Avatar of jtorrrres
jtorrrresFlag for United States of America asked on

Cisco 800 series VPN Site to Site issue

Hello Experts,

Let me start out by saying that I am beginner when it comes to Cisco security. I have managed to get a site-to-site tunnel working between my Cisco 819 ISR router and the corp router, which FYI, I do not have access to. I was provided the information needed to establish the link and was able to get it working using VTI.

The issue I am having currently is that from my internal network (PCs connected in Fa0-3, which all are part of Vlan1), I can not access the FTP/RDP hosts located in the remote network. I can ping the hosts from the lan side and from with in the console it self. When I test telnet ftp using source Tunnel0 & GigabitEtherner0 it works and shows a status letting me know its open.

I am sure I missing something here. Any suggestions are much appreciated.

Remote network/hosts:

10.100.0.0/16
10.118.0.0/24

10.118.0.20 (ftp)
10.100.22.60 (rdp)
10.100.22.50 (rdp)

Below is a sanitized version of config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 206.X.X.X
!
crypto ipsec transform-set ESP-MD5-HMAC esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile PROFILE1
 set transform-set ESP-MD5-HMAC
!
!
interface Tunnel0
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 206.X.X.X
 tunnel protection ipsec profile PROFILE1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 description WAN Connection$ETH-WAN$$FW_OUTSIDE$
 ip address 68.X.X.X 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description Inside Network$FW_INSIDE$
 ip address 192.168.242.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip default-gateway 68.x.x.x
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.242.6 3389 interface GigabitEthernet0 3389
ip route 10.100.0.0 255.255.0.0 Tunnel0
ip route 10.118.0.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip sla auto discovery
no cdp run
!
access-list 23 permit 192.168.242.0 0.0.0.255

Open in new window


To summarize:
- I can ping all hosts on remote network from both console & LAN.
- Using telnet in console to test FTP seems to work but not from LAN.
- Using telnet in console to test RDP does not work nor does it work from LAN.
- The remote hosts offering FTP/RDP I know are functional. We currently have a leased line (T1) that they allowed access to their network and I am able to use remote ftp/rdp. We are getting rid of the leased line and moving, hence the move to site-to-site vpn.
CiscoVPNHardware Firewalls

Avatar of undefined
Last Comment
jtorrrres

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Matt V

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
jtorrrres

Thanks for the reply. I ended up finding out last night that they were having some routing issues. The ports were already open. After they resolved the routes, traffic was flowing.

In either case, it was on their end!
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy