jtorrrres
asked on
Cisco 800 series VPN Site to Site issue
Hello Experts,
Let me start out by saying that I am a beginner when it comes to Cisco security. I have managed to get a site-to-site tunnel working between my Cisco 819 ISR router and the corp router, which FYI, I do not have access to. I was provided the information needed to establish the link and was able to get it working using VTI.
The issue I am having currently is that from my internal network (PCs connected to Fa0-3, which are all part of Vlan1), I cannot access the FTP/RDP hosts located in the remote network. I can ping the hosts from the LAN side and from within the console itself. When I test telnet to FTP using source Tunnel0 & GigabitEthernet0 it works and shows a status letting me know it's open.
I am sure I am missing something here. Any suggestions are much appreciated.
Remote network/hosts:
10.100.0.0/16
10.118.0.0/24
10.118.0.20 (ftp)
10.100.22.60 (rdp)
10.100.22.50 (rdp)
Below is a sanitized version of the config:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 206.X.X.X
!
crypto ipsec transform-set ESP-MD5-HMAC esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile PROFILE1
 set transform-set ESP-MD5-HMAC
!
!
interface Tunnel0
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 206.X.X.X
 tunnel protection ipsec profile PROFILE1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 description WAN Connection$ETH-WAN$$FW_OUTSIDE$
 ip address 68.X.X.X 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description Inside Network$FW_INSIDE$
 ip address 192.168.242.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip default-gateway 68.x.x.x
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.242.6 3389 interface GigabitEthernet0 3389
ip route 10.100.0.0 255.255.0.0 Tunnel0
ip route 10.118.0.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip sla auto discovery
no cdp run
!
access-list 23 permit 192.168.242.0 0.0.0.255
To summarize:
- I can ping all hosts on remote network from both console & LAN.
- Using telnet in console to test FTP seems to work but not from LAN.
- Using telnet in console to test RDP does not work nor does it work from LAN.
- The remote hosts offering FTP/RDP I know are functional. We currently have a leased line (T1) that they allowed access to their network over, and I am able to use remote FTP/RDP. We are getting rid of the leased line and moving, hence the move to site-to-site VPN.
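Before escalating symptoms like these (ping works, TCP from the LAN does not, TCP sourced from the router does) to the peer, it is worth mechanically ruling out the local-side conditions that produce them. The checker below is an added example, not code from the thread or from Cisco; it parses a trimmed copy of the posted config (same sanitized addresses) and flags four things a practitioner would verify first: each remote subnet routed via the VTI, tunnel protection applied, no NAT on the tunnel interface, and an MSS clamp on the inside interface. The interface and subnet names passed to `check_vti` are taken from the question.

```python
import re
# Trimmed copy of the sanitized config posted in the question (one-space indent).
CONFIG = """\
interface Tunnel0
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 206.X.X.X
 tunnel protection ipsec profile PROFILE1
!
interface GigabitEthernet0
 ip address 68.X.X.X 255.255.255.248
 ip nat outside
!
interface Vlan1
 ip address 192.168.242.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
!
ip route 10.100.0.0 255.255.0.0 Tunnel0
ip route 10.118.0.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
"""

def parse_interfaces(cfg):  # -> {interface name: set of its sub-commands}
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = set()
        elif line.startswith(" ") and current is not None:
            ifaces[current].add(line.strip())
        else:
            current = None          # any top-level command ends the block
    return ifaces

def check_vti(cfg, tunnel, inside, remote_nets):
    """Return a list of findings; an empty list means every check passed."""
    ifaces, findings = parse_interfaces(cfg), []
    routes = dict(re.findall(r"^ip route (\S+ \S+) (\S+)", cfg, re.M))
    for net in remote_nets:         # each remote subnet must point at the VTI
        if routes.get(net) != tunnel:
            findings.append(f"{net} is not routed via {tunnel}")
    t = ifaces.get(tunnel, set())
    if "tunnel mode ipsec ipv4" not in t or not any(c.startswith("tunnel protection") for c in t):
        findings.append(f"{tunnel} is not a protected IPsec VTI")
    if "ip nat outside" in t:       # VTI traffic should leave untranslated
        findings.append(f"{tunnel} is a NAT outside interface")
    if not any(c.startswith("ip tcp adjust-mss") for c in ifaces.get(inside, set())):
        findings.append(f"no MSS clamp on {inside}")
    return findings
```

Run against the posted config, `check_vti(CONFIG, "Tunnel0", "Vlan1", ["10.100.0.0 255.255.0.0", "10.118.0.0 255.255.255.0"])` returns no findings, which is consistent with the asker's conclusion that the problem was not on the local router.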
ASKER
In either case, it was on their end!