Question : Cisco 870 Series, Site-to-Site VPN only allowing traffic one way.

I have two sites, that both have Cisco 870 Series routers.  I currently have a Site to Site VPN setup on Site 2 that connects back to Site 1.  The connection establishes fine and i can use Remote Desktop to connect to computers at Site 1 from Site 2, but I cannot use remote desktop  from computers at Site 1 to connect to a server at Site 2. I need the VPN tunnel to be bidirectional with the traffic flow and allow connections from either side on any port.

Im including my two configs.

Thanks in Advance
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
Site 1
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco871w
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization ipmobile default group rad_pmip 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name cpd.local
!
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REMOVED address xxx.xxx.0.1
!
crypto isakmp client configuration group REMOVED
 key REMOVED
 pool SDM_POOL_1
 acl 103
 max-users 30
crypto isakmp profile sdm-ike-profile-1
   match identity group REMOVED
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel toXXX.XXX.XXX.1
 set peer XXX.XXX.XXX.1
 set transform-set ESP-3DES-SHA1 
 match address 101
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address OUT.SID.ADD.49 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size REMOVED transmit-key
 encryption mode REMOVED mandatory 
 !
 ssid ssidwifi
    authentication open 
    wpa-psk ascii REMOVED
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.0.10 255.255.255.0
 ip access-group 150 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 172.16.0.1 172.16.0.255
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.54
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 100 remark SDM_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 150 remark port 80 block
access-list 150 deny   tcp host 192.168.0.x any eq www
access-list 150 deny   tcp host 192.168.0.x any eq www
access-list 150 deny   tcp host 192.168.0.x any eq www
access-list 150 deny   tcp host 192.168.0.x any eq www
access-list 150 deny   tcp host 192.168.0.x any eq www
access-list 150 permit ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CC
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level REMOVED
 password REMOVED
 transport input telnet ssh
!
scheduler max-task-time 5000
end
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
Site 2
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret REMOVED
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
!
aaa session-id common
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
!
dot11 syslog
no ip source-route
ip cef
!
!
no ip bootp server
ip domain name domain.local
ip name-server 192.168.1.10
!
!
!
REMOVED
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REMOVED address xxx.xxx.xxx.49
!
crypto isakmp client configuration group REMOVED
 key REMOVED
 pool SDM_POOL_1
 acl 100
 max-users 14
 netmask 255.255.255.240
crypto isakmp profile sdm-ike-profile-1
   match identity group REMOVED
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel toxxx.xxx.xxx.49
 set peer xxx.xxx.xxx.49
 set transform-set ESP-3DES-SHA1 
 match address 101
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address xxx.xxx.xxx.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 rem.ove.d.2
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 remark SDM_ACL Catagory=2
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!

REMOVED

banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Answer : Cisco 870 Series, Site-to-Site VPN only allowing traffic one way.

I was finally able to figure out the source of my problem.  After completely reconfiguring the both routers and still having the same problem, I began to troubleshoot the VPN tunnel.  I sent a ping with a packet size of 1450 and saw that packets were being fragmented.  I reduced the packet size till there were no fragments. Optimal seemed to be 1410 but i decided to configure bot of the FastEthernet4 interfaces on each router with an mtu of 1400 to be on the safe side.  After this everything seemed to work great.
Random Solutions  
 
programming4us programming4us