
HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN

We are connecting a Cisco 887VA router with various other non-Cisco routers.

VPN tunnels are up and we can ping devices on the remote network through the VPN.

However, we have a few devices (on the Cisco LAN) that provide a web interface (NAS etc.) and these are not accessible over the VPN. The connection seems to just hang like it's waiting for a response, but it never gets one and eventually the browser times out.

Strangely, if I request a page that does not exist from the NAS (eg. http://192.168.3.x/test) I will receive a 404 error so it is kind of working.

Similar problems with SMB, if I access \\192.168.3.x I can list the content (4 items) but if I go into one of those folders (containing 10+ items) it hangs and eventually gives up.

I have tried adjusting MTU and MSS with no change.

Any ideas? 'Cause I'm running out of hair.

My config is attached. It is most likely a mess as this is my first Cisco device, so please go easy.


Re: HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN


If I understand correctly, the problem is related to services that are also available on the public network via static translation?

1. I checked your configuration and it isn't clear to me.

For example:

ip nat pool windisplay0 netmask type rotary



ip nat inside destination list windisplay0 pool windisplay0

The syntax is:

ip nat inside destination { list  pool  | static   }

Where is the ACL "windisplay0" ?

2. I suggest reading this document: Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static


Best regards,

MB

Re: HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN

Sorry about the confusion factor, it seems I inadvertently snipped some of the config.

I have attached new config.

Thank you!


Re: HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN


I can get you an example VPN config (Cisco 1841) that works:

! INSIDE IP | and RemoteSite IP
! ACL 102: traffic to encrypt (referenced by the crypto map)
access-list 102 permit ip
access-list 102 permit ip
! ACL 150: denied entries are kept out of NAT, the permit is translated
access-list 150 deny   ip
access-list 150 deny   ip
access-list 150 permit ip any
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key CRYPTOKEYHERE address REMOTEWANIP
crypto isakmp keepalive 30
!
crypto ipsec transform-set SETNAME esp-aes esp-sha-hmac
!
crypto map B2B 10 ipsec-isakmp
 description b2b-fw
 set peer PEERWANIP
 set security-association lifetime seconds 86400
 set transform-set SETNAME
 match address 102
!
interface FastEthernet0/0
 description wan_primary
 crypto map B2B
 ip nat outside
!
interface FastEthernet0/1
 ip nat inside
!
route-map nonat permit 10
 match ip address 150
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
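
A check for the NAT-exemption pattern in the config above (ACL 102 selects the VPN traffic, ACL 150 behind route-map nonat keeps it out of NAT), as an added example that is not part of any post in this thread. The addresses in the sample are constructed because the thread's ACL entries lack them, the function names are hypothetical, and the ACL numbers are passed in rather than resolved from the crypto map and route-map.

```python
import ipaddress
import re
# Constructed sample (addresses assumed): ACL 150 misses the second VPN subnet.
SAMPLE = """\
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 150 deny   ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 permit ip 192.168.3.0 0.0.0.255 any
"""
ACE = re.compile(r"^access-list (\d+) (permit|deny)\s+ip\s+(.+)$")

def _net(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' (contiguous wildcards only)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue
        try:
            src, rest = _net(m.group(3).split())
            dst, _ = _net(rest)
        except (IndexError, ValueError):
            continue  # truncated entry or a mask this sketch does not handle
        acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls

def nat_exempt(src, dst, nat_aces):
    """First-match walk of the NAT ACL: True only if the whole flow is denied."""
    for action, a_src, a_dst in nat_aces:
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return action == "deny"
        if src.overlaps(a_src) and dst.overlaps(a_dst):
            return False  # partial match: not safely exempted
    return True  # implicit deny: the route-map never matches, so no NAT

def unexempted_vpn_flows(config, crypto_acl="102", nat_acl="150"):
    """List crypto-ACL permits that the NAT ACL would still translate."""
    acls = parse_acls(config)
    return [f"{s} -> {d}" for a, s, d in acls.get(crypto_acl, [])
            if a == "permit" and not nat_exempt(s, d, acls.get(nat_acl, []))]
```

On the constructed sample it reports the 192.168.20.0/24 flow, which ACL 102 encrypts but ACL 150 still hands to NAT overload.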


