
Cisco 800 series VPN Site to Site issue

Asked by jtorrrres (United States)
Tags: VPN, Hardware Firewalls, Cisco
2 comments, 1 solution, 1146 views
Hello Experts,

Let me start out by saying that I am a beginner when it comes to Cisco security. I have managed to get a site-to-site tunnel working between my Cisco 819 ISR router and the corp router, which, FYI, I do not have access to. I was provided the information needed to establish the link and was able to get it working using VTI.

The issue I am having currently is that from my internal network (PCs connected to Fa0-3, which are all part of Vlan1), I cannot access the FTP/RDP hosts located in the remote network. I can ping the hosts from the LAN side and from within the console itself. When I test telnet to FTP using source Tunnel0 & GigabitEthernet0 it works and shows a status letting me know it's open.

I am sure I am missing something here. Any suggestions are much appreciated.

Remote network/hosts:

10.100.0.0/16
10.118.0.0/24

10.118.0.20 (ftp)
10.100.22.60 (rdp)
10.100.22.50 (rdp)

Below is a sanitized version of the config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 206.X.X.X
!
crypto ipsec transform-set ESP-MD5-HMAC esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile PROFILE1
 set transform-set ESP-MD5-HMAC
!
!
interface Tunnel0
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 206.X.X.X
 tunnel protection ipsec profile PROFILE1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 description WAN Connection$ETH-WAN$$FW_OUTSIDE$
 ip address 68.X.X.X 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description Inside Network$FW_INSIDE$
 ip address 192.168.242.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip default-gateway 68.x.x.x
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.242.6 3389 interface GigabitEthernet0 3389
ip route 10.100.0.0 255.255.0.0 Tunnel0
ip route 10.118.0.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip sla auto discovery
no cdp run
!
access-list 23 permit 192.168.242.0 0.0.0.255

To summarize:
- I can ping all hosts on the remote network from both the console and the LAN.
- Using telnet from the console to test FTP seems to work, but it does not work from the LAN.
- Using telnet from the console to test RDP does not work, nor does it work from the LAN.
- The remote hosts offering FTP/RDP I know are functional. We currently have a leased line (T1) through which they allowed access to their network, and I am able to use remote FTP/RDP. We are getting rid of the leased line and moving, hence the move to a site-to-site VPN.
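The accepted answer is not shown on this page, so what follows is an added diagnostic written by the editor, not part of the original post, that reads the posted config and makes one asymmetry explicit. Every console test (telnet with source Tunnel0, with source GigabitEthernet0, or with no source at all) leaves the router with the WAN address, because Tunnel0 is `ip unnumbered GigabitEthernet0`. A PC on Vlan1, on the other hand, is routed into Tunnel0 untranslated (Tunnel0 is neither `ip nat inside` nor `ip nat outside`) and reaches the corporate side as 192.168.242.x. Whether the corporate firewall or policy admits 192.168.242.0/24 is therefore the first thing to confirm with the remote administrator; the script cannot decide that, it only shows what each side sees. It also lists the phase-1/phase-2 parameters (3DES, MD5, DH group 2) that current Cisco guidance deprecates, unrelated to the connectivity problem but worth raising while the tunnel is being set up. Assumptions: the masked 68.X.X.X and 206.X.X.X are replaced with documentation-range placeholders 198.51.100.2 and 203.0.113.1; the NAT rule encoded below (inside-to-outside translation only when ingress is nat inside and egress is nat outside) is the editor's reading of IOS behaviour and should be confirmed on the router with `show ip nat translations` and `show crypto ipsec sa`; all function names are the editor's own.

```python
"""Static checks over the posted 819 config: what source address the remote side
sees for console tests versus LAN traffic, plus deprecated tunnel crypto."""
import ipaddress
import re

# Constructed copy of the relevant posted lines; the masked public addresses
# are replaced with documentation-range placeholders, NOT the real ones.
CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set ESP-MD5-HMAC esp-3des esp-md5-hmac
interface Tunnel0
 ip unnumbered GigabitEthernet0
 tunnel source GigabitEthernet0
 tunnel destination 203.0.113.1
interface GigabitEthernet0
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
interface Vlan1
 ip address 192.168.242.1 255.255.255.0
 ip nat inside
ip route 10.100.0.0 255.255.0.0 Tunnel0
ip route 10.118.0.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
"""

def parse_interfaces(cfg):
    """Map interface name -> address, 'ip unnumbered' target and NAT role."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"ip": None, "unnumbered": None, "nat": None}
        elif cur is not None and line.startswith(" "):
            t = line.split()
            if t[:2] == ["ip", "address"]:
                ifaces[cur]["ip"] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
            elif t[:2] == ["ip", "unnumbered"]:
                ifaces[cur]["unnumbered"] = t[2]
            elif t[:2] == ["ip", "nat"]:
                ifaces[cur]["nat"] = t[2]
        else:
            cur = None  # back at global configuration mode
    return ifaces

def parse_routes(cfg):
    """Static routes as (network, egress interface), longest prefix first."""
    routes = [(ipaddress.IPv4Network(f"{m[1]}/{m[2]}"), m[3])
              for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)$", cfg, re.M)]
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)

def egress(routes, dst):
    """Egress interface for dst by longest-prefix match over the static routes."""
    dst = ipaddress.IPv4Address(dst)
    return next((iface for net, iface in routes if dst in net), None)

def interface_address(ifaces, name):
    """Resolve 'ip unnumbered', so Tunnel0 yields the GigabitEthernet0 address."""
    info = ifaces[name]
    if info["unnumbered"]:
        return interface_address(ifaces, info["unnumbered"])
    return info["ip"].ip if info["ip"] else None

def console_test_source(ifaces, routes, dst, source_iface=None):
    """Source of a router-originated packet (console telnet/ping): the
    /source-interface address if given, else the egress interface address."""
    return interface_address(ifaces, source_iface or egress(routes, dst))

def lan_host_source(ifaces, routes, ingress, src_ip, dst):
    """(egress, source seen by remote, NAT-eligible) for a LAN packet.  Editor's
    reading of IOS: inside-to-outside NAT only when ingress is 'ip nat inside'
    AND egress is 'ip nat outside'; Tunnel0 is neither, so the source is kept."""
    out = egress(routes, dst)
    eligible = ifaces[ingress]["nat"] == "inside" and ifaces[out]["nat"] == "outside"
    return out, ipaddress.IPv4Address(src_ip), eligible

WEAK = {"3des": "3DES, 64-bit block cipher (Sweet32); prefer AES-256/AES-GCM",
        "md5": "MD5 HMAC deprecated; prefer SHA-256 or stronger",
        "dh-group-2": "DH group 2 (1024-bit MODP) deprecated; prefer 14/19/20"}

def weak_crypto(cfg):
    """Keys of WEAK present in the ISAKMP policy and IPsec transform set."""
    found = set()
    for t in (line.split() for line in cfg.splitlines()):
        if t[:2] == ["encr", "3des"] or "esp-3des" in t:
            found.add("3des")
        if t[:2] == ["hash", "md5"] or "esp-md5-hmac" in t:
            found.add("md5")
        if t[:1] == ["group"] and t[1:2] and t[1] in {"1", "2", "5"}:
            found.add(f"dh-group-{t[1]}")
    return sorted(found)

def report(cfg=CONFIG):
    """One line per remote host from the post, then the crypto findings."""
    ifaces, routes = parse_interfaces(cfg), parse_routes(cfg)
    lines = []
    for host in ("10.118.0.20", "10.100.22.60", "10.100.22.50"):
        out, seen, _ = lan_host_source(ifaces, routes, "Vlan1", "192.168.242.10", host)
        lines.append(f"{host} via {out}: console test sourced from "
                     f"{console_test_source(ifaces, routes, host)}, LAN host seen as {seen}")
    return lines + [f"weak crypto: {WEAK[k]}" for k in weak_crypto(cfg)]

if __name__ == "__main__":
    print("\n".join(report()))
```

Run it as-is to get the three per-host lines and the crypto findings; replace CONFIG with the real running config (`show running-config`) to check the live box. Two caveats the script does not cover: the console `telnet` test only proves the TCP handshake, so an MSS/MTU problem would show up later as stalled transfers rather than a closed port, and the `ip nat inside source static tcp ... 3389` line publishes RDP on the WAN address with no inbound access-list shown in the sanitized config, which deserves a look regardless of the tunnel.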