VPN can't ping Cisco router/CME over VPN

Hello all,

This is a continuation of "Q_23843460".

Please refer to the attached drawing.

The ISP built the VPN to connect the two locations. For now they forgot to add the network to the VPN policy, so only the to connectivity is supposed to work.

Here is the problem: From SITE2 I can ping thru the VPN tunnel, but only the ISP gateway ( or any of the computers ( or  I can't ping the Cisco 2801 hosting CME ( or the AIM CUE (

When the ISP logs into the SITE1 Router they can locally ping  

1. Do I have to change the 2801's config to be "pingable" thru the VPN from the other side?
2. Do I have to do something extra for the network to be visible from SITE2 assuming the ISP sets up their VPN policy properly?

I attached part of the 2801 config.

interface FastEthernet0/0
 no ip address
 speed 100
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address
 no snmp trap link-status
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address
 no snmp trap link-status
interface Service-Engine0/1
 ip unnumbered FastEthernet0/0.1
 service-module ip address
 service-module ip default-gateway
interface FastEthernet0/1
 duplex auto
 speed auto
interface Serial0/1/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable
ip default-gateway
ip route
ip route Service-Engine0/1


What is the default gateway on the PCs that you can ping at site 1 and the PC and phone at site 2?
Mark_er (Author) Commented:
Default Gateway on the PCs (PC1, PC2) at SITE1 is

Default Gateway on the PC (PC3) at SITE2 is

I am not sure about the phone at SITE2 but I assume it pulls DHCP from (The phone is not working yet, as we have no IP connectivity to yet...)

Everything looks fine on your router. Do a "show ip route" and post the output
do a "ping" from your 2801 and then do another "ping source"
If they both fail do a "ping"

Mark_er (Author) Commented:
sh ip route:

Codes: <snip>

Gateway of last resort is not set
 is variably subnetted, 3 subnets, 2 masks
S  is directly connected, Service-Engine0/1
C  is directly connected, FastEthernet0/0.1
C  is directly connected, FastEthernet0/0.10


"do a "ping" from your 2801 and then do another "ping source" "

they both failed

"If they both fail do a "ping" "

ping succeeds.
Notice that even though you have ip route you don't have a default route.
Try putting in ip route
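
Added example (not part of the original thread): a small Python check for the condition diagnosed above, where a router with IP routing enabled has only "ip default-gateway" and no static default route, so replies to the far side of the VPN have nowhere to go. The addresses and sample text are constructed, and using the default-gateway address as the next hop is an assumption, not the value from the reply.

```python
import re

# Constructed sample (documentation-range addresses, not the poster's values):
# IP routing is on, a host route exists, but only "ip default-gateway" is set.
SAMPLE_CONFIG = """\
interface FastEthernet0/0.1
 ip address 192.0.2.2 255.255.255.0
ip default-gateway 192.0.2.1
ip route 198.51.100.10 255.255.255.255 Service-Engine0/1
"""
SAMPLE_SHOW_IP_ROUTE = """\
Gateway of last resort is not set
C    192.0.2.0/24 is directly connected, FastEthernet0/0.1
S    198.51.100.10/32 is directly connected, Service-Engine0/1
"""

STATIC_DEFAULT = re.compile(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", re.M)
DEFAULT_GATEWAY = re.compile(r"^\s*ip default-gateway (\S+)", re.M)
NO_IP_ROUTING = re.compile(r"^\s*no ip routing\b", re.M)


def audit_default_path(config: str, show_ip_route: str = "") -> list[str]:
    """Return findings about how off-subnet replies will be forwarded."""
    findings = []
    routing_on = NO_IP_ROUTING.search(config) is None
    static_default = STATIC_DEFAULT.search(config)
    gateway = DEFAULT_GATEWAY.search(config)
    if routing_on and gateway and not static_default:
        # Assumption: the intended next hop is the configured gateway address.
        findings.append(
            f"ip default-gateway {gateway.group(1)} is ignored while IP routing "
            f"is enabled; add: ip route 0.0.0.0 0.0.0.0 {gateway.group(1)}"
        )
    elif routing_on and not static_default:
        findings.append("no static default route configured")
    if "Gateway of last resort is not set" in show_ip_route:
        findings.append("routing table has no gateway of last resort")
    return findings


if __name__ == "__main__":
    for finding in audit_default_path(SAMPLE_CONFIG, SAMPLE_SHOW_IP_ROUTE):
        print(finding)
```
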
Mark_er (Author) Commented:
That did it! Now I can ping SITE2 from the router! Let me remotely access the other site (SITE2) to see if it works backwards too.
Mark_er (Author) Commented:
OK It also works from SITE2 now!

Do I need to do anything for the network in the routing table? (The VPN is not yet set up for the network by the ISP.)

No the ISP should have a route in their routers that point to You are covered as you only need to know how to get to

Mark_er (Author) Commented:
Excellent, as usual.
Mark_er (Author) Commented:
One more question:

What do I need to do to make the interface pingable from the IAD ( ? The ISP won't do the VPN because they can't see network.
Do they need to set up a 10.0.3.x subinterface on the IAD? With dot1q encapsulation? The Catalyst port that the routers connect to is configured for "router"; I assume that means trunking.
