  • Cisco 2811 to Sonicwall VPN passthru

    I am having a problem with a new Cisco 2811 T1 router that I just installed. This router is only functioning as a T1 router and there is a Sonicwall 2040 Pro behind it. The background of this device is that my client wanted a hot-swappable router in case their router died. They had a Cisco 2611. Since the 2611s aren't available anymore, I got them a 2811. The setup is this:

    LAN A ----- Sonicwall 2040 ----- Cisco 2811 x x x x x Sonicwall tz150 ----- Lan B

    LAN A : 192.168.200.0
    Sonicwall 2040 WAN: 69.xxx.115.98
    Sonicwall 2040 LAN: 192.168.200.2
    Cisco 2811 FastEthernet: 69.xxx.115.97

    Sonicwall tz150 WAN: 69.xxx.47.90
    Sonicwall tz150 LAN: 192.168.201.1
    LAN B: 192.168.201.0



    I configured the 2811 to be the same as the 2611, installed it and began testing. I found that everything was working; both outbound traffic (web, etc.) and inbound traffic (OWA, web, Sonicwall GVPN client) were OK. My problem lies with the point-to-point VPN between the 2 Sonicwalls. With the old Cisco 2611 the p2p VPN comes right up and packets pass fine, but with the new 2811, the tunnel gets established, or so it seems, but no packets pass at all.

    So the point is that the old one worked fine but the new one with almost the same configuration won't. I have also tried swapping the 2611 back in and it brings up the tunnel. You will see the ACL in the 2811 config; Cisco put that in there in hopes of resolving the issue.

    I have worked with Cisco for several hours across many days and we can't seem to come up with a resolution. Below I will post the old 2611 config and the new 2811 config. Any help is appreciated!!! Thanks in advance!

    -Mike

    -----------------------------------------------------------------

    2611 config:

    xxxxxxx#show running
    Building configuration...
    Current configuration : 1133 bytes
    !
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname xxxxxxx
    !
    enable password *********
    !
    !
    !
    !
    !
    ip subnet-zero
    ip domain-name ALTER.NET
    ip name-server 198.6.1.2
    !
    !
    !
    !
    interface Ethernet0/0
    description To Office Ethernet
    ip address 69.xxx.115.97 255.255.255.224
    ip access-group 102 in
    no keepalive
    !
    interface Serial0/0.1 point-to-point
    bandwidth 1536
    ip address 69.xxx.59.110 255.255.255.252
    no arp frame-relay
    frame-relay interface-dlci 16
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0.1
    no ip http server
    !
    access-list 102 permit ip any any
    snmp-server community adbb1a05a3 RO
    snmp-server community 56db77e27a RO
    snmp-server enable traps snmp
    !
    line con 0
    password xxxxxxxxxx
    login
    transport preferred none
    line aux 0
    line vty 0 4
    password xxxxxxxxx
    login
    transport preferred none
    !
    end
    -----------------------------------------------------------------

    2811 Config:

    Building configuration...
    Current configuration : 2010 bytes
    !
    version 12.4
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    no service password-encryption
    !
    hostname xxxxxxxxxxx
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    ip subnet-zero
    no ip gratuitous-arps
    ip tcp synwait-time 100
    !
    !
    ip cef
    !
    !
    ip domain name xxxxxxxxxx
    ip name-server 198.6.1.2
    !
    username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxx
    !
    !
    !
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$
    ip address 69.xxx.115.97 255.255.255.224
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    no ip address
    ip mask-reply
    ip directed-broadcast
    shutdown
    duplex auto
    speed auto
    !
    interface Serial0/0/0
    no ip address
    ip mask-reply
    ip directed-broadcast
    encapsulation frame-relay
    !
    interface Serial0/0/0.1 point-to-point
    description $FW_OUTSIDE$$ES_WAN$
    ip address 69.xxx.59.110 255.255.255.252
    ip directed-broadcast
    no arp frame-relay
    frame-relay interface-dlci 16 IETF
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
    !
    ip http server
    ip http authentication local
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    logging trap debugging
    access-list 117 permit ip host 69.xxx.47.90 host 69.xxx.115.98
    access-list 117 permit ip any any
    no cdp run
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport input telnet
    line vty 5 15
    privilege level 15
    login local
    transport input telnet
    !
    scheduler allocate 20000 1000
    !
    end

  • #2
    Re: Cisco 2811 to Sonicwall VPN passthru

    Try applying the 117 access-list to the fa0/0 interface.

    router(config-if)#ip access-group 117 in
    CCNA, Network+



    • #3
      Re: Cisco 2811 to Sonicwall VPN passthru

      That is where Cisco had put it. It didn't help... thanks though.



      • #4
        Re: Cisco 2811 to Sonicwall VPN passthru

        Try removing this from the access-list:
        access-list 117 permit ip host 69.xxx.47.90 host 69.xxx.115.98
        That is the only difference between the two routers in regards to acls.
        CCNA, Network+

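Added example, not from the thread or from any of the posters: a small evaluator for the numbered extended ACL syntax that appears in the posted configs, run against the three flows a site-to-site IPsec tunnel sends in one direction (IKE on UDP/500, NAT-T on UDP/4500 when NAT sits in the path, and ESP, IP protocol 50). It checks ACL 117 as posted, then a constructed restrictive ACL that forgot ESP, then the same ACL with the missing entries. The 198.51.100.98 and 203.0.113.90 addresses are RFC 5737 documentation stand-ins for the redacted 69.xxx peer addresses; the Packet/Ace types and all function names are this example's own. Note that because ACL 117 ends in permit ip any any, an evaluator can only confirm that it does not drop the tunnel traffic, which is consistent with what #3 reports.

```python
"""Evaluate Cisco IOS numbered extended ACL lines against IPsec tunnel flows.

Added example, not the thread's code. Handles the syntax seen in the posted
configs: permit/deny, ip/icmp/tcp/udp/gre/esp/ah, 'any', 'host A.B.C.D',
'A.B.C.D wildcard', and an optional trailing 'eq <port>'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS protocol keyword -> IP protocol number; 'ip' matches any protocol.
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                  # IP protocol number (17 = UDP, 50 = ESP, ...)
    dport: Optional[int] = None


@dataclass
class Ace:                      # one access-list entry
    action: str
    proto: Optional[int]        # None means 'ip' (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host X' or 'X wildcard' starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)      # IOS wildcard is an inverted mask
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2


def parse_acl(text: str) -> Dict[int, List[Ace]]:
    """Collect 'access-list N ...' lines into per-number entry lists, in order."""
    acls: Dict[int, List[Ace]] = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue                                            # blank lines, '!' comments, other config
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
        acls.setdefault(number, []).append(Ace(action, PROTO_NUM[proto], src, dst, dport))
    return acls


def permits(aces: List[Ace], pkt: Packet) -> bool:
    """First matching entry decides; falling off the end is the implicit deny."""
    for ace in aces:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False


def ipsec_flows(src: str, dst: str) -> List[Tuple[str, Packet]]:
    """One direction of a site-to-site IPsec tunnel: IKE, NAT-T (only with NAT in the path), ESP."""
    return [("IKE udp/500", Packet(src, dst, 17, 500)),
            ("NAT-T udp/4500", Packet(src, dst, 17, 4500)),
            ("ESP ip/50", Packet(src, dst, 50))]


def check_ipsec(acl_text: str, number: int, src: str, dst: str) -> Dict[str, bool]:
    aces = parse_acl(acl_text).get(number, [])
    return {name: permits(aces, p) for name, p in ipsec_flows(src, dst)}


LOCAL_PEER = "198.51.100.98"    # stand-in for the Sonicwall 2040 WAN address behind fa0/0
REMOTE_PEER = "203.0.113.90"    # stand-in for the Sonicwall tz150 WAN address

# ACL 117 as posted, addresses substituted. Applied inbound on fa0/0 it only ever sees
# packets sourced from the local peer, so the first line never matches there; the
# 'any any' line permits everything regardless.
THREAD_ACL = f"""
access-list 117 permit ip host {REMOTE_PEER} host {LOCAL_PEER}
access-list 117 permit ip any any
"""

# Constructed restrictive ACL that forgot ESP: IKE completes, data never passes.
STRICT_ACL = f"""
access-list 118 permit udp host {LOCAL_PEER} host {REMOTE_PEER} eq 500
access-list 118 permit tcp any any eq 443
"""

# Constructed corrected ACL: adds the NAT-T and ESP entries the tunnel needs.
FIXED_ACL = STRICT_ACL + f"""
access-list 118 permit udp host {LOCAL_PEER} host {REMOTE_PEER} eq 4500
access-list 118 permit esp host {LOCAL_PEER} host {REMOTE_PEER}
"""

if __name__ == "__main__":
    print("117 as posted:", check_ipsec(THREAD_ACL, 117, LOCAL_PEER, REMOTE_PEER))
    print("118 strict:   ", check_ipsec(STRICT_ACL, 118, LOCAL_PEER, REMOTE_PEER))
    print("118 fixed:    ", check_ipsec(FIXED_ACL, 118, LOCAL_PEER, REMOTE_PEER))
```

The evaluator only models the ACL; it says nothing about the Frame Relay encapsulation or other interface-level differences between the two configs, which this check cannot rule in or out. The practical use is the strict-versus-fixed comparison: a filter that only names UDP/500 will let the tunnel negotiate and then silently drop every ESP packet, which looks exactly like "tunnel up, no traffic".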