Cisco 800 series VPN Site to Site issue

Hello Experts,

Let me start out by saying that I am a beginner when it comes to Cisco security. I have managed to get a site-to-site tunnel working between my Cisco 819 ISR router and the corp router, which, FYI, I do not have access to. I was provided the information needed to establish the link and was able to get it working using VTI.

The issue I am having currently is that from my internal network (PCs connected to Fa0-3, which are all part of Vlan1), I cannot access the FTP/RDP hosts located in the remote network. I can ping the hosts from the LAN side and from within the console itself. When I test telnet to FTP using source Tunnel0 and GigabitEthernet0 it works and shows a status letting me know it's open.

I am sure I am missing something here. Any suggestions are much appreciated.

Remote network/hosts:

10.100.0.0/16
10.118.0.0/24

10.118.0.20 (ftp)
10.100.22.60 (rdp)
10.100.22.50 (rdp)

Below is a sanitized version of the config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 206.X.X.X
!
crypto ipsec transform-set ESP-MD5-HMAC esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile PROFILE1
 set transform-set ESP-MD5-HMAC
!
!
interface Tunnel0
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 206.X.X.X
 tunnel protection ipsec profile PROFILE1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 description WAN Connection$ETH-WAN$$FW_OUTSIDE$
 ip address 68.X.X.X 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description Inside Network$FW_INSIDE$
 ip address 192.168.242.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip default-gateway 68.x.x.x
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.242.6 3389 interface GigabitEthernet0 3389
ip route 10.100.0.0 255.255.0.0 Tunnel0
ip route 10.118.0.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip sla auto discovery
no cdp run
!
access-list 23 permit 192.168.242.0 0.0.0.255



To summarize:
- I can ping all hosts on the remote network from both the console and the LAN.
- Using telnet from the console to test FTP seems to work, but it does not work from the LAN.
- Using telnet from the console to test RDP does not work, nor does it work from the LAN.
- I know the remote hosts offering FTP/RDP are functional. We currently have a leased line (T1) over which they allowed access to their network, and I am able to use remote FTP/RDP. We are getting rid of the leased line and moving, hence the move to a site-to-site VPN.
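One detail in the question is worth testing directly: the telnet checks were sourced from Tunnel0 and GigabitEthernet0, and because Tunnel0 is configured with ip unnumbered GigabitEthernet0, both of those tests leave with the public 68.x.x.x address as the source. A PC on Vlan1 sources from 192.168.242.0/24 instead, so the corp side must have a route for that prefix pointing back into the tunnel and must permit it. The commands below are an added example for this thread, not part of the original post; they reproduce the LAN-side path from the 819's own console by sourcing from Vlan1, then check whether anything comes back. The addresses are the ones given in the question.

```cisco
! Reproduce what a LAN host sees: source the test from Vlan1 (192.168.242.1)
ping 10.118.0.20 source Vlan1
ping 10.100.22.60 source Vlan1
!
! TCP checks against the real service ports, again sourced from the inside interface
telnet 10.118.0.20 21 /source-interface Vlan1
telnet 10.100.22.60 3389 /source-interface Vlan1
!
! Confirm the remote prefixes really resolve to Tunnel0 and the tunnel is up
show ip route 10.118.0.20
show ip route 10.100.22.60
show interfaces Tunnel0 | include line protocol
show crypto session
!
! Compare the SA counters before and after the Vlan1-sourced tests:
! encaps climbing while decaps stays flat means packets leave through the
! tunnel but nothing returns, i.e. the far side has no return route for
! 192.168.242.0/24 (or filters it)
show crypto ipsec sa | include encaps|decaps
```

If the Vlan1-sourced pings and telnets fail while the Tunnel0-sourced ones succeed, and encaps rises without decaps, the 819 is doing its part and the fault is on the remote side, which is consistent with how this thread was resolved.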
Asked by jtorrrres
Matt V commented:
It sounds like they have not opened all the required ports on their end. The ACL for the leased line might not be the same ACL for the VPN tunnel.

jtorrrres (author) commented:
Thanks for the reply. I ended up finding out last night that they were having some routing issues. The ports were already open. After they resolved the routes, traffic was flowing.

In either case, it was on their end!
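A separate note on the configuration posted in the question, added here as an editorial example and not something raised in the thread: the ISAKMP policy negotiates 3DES, MD5 and DH group 2, and the transform set uses esp-3des with esp-md5-hmac. All of these are deprecated for new deployments (3DES is a 64-bit block cipher, MD5 is a broken hash, and 1024-bit DH is below current key-strength recommendations). The fragment below shows the same IKEv1/VTI setup with AES-256, SHA-256 and DH group 14 plus PFS. The transform-set name is assumed, and both peers have to be changed together, so this only works if the corp side, which the poster does not control, agrees to the same parameters.

```cisco
! Phase 1: same policy number and PSK authentication as the posted config,
! with the weak algorithms replaced
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ********* address 206.X.X.X
!
! Phase 2: AES-256 with SHA-256 integrity; the set name is an assumption
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! PFS forces a fresh DH exchange for each IPsec SA rekey
crypto ipsec profile PROFILE1
 set transform-set ESP-AES256-SHA256
 set pfs group14
!
! Tunnel0 is unchanged; it keeps referencing PROFILE1
interface Tunnel0
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 206.X.X.X
 tunnel protection ipsec profile PROFILE1
```

After both sides are updated, show crypto isakmp sa and show crypto ipsec sa confirm the negotiated algorithms; a mismatch on either phase shows up as the tunnel failing to come up rather than as a traffic problem like the one in this thread.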