
Unable to access remote servers across VPN ipsec tunnel

Hello! Having an issue where I am unable to access or ping servers on the remote sides through a site-to-site tunnel.

Here's the setup:

Site A:
Cisco 861, 10.1.1.1/24 network
UC500, 172.16.4.1/24 (phones)

Site B:
Cisco UC520, 10.0.0.1/24 (data side), 172.16.6.1/24 (phones)

At Site A, when trying to access a server at Site B that has port 3389 opened to the outside world, I cannot ping or access it using its internal IP. I can, however, ping or access other systems/devices that do not have any ports forwarded to them. Also, this is true for both sides of the tunnel.

Any help is greatly appreciated!!


Accepted Solutions

Re: Unable to access remote servers across VPN ipsec tunnel

Hi!

Please make the following changes:

Site A:

interface loopback 10
 ip address 1.254.254.1 255.255.255.252
exit
!
ip access-list extended NAT_BYPASS_VPN
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
exit
!
route-map INSIDE_ROUTE-MAP permit 10
 set ip next-hop 1.254.254.2
 match ip address NAT_BYPASS_VPN
exit
!
interface Vlan1
 ip policy route-map INSIDE_ROUTE-MAP
exit
!
ip access-list extended SDM_1
 no permit ip host 10.1.1.23 0.0.0.0 255.255.255.0
 no permit ip host 98.x.x.133 10.0.0.0 0.0.0.255
 no permit ip 98.x.x.0 0.0.0.255 10.0.0.0 0.0.0.255
!

Site B:

ip access-list extended NAT_BYPASS_VPN
 permit ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255
 permit ip 172.16.6.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 172.16.6.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 172.16.4.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 172.16.4.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255
exit
!
interface loopback 10
 ip address 1.254.254.1 255.255.255.252
exit
!
route-map INSIDE_ROUTE-MAP permit 10
 set ip next-hop 1.254.254.2
 match ip address NAT_BYPASS_VPN
exit
!
interface BVI1
 ip policy route-map INSIDE_ROUTE-MAP
!
interface BVI100
 ip policy route-map INSIDE_ROUTE-MAP
!

Let me know how it works and remember that entries are evaluated in order of their sequence numbers until the first match occurs. If no match is found, packets are routed normally.

Portu.

Please rate if you find it helpful.
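An added example, not part of the thread or of the answer above: it applies the first-match rule Portu describes to the two NAT_BYPASS_VPN lists (subnet entries copied from the answer) and checks that Site B's list is the mirror image of Site A's, which is what keeps return traffic policy-routed on the far side. The host addresses used in the calls are constructed.

```python
import ipaddress

# Entries copied from the accepted answer, as (src, src-wildcard, dst, dst-wildcard).
SITE_A_ACL = [
    ("10.1.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("10.1.1.0", "0.0.0.255", "172.16.6.0", "0.0.0.255"),
    ("10.1.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("172.16.4.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("172.16.4.0", "0.0.0.255", "172.16.6.0", "0.0.0.255"),
    ("172.16.4.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("192.168.3.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("192.168.3.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("192.168.3.0", "0.0.0.255", "172.16.6.0", "0.0.0.255"),
]
SITE_B_ACL = [
    ("172.16.6.0", "0.0.0.255", "172.16.4.0", "0.0.0.255"),
    ("172.16.6.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    ("172.16.6.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("192.168.2.0", "0.0.0.255", "172.16.4.0", "0.0.0.255"),
    ("192.168.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    ("192.168.2.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("10.0.0.0", "0.0.0.255", "172.16.4.0", "0.0.0.255"),
    ("10.0.0.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    ("10.0.0.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
]

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def first_match(acl, src, dst):
    """Index of the first permit entry a src->dst flow hits, or None for the implicit
    deny: the route-map then does not match and the packet is routed normally."""
    for i, (s, sw, d, dw) in enumerate(acl):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return i
    return None

def is_mirror(acl_a, acl_b):
    """True when every src/dst pair in one site's list appears reversed in the other's."""
    return set(acl_a) == {(d, dw, s, sw) for (s, sw, d, dw) in acl_b}
```

A flow to the internet (no entry matches) returns None, so it falls through to normal routing and the static NAT still applies; only the site-to-site pairs get the loopback next-hop.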


3 REPLIES


Unable to access remote servers across VPN ipsec tunnel

That did the trick, thanks so much for the help!!

Unable to access remote servers across VPN ipsec tunnel

You are very welcome

Take care!!
