Cisco 800 series VPN Site to Site issue
Hello Experts,
Let me start out by saying that I am beginner when it comes to Cisco security. I have managed to get a site-to-site tunnel working between my Cisco 819 ISR router and the corp router, which FYI, I do not have access to. I was provided the information needed to establish the link and was able to get it working using VTI.
The issue I am having currently is that from my internal network (PCs connected in Fa0-3, which all are part of Vlan1), I can not access the FTP/RDP hosts located in the remote network. I can ping the hosts from the lan side and from with in the console it self. When I test telnet ftp using source Tunnel0 & GigabitEtherner0 it works and shows a status letting me know its open.
I am sure I missing something here. Any suggestions are much appreciated.
Remote network/hosts:
10.100.0.0/16
10.118.0.0/24
10.118.0.20 (ftp)
10.100.22.60 (rdp)
10.100.22.50 (rdp)
Below is a sanitized version of config:
To summarize:
- I can ping all hosts on remote network from both console & LAN.
- Using telnet in console to test FTP seems to work but not from LAN.
- Using telnet in console to test RDP does not work nor does it work from LAN.
- The remote hosts offering FTP/RDP I know are functional. We currently have a leased line (T1) that they allowed access to their network and I am able to use remote ftp/rdp. We are getting rid of the leased line and moving, hence the move to site-to-site vpn.
Let me start out by saying that I am beginner when it comes to Cisco security. I have managed to get a site-to-site tunnel working between my Cisco 819 ISR router and the corp router, which FYI, I do not have access to. I was provided the information needed to establish the link and was able to get it working using VTI.
The issue I am having currently is that from my internal network (PCs connected in Fa0-3, which all are part of Vlan1), I can not access the FTP/RDP hosts located in the remote network. I can ping the hosts from the lan side and from with in the console it self. When I test telnet ftp using source Tunnel0 & GigabitEtherner0 it works and shows a status letting me know its open.
I am sure I missing something here. Any suggestions are much appreciated.
Remote network/hosts:
10.100.0.0/16
10.118.0.0/24
10.118.0.20 (ftp)
10.100.22.60 (rdp)
10.100.22.50 (rdp)
Below is a sanitized version of config:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ********* address 206.X.X.X
!
crypto ipsec transform-set ESP-MD5-HMAC esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile PROFILE1
set transform-set ESP-MD5-HMAC
!
!
interface Tunnel0
ip unnumbered GigabitEthernet0
tunnel source GigabitEthernet0
tunnel mode ipsec ipv4
tunnel destination 206.X.X.X
tunnel protection ipsec profile PROFILE1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
description WAN Connection$ETH-WAN$$FW_OUTSIDE$
ip address 68.X.X.X 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description Inside Network$FW_INSIDE$
ip address 192.168.242.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip default-gateway 68.x.x.x
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.242.6 3389 interface GigabitEthernet0 3389
ip route 10.100.0.0 255.255.0.0 Tunnel0
ip route 10.118.0.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip sla auto discovery
no cdp run
!
access-list 23 permit 192.168.242.0 0.0.0.255
To summarize:
- I can ping all hosts on remote network from both console & LAN.
- Using telnet in console to test FTP seems to work but not from LAN.
- Using telnet in console to test RDP does not work nor does it work from LAN.
- The remote hosts offering FTP/RDP I know are functional. We currently have a leased line (T1) that they allowed access to their network and I am able to use remote ftp/rdp. We are getting rid of the leased line and moving, hence the move to site-to-site vpn.
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
ASKER
In either case, it was on their end!