cisco to sonicwall firewall

Discussion in 'Cisco' started by hazevelsheli@hotmail.com, Sep 28, 2007.

  1. hazevelsheli@hotmail.com

    hazevelsheli@hotmail.com

    Joined:
    Sep 28, 2007
    Messages:
    4
I have a 3640 I need to VPN to a SonicWall 230.
The 3640 currently has 2 unrelated VPNs (IPsec).

I created the tunnel to the best of my ability, but when I test it: 1. the existing unrelated VPN dies, and 2. the address I'm trying to ping on the SonicWall side isn't responding.

Any ideas?
Thank you in advance.

    ======

The requirements I have are:
On the SonicWall side, ping the local 172.0.0.50 [from the Cisco local of 172.16.1.100].

    IPSec Mode = IKE Using Preshared Secret
    Exchange = Main Mode
    Phase 1 DH Group = Group 2
    SA Life Time (Secs) = 28800
    Phase 1 Encrypt/Auth = DES & MD5
    Phase 2 Encrypt/Auth = Encrypt and Authenticate (ESP DES HMAC MD5)
    Shared Secret = mynewsharedsecretword
    Keep Alive = Enabled
    Phase 2 DH Group = Group 1

    =======

The sh run for the 3640 is:

    C1 3640-A sh run aug2907.txt

    r1#sh run
    Building configuration...

    Current configuration : 8439 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname 111
    !
    logging buffered 4096 debugging
    no logging console
    aaa new-model
    !
    !
    aaa session-id common
    enable secret 5 xxx
    !
    username xxx password 7 xxx
    username xxx password 7 xxx

    !
    !
    memory-size iomem 10
    ip subnet-zero
    !
    !
    ip domain-name xxxxx
    !
    ip inspect name fw1 cuseeme
    ip inspect name fw1 ftp
    ip inspect name fw1 udp
    ip inspect name fw1 vdolive
    ip inspect name fw1 streamworks
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 120
    ip ssh authentication-retries 3
    !
    crypto isakmp policy 5
    authentication pre-share
    !
    crypto isakmp policy 11
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    !
    crypto isakmp policy 23
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key mynewsharessecretword address xx.xxx.xxx.xx
    !
    !
    crypto ipsec transform-set Best esp-3des esp-sha-hmac
    crypto ipsec transform-set s1s2 esp-des esp-sha-hmac
    crypto ipsec transform-set 23good esp-des esp-md5-hmac *************
    crypto mib ipsec flowmib history tunnel size 200
    crypto mib ipsec flowmib history failure size 200
    ![[[[[[[[[[[unrelated vpn]]]]]]]]]]]]]]]
    crypto map mapit 11 ipsec-isakmp
    set peer xxxxxxxx
    set transform-set Best
    match address 102
    ![[[[[[[[[[[unrelated vpn]]]]]]]]]]]]]]]
    crypto map vpn local-address Tunnel0
    crypto map vpn 10 ipsec-isakmp
    set peer 10.10.10.2
    set transform-set s1s2
    match address 108
    ![[[[[[[[[[[vpn i have trouble with]]]]]]]]]]]]]]]
    crypto map good 23 ipsec-isakmp
    set peer xxx {=external ip address of sonicwall here}************
    set transform-set 23good
    match address 123
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !![[[[[[[[[[[unrelated vpn]]]]]]]]]]]]]]]
    interface Tunnel0
    ip address 10.10.10.1 255.255.255.0
    tunnel source xxx
    tunnel destination xxx
    crypto map vpn
    !![[[[[[[[[[[unrelated vpn]]]]]]]]]]]]]]]
    interface Tunnel1
    ip address 10.10.12.1 255.255.255.0
    tunnel source xxx
    tunnel destination xxx
    !![[[[[[[[[[[vpn i have trouble with]]]]]]]]]]]]]]]
    interface Tunnel2
    ip address 10.10.11.1 255.255.255.0
    tunnel source xxxx {=3640's external ip}
    tunnel destination xxxx {=sonicwall external ip}
    !
    interface Ethernet0/0
    no ip address
    shutdown
    half-duplex
    !
    interface Serial0/0
    description To UUNET (xxxxxxxxxxxx)
    bandwidth 1536
    ip address xxx 255.255.255.252
    ip access-group 101 in
    ip nat outside
    ip inspect fw1 out
    encapsulation frame-relay IETF
    no ip mroute-cache
    no fair-queue
    frame-relay interface-dlci 500
    crypto map vpn
    !
    interface FastEthernet2/0
    ip address 172.16.1.2 255.255.248.0 secondary
    ip address xxxxxxxx 255.255.255.192
    ip helper-address 172.30.0.10
    ip helper-address 172.16.9.5
    no ip redirects
    ip nat inside
    ip pim sparse-dense-mode
    ip cgmp
    speed auto
    full-duplex
    !![[[[[[[[[[[i think this is legacy code from older topology we used to have, we only have ONE router on our end, is there a need for this segment? i think its router to router OS related stuff]]]]]]]]]]]]]]]
    router eigrp 100
    network 10.10.10.0 0.0.0.255
    network 10.10.12.0 0.0.0.255
    network 172.16.0.0 0.0.7.255
    no auto-summary
    no eigrp log-neighbor-changes
    !
    ip nat pool ovrld xxxxxxxxxxx xxxxxxxxxxxx netmask 255.255.255.252
    ip nat pool swimpool xxxxxxxxxxxx xxxxxxxxxxxxx prefix-length 26
    ip nat inside source list 120 pool swimpool overload
    ip nat inside source route-map nonat interface Serial0/0 overload
    ip nat inside source static tcp 172.16.1.112 80 xxxxxxxxxx 80 extendable
    ip nat inside source static tcp 172.16.1.112 443 xxxxxxxxxxxxx 443 extendable
    ip nat inside source static tcp 172.16.1.47 105 xxxxxxxxxxxx105 extendable
    ip nat inside source static tcp 172.16.1.111 105 xxxxxxxxxxxxx105 extendable
    ip nat inside source static 172.16.1.18 xxxxxxxxxxxxxx
    ip nat inside source static tcp 172.16.1.111 80 xxxxxxxxxxxxx8088 extendable
    ip nat inside source static tcp 172.16.1.116 80 xxxxxxxxxxxxx8089 extendable
    ip nat inside source static tcp 172.16.1.113 5160 xxxxxxxxxxxx5160 extendable
    ip nat inside source static tcp 172.16.1.122 7775 xxxxxxxxxxxxxx7775 extendable
    ip nat inside source static tcp 172.16.1.125 80 xxxxxxxxxxxxxxx8090 extendable
    ip nat inside source static tcp 172.16.1.106 3050 xxxxxxxxxxx3050 extendable
    ip nat inside source static tcp 172.16.1.113 1433 xxxxxxxxxxxx1433 extendable
    ip nat inside source static tcp 172.16.1.117 21 xxxxxxxxxxxx21 extendable
    ip nat inside source static tcp 172.16.1.117 20 xxxxxxx20 extendable
    ip nat inside source static tcp 172.16.1.113 5160 xxxxxxxxxxx5160 extendable
    ip nat inside source static tcp 172.16.1.67 5555 xxxxxxxxxxx5555 extendable
    ip nat inside source static tcp 172.16.1.67 5550 xxxxxxxxxxxxxxxx5550 extendable
    ip nat inside source static tcp 172.16.1.113 515 xxxxxxxxxxxxxxx515 extendable
    ip nat inside source static tcp 172.16.1.47 3389 xxxxxxxxxxxxx3389 extendable
    ip nat inside source static tcp 172.16.1.22 80 xxxxxxxxxxxx80 extendable
    ip nat inside source static 172.16.1.128 xxxxxxxxxxxxxxxx
    ip classless
    ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxx
    ip route 172.17.0.0 255.255.0.0 172.16.1.1
    ip route 192.168.25.0 255.255.255.0 10.10.12.2
    ip http server
    ip pim bidir-enable
    !
    access-list 7 permit 172.16.0.0 0.0.255.255
    access-list 100 permit tcp 172.16.0.0 0.0.255.255 any
    access-list 100 permit ip 172.16.0.0 0.0.7.255 any
    access-list 100 permit ip xxxxxxxxxxxx0.0.0.63 any
    access-list 100 permit ip 172.16.0.0 0.0.0.255 any
    access-list 101 permit icmp any any echo
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit tcp any any established
    access-list 101 permit tcp any any eq telnet
    access-list 101 permit gre any any
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 permit udp any eq isakmp any eq isakmp
    access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 135
    access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq 135
    access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 138
    access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq netbios-dgm
    access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 139
    access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq netbios-ss
    access-list 101 permit tcp any host xxxxxxxxxrange ftp-data ftp
    access-list 101 permit tcp any gt 1023 host xxxxxxxxxxgt 1023
    access-list 101 permit tcp any host xxxxxxxxeq www
    access-list 101 permit tcp any host xxxxxxxxxxeq 105
    access-list 101 permit tcp any host xxxxxxxxxxx eq 443
    access-list 101 permit tcp any host xxxxxxxxxeq lpd
    access-list 101 permit tcp any host xxxxxxxxxxxeq 1433
    access-list 101 permit tcp any host xxxxxxxxxxxxeq 3050
    access-list 101 permit tcp any host xxxxxxxxxxxxxxeq 3389
    access-list 101 permit tcp any host xxxxxxxxxxxxxxeq 5550
    access-list 101 permit tcp any host xxxxxxxxxxxx eq 5555
    access-list 101 permit tcp any host xxxxxxxxxxxxxxeq 5160
    access-list 101 permit tcp any host xxxxxxxxxxxxxxxeq 7775
    access-list 101 permit tcp any host xxxxxxxxxxxxeq 8088
    access-list 101 permit tcp any host xxxxxxxxxxx eq 8089
    access-list 101 permit tcp any host xxxxxxxxxxxxeq 8090
    access-list 101 permit ip any host xxxxxxxxxxxx
    access-list 101 permit ip any host xxxxxxxxxxxxx
    access-list 101 permit tcp any host 172.16.1.121 eq 7775
    access-list 101 permit tcp any host 192.168.1.150 eq 7775
    access-list 101 permit tcp any host xxxxxxxxxxxxeq 3389
    access-list 102 permit ip 172.16.0.0 0.0.7.255 xxxxxxxxxxx0.0.0.15
    access-list 102 permit ip xxxxxxxxxxx0.0.0.63 xxxxxxxx0.0.0.15
    access-list 108 permit ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
    access-list 109 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
    access-list 109 deny ip host 172.16.1.18 any
    access-list 109 permit ip 172.16.0.0 0.0.7.255 any
    access-list 110 permit ip 172.16.0.0 0.0.7.255 any
    access-list 120 deny ip host 172.16.1.2 any
    access-list 120 deny ip host 172.16.1.47 any
    access-list 120 deny ip host 172.16.1.67 any
    access-list 120 deny ip host 172.16.1.106 any
    access-list 120 deny ip host 172.16.1.113 any
    access-list 120 deny ip host 172.16.1.114 any
    access-list 120 deny ip host 172.16.1.117 any
    access-list 120 deny ip host 172.16.1.122 any
    access-list 120 deny ip host 172.16.1.125 any
    access-list 120 deny ip host 172.16.1.18 any
    access-list 120 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
    access-list 120 permit ip 172.16.0.0 0.0.7.255 any
    access-list 120 deny ip host 172.16.1.124 any
    ![[[[[[[[[[[AL for this VPN im working on]]]]]]]]]]]]]]]
    access-list 123 permit ip 172.16.0.0 0.0.7.255 xxxx{=sonic wall externalk ip}.0 0.0.0.15
    no cdp advertise-v2
    !
    route-map nonat permit 10
    match ip address 109
    !
    snmp-server community public RO
    call rsvp-sync
    !
    !
    mgcp profile default
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password 7 3435K534
    !
    !
    end
     
    hazevelsheli@hotmail.com, Sep 28, 2007
    #1

  2. hazevelsheli@hotmail.com

    hazevelsheli@hotmail.com

    Joined:
    Sep 28, 2007
    Messages:
    4
Also - what are "Phase 1" and "Phase 2"? Are those SonicWall-related commands?
Those requirements were given to me by the SonicWall-side admin.
     
    hazevelsheli@hotmail.com, Sep 28, 2007
    #2

3. thort

    thort

    Joined:
    Sep 26, 2007
    Messages:
    35
Phase 1 and Phase 2 refer to the negotiation phases of IPsec (and IKE) used to successfully build a tunnel.
All the parameters in these phases (how the tunnel is configured) must match on both sides, or both sides must be able to negotiate them. Even the unobvious ones, such as Main/Aggressive/PFS and whether SA associations are re-keyed based on bytes transferred.
Group 1 and Group 2 refer to the encryption strength, i.e. 768 bits, 1028 bits, etc.

Here are some config examples and caveats:
    http://www.cisco.com/en/US/products...s_configuration_example09186a008052c9d4.shtml
    http://sonicwall.com/us/support/323.html - The technote section has interoperability guides

My first question would be: have you verified that Phase 1 and 2 complete successfully? If so, then the IPsec config is probably OK and it's probably a higher-level config problem.

    Quick glance at config raises this question too:

    access-list 123 permit ip 172.16.0.0 0.0.7.255 xxxx{=sonic wall externalk ip}.0 0.0.0.15

Shouldn't it be {=sonic wall INTERNAL NET}, not EXTERNAL IP? Normally you wouldn't set up the PIX to tunnel/encrypt traffic to the external IP of the SonicWall, rather what's behind it.
     
    thort, Sep 29, 2007
    #3
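As an added example (not code from the thread or from either vendor), a small Python check of thort's point that every Phase 1 parameter must match: it parses the crypto isakmp policy blocks out of the posted sh run, fills in the IOS defaults for unset attributes (des/sha/rsa-sig/group 1/86400 s, assumed from IOS 12.x behaviour), reports which attributes differ from the SonicWall admin's Phase 1 requirements, and compares the configured pre-shared key with the stated shared secret.

```python
import re

# Values IOS assumes for anything a "crypto isakmp policy" block leaves unset (IOS 12.x defaults).
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
# Phase 1 requirements exactly as the SonicWall-side admin listed them in the thread.
SONICWALL_PHASE1 = {"encr": "des", "hash": "md5", "authentication": "pre-share",
                    "group": "2", "lifetime": "28800"}
# Constructed excerpt of the router's sh run from the thread (peer address stays redacted).
RUNNING_CONFIG = """crypto isakmp policy 5
 authentication pre-share
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 23
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key mynewsharessecretword address xx.xxx.xxx.xx
"""

def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} with IOS defaults filled in."""
    policies, current = {}, None
    for line in map(str.strip, config.splitlines()):
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = int(header.group(1))
            policies[current] = dict(IOS_DEFAULTS)
        elif current is not None and line and not line.startswith(("!", "crypto")):
            attr, value = line.split(None, 1)   # e.g. "group 2" -> ("group", "2")
            policies[current][attr] = value
        else:
            current = None                      # "!" or another top-level command ends the block
    return policies

def phase1_mismatches(config, required=SONICWALL_PHASE1):
    """Per policy, the attributes that differ from the remote requirement ([] = full match)."""
    # IOS as responder also accepts a shorter peer lifetime, so lifetime alone is informational.
    return {num: sorted(a for a, v in required.items() if attrs[a] != v)
            for num, attrs in parse_isakmp_policies(config).items()}

def preshared_key_matches(config, required_secret):
    """Compare the key configured for the peer with the secret the remote admin stated."""
    found = re.search(r"crypto isakmp key (\S+) address", config)
    return found is not None and found.group(1) == required_secret
```

On the thread's config every policy reports a hash mismatch (none of them sets hash md5) and the configured key differs from the stated secret by one letter; either would stop Phase 1 before the crypto ACL question even comes into play.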
