
Cisco 800 series VPN Site to Site issue

Asked by jtorrrres (United States)
Topics: VPN, Hardware Firewalls, Cisco
Hello Experts,

Let me start out by saying that I am a beginner when it comes to Cisco security. I have managed to get a site-to-site tunnel working between my Cisco 819 ISR router and the corp router, which, FYI, I do not have access to. I was provided the information needed to establish the link and was able to get it working using VTI.

The issue I am having currently is that from my internal network (PCs connected to Fa0-3, which are all part of Vlan1), I cannot access the FTP/RDP hosts located in the remote network. I can ping the hosts from the LAN side and from within the console itself. When I test telnet to the FTP port using source Tunnel0 and GigabitEthernet0 it works and shows a status letting me know it is open.

I am sure I am missing something here. Any suggestions are much appreciated.

Remote network/hosts: (ftp) (rdp) (rdp)

Below is a sanitized version of the config:

! IKEv1 phase 1 (ISAKMP) policy and the pre-shared key for the corp peer
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 206.X.X.X
! IPsec phase 2 transform set and the profile applied to the VTI
crypto ipsec transform-set ESP-MD5-HMAC esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile PROFILE1
 set transform-set ESP-MD5-HMAC
! Virtual tunnel interface: borrows the WAN address, protected by PROFILE1
interface Tunnel0
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 206.X.X.X
 tunnel protection ipsec profile PROFILE1
! Switch ports Fa0-3 (Layer 2 members of Vlan1)
interface FastEthernet0
 no ip address
interface FastEthernet1
 no ip address
interface FastEthernet2
 no ip address
interface FastEthernet3
 no ip address
! WAN side, NAT outside
interface GigabitEthernet0
 description WAN Connection$ETH-WAN$$FW_OUTSIDE$
 ip address 68.X.X.X
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
! LAN side, NAT inside (MSS clamped for the tunnel overhead)
interface Vlan1
 description Inside Network$FW_INSIDE$
 ip address
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
! Management, NAT and routing (addresses removed by the poster)
ip default-gateway 68.x.x.x
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 3389 interface GigabitEthernet0 3389
ip route Tunnel0
ip route Tunnel0
ip route GigabitEthernet0
ip sla auto discovery
no cdp run
access-list 23 permit

To summarize:
- I can ping all hosts on the remote network from both the console and the LAN.
- Using telnet from the console to test FTP seems to work, but it does not work from the LAN.
- Using telnet from the console to test RDP does not work, nor does it work from the LAN.
- I know the remote hosts offering FTP/RDP are functional. We currently have a leased line (T1) through which they allowed access to their network, and I am able to use remote FTP/RDP over it. We are getting rid of the leased line and moving, hence the move to a site-to-site VPN.
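As an added example (this is not code from the question or from any answer on the page): a small Python audit that parses the sanitized configuration above the way a reviewer would before the tunnel goes into production. It reports the IKE/IPsec algorithms that are deprecated (3DES, MD5, DH group 2), the plaintext HTTP management server, the static NAT rule that publishes TCP/3389 on the WAN interface, and which interfaces carry a NAT role, so it is clear that traffic entering Tunnel0 is not translated. The embedded configuration is a copy of the posted one, including its redactions; the weak-algorithm lists and the wording of the findings are this example's own choices, not output of any Cisco tool.

```python
import re

# Constructed input: the sanitised configuration posted in the question,
# copied as-is (the poster redacted addresses, so some values are missing).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 206.X.X.X
crypto ipsec transform-set ESP-MD5-HMAC esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile PROFILE1
 set transform-set ESP-MD5-HMAC
interface Tunnel0
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 206.X.X.X
 tunnel protection ipsec profile PROFILE1
interface GigabitEthernet0
 ip address 68.X.X.X
 ip nat outside
interface Vlan1
 ip nat inside
 ip tcp adjust-mss 1452
ip http server
ip http secure-server
ip nat inside source static tcp 3389 interface GigabitEthernet0 3389
"""

# Algorithm lists are this example's own policy choice: DES/3DES, MD5 and
# DH groups 1/2/5 are deprecated; prefer AES, SHA-2 and DH group 14 or higher.
WEAK_ISAKMP = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
# Matches the static port forward whether or not the inside address was redacted.
STATIC_NAT = re.compile(
    r"ip nat inside source static tcp (?:\S+ )?(\d+) interface (\S+) (\d+)"
)


def parse_sections(text):
    """Split IOS config text into (header, [sub-commands]) blocks.

    IOS indents sub-commands with a leading space; every unindented line
    starts a new block, so a global one-liner is a block with an empty body.
    """
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " " and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(text):
    """Return a list of human-readable findings for the given config text."""
    findings = []
    nat_roles = {}
    for header, body in parse_sections(text):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            for line in body:
                kv = line.split()
                if len(kv) == 2 and kv[1] in WEAK_ISAKMP.get(kv[0], ()):
                    findings.append(f"{header}: weak '{line}' (prefer AES, SHA-2, DH group 14+)")
        elif header.startswith("crypto ipsec transform-set"):
            weak = [w for w in words[4:] if w in WEAK_ESP]
            if weak:
                findings.append(f"transform-set {words[3]}: weak {' '.join(weak)}")
        elif header.startswith("interface "):
            role = "none"
            if "ip nat inside" in body:
                role = "inside"
            elif "ip nat outside" in body:
                role = "outside"
            nat_roles[words[1]] = role
        elif header == "ip http server":
            findings.append("ip http server: plaintext HTTP management enabled alongside HTTPS")
        else:
            m = STATIC_NAT.match(header)
            if m:
                findings.append(
                    f"static NAT exposes TCP/{m.group(3)} on {m.group(2)} "
                    f"to the Internet, forwarded to inside port {m.group(1)}"
                )
    # A VTI with neither ip nat inside nor outside: packets entering it are not translated.
    for name, role in nat_roles.items():
        if name.startswith("Tunnel") and role == "none":
            findings.append(f"{name}: no ip nat inside/outside, so traffic through the tunnel is not translated")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a `show running-config` capture to get the same report for a real device; the checks are deliberately lexical (no Cisco libraries), so they work offline on any IOS-style text.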