Question : Cisco 870 Series, Site-to-Site VPN only allowing traffic one way.

I have two sites, that both have Cisco 870 Series routers. I currently have a Site to Site VPN setup on Site 2 that connects back to Site 1. The connection establishes fine and i can use Remote Desktop to connect to computers at Site 1 from Site 2, but I cannot use remote desktop from computers at Site 1 to connect to a server at Site 2. I need the VPN tunnel to be bidirectional with the traffic flow and allow connections from either side on any port.

Im including my two configs.

Thanks in Advance

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:

           
           
          Site 1
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco871w
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization ipmobile default group rad_pmip 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name cpd.local
!
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REMOVED address xxx.xxx.0.1
!
crypto isakmp client configuration group REMOVED
 key REMOVED
 pool SDM_POOL_1
 acl 103
 max-users 30
crypto isakmp profile sdm-ike-profile-1
   match identity group REMOVED
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel toXXX.XXX.XXX.1
 set peer XXX.XXX.XXX.1
 set transform-set ESP-3DES-SHA1 
 match address 101
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address OUT.SID.ADD.49 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size REMOVED transmit-key
 encryption mode REMOVED mandatory 
 !
 ssid ssidwifi
    authentication open 
    wpa-psk ascii REMOVED
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.0.10 255.255.255.0
 ip access-group 150 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 172.16.0.1 172.16.0.255
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.54
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 100 remark SDM_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 150 remark port 80 block
access-list 150 deny   tcp host 192.168.0.x any eq www
access-list 150 deny   tcp host 192.168.0.x any eq www
access-list 150 deny   tcp host 192.168.0.x any eq www
access-list 150 deny   tcp host 192.168.0.x any eq www
access-list 150 deny   tcp host 192.168.0.x any eq www
access-list 150 permit ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CC
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level REMOVED
 password REMOVED
 transport input telnet ssh
!
scheduler max-task-time 5000
end

           
         

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:

           
           
          Site 2
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret REMOVED
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
!
aaa session-id common
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
!
dot11 syslog
no ip source-route
ip cef
!
!
no ip bootp server
ip domain name domain.local
ip name-server 192.168.1.10
!
!
!
REMOVED
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REMOVED address xxx.xxx.xxx.49
!
crypto isakmp client configuration group REMOVED
 key REMOVED
 pool SDM_POOL_1
 acl 100
 max-users 14
 netmask 255.255.255.240
crypto isakmp profile sdm-ike-profile-1
   match identity group REMOVED
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel toxxx.xxx.xxx.49
 set peer xxx.xxx.xxx.49
 set transform-set ESP-3DES-SHA1 
 match address 101
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address xxx.xxx.xxx.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 rem.ove.d.2
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 remark SDM_ACL Catagory=2
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!

REMOVED

banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

           
         

Answer : Cisco 870 Series, Site-to-Site VPN only allowing traffic one way.

I was finally able to figure out the source of my problem. After completely reconfiguring the both routers and still having the same problem, I began to troubleshoot the VPN tunnel. I sent a ping with a packet size of 1450 and saw that packets were being fragmented. I reduced the packet size till there were no fragments. Optimal seemed to be 1410 but i decided to configure bot of the FastEthernet4 interfaces on each router with an mtu of 1400 to be on the safe side. After this everything seemed to work great.