - Global Cisco Systems Pre-Sales Support
http://www.yqcomputer.com/ #GLOBAL
1293 Hendersonville Road, Suite 17
Asheville, North Carolina USA 28803
USA & Canada: 877-549-2680
International: 828-277-7272
Fax: 775-254-3558
AIM: R2MGrant
BradReese.Com - Cisco Technical Forums
http://www.yqcomputer.com/


Configuring a vpn with cisco router 827

Post by Brian » Mon, 17 Jul 2006 07:17:42

You need to remove your ACL 101 and modify it to deny NAT for the VPN
tunnel:

no access-list 101
access-list 101 deny ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

-Brian

Configuring a vpn with cisco router 827

Post by Merv » Mon, 17 Jul 2006 08:27:05

Are there any matches showing against the access lists?


! 1. clear the access-list counters

clear access-list counters 101
clear access-list counters 115

! 2. send traffic over the tunnel

! 3. check for matches against the access lists

show access-list 101
show access-list 115

Configuring a vpn with cisco router 827

Post by Payba » Mon, 17 Jul 2006 20:41:55

Thanks for all your responses.

I have to try these changes. One more thing: how do I send all VPN traffic
over the tunnel? Is it done with a route-map, or is denying it in the ACL
sufficient?

Regards


Merv wrote:

Configuring a vpn with cisco router 827

Post by Brian » Mon, 17 Jul 2006 23:27:58


The crypto map tells it to send the traffic into the tunnel; you specify that in the
"match address" statement.

The deny statement tells it not to NAT that specific traffic.
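Brian's two points (the crypto map's "match address" selects tunnel traffic, and the deny entry in ACL 101 exempts it from NAT) can be checked with this added Python model, which is not part of the thread. It evaluates IOS-style wildcard-mask ACLs in the order the router applies them to inside-to-outside traffic (NAT first, then the crypto map check) using the addresses from Payba's config; the host addresses 192.168.2.10, 172.16.0.20 and 203.0.113.9 are constructed for the demonstration.

```python
import ipaddress

# ACL entry modelled as (action, src_net, src_wildcard, dst_net, dst_wildcard),
# the same fields an IOS extended "access-list N permit ip ..." line carries.
def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action == "permit"
    return False

def forward(nat_acl, crypto_acl, src, dst, outside_ip="217.127.73.218"):
    """Inside-to-outside order of operations on IOS: NAT runs before the
    crypto map is consulted. Returns (source seen on the wire, encrypted?)."""
    if acl_permits(nat_acl, src, dst):
        src = outside_ip          # overload NAT rewrites the source to ATM0.1's address
    encrypted = acl_permits(crypto_acl, src, dst)  # crypto map "match address 115"
    return src, encrypted

LAN = ("192.168.2.0", "0.0.0.255")       # Ethernet0, ip nat inside
REMOTE = ("172.16.0.0", "0.0.0.255")     # network behind the SonicWALL
ANY = ("0.0.0.0", "255.255.255.255")

ACL_115 = [("permit", *LAN, *REMOTE)]                     # crypto ACL from the config
ACL_101_ORIGINAL = [("permit", *LAN, *ANY)]               # NATs everything, tunnel included
ACL_101_FIXED = [("deny", *LAN, *REMOTE), ("permit", *LAN, *ANY)]  # Brian's fix

if __name__ == "__main__":
    for name, acl in (("original", ACL_101_ORIGINAL), ("fixed", ACL_101_FIXED)):
        # Constructed hosts: a LAN PC talking to a remote PC, then to the Internet.
        print(name, "to remote LAN:", forward(acl, ACL_115, "192.168.2.10", "172.16.0.20"))
        print(name, "to Internet:  ", forward(acl, ACL_115, "192.168.2.10", "203.0.113.9"))
```

With the original ACL 101 the LAN source is translated to 217.127.73.218 before the crypto check, so the packet no longer matches ACL 115 and leaves in the clear; with the deny entry it keeps its private source, matches the crypto map and is encrypted, while Internet-bound traffic is still NATed.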

Configuring a vpn with cisco router 827

Post by Payba » Tue, 18 Jul 2006 06:33:42

Thanks Brian, tomorrow I will try these things.

regards

Brian V wrote: