"IPSEC Between Cisco CISCO1921/K9 and Zyxel Keenetic III"
Forum: CISCO routers and other equipment (VPN, VLAN, tunnel)

Original message
Message from Atheist987 (ok) on 21-Feb-18, 13:51
Good day! Please help me sort this out: I need to set up access between two offices. The head office has a Cisco CISCO1921/K9.
Config:
Building configuration...

Current configuration : 14501 bytes
!

version 15.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ss-elektrozavodskaya-rt
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.153-3.M5.bin
boot-end-marker
!
!
logging buffered 65536

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp VPNRA-AUTH-LIST local
aaa authorization console
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.10.1.200 10.10.1.255
ip dhcp excluded-address 10.10.1.0 10.10.1.49
!
ip dhcp pool VPNRA-ADDRESS-POOL
network 10.10.1.0 255.255.255.0
domain-name maestro-travel.ru
default-router 10.10.1.1
dns-server 10.10.1.1
lease 0 6
!
!
!
ip domain name xxxxx-xxxxxx.ru
ip name-server 8.8.8.8
ip inspect name Voice sip
ip inspect name Voice sip-tls
ip cef
no ipv6 cef
!
parameter-map type regex SIP-REG-RESP-403
pattern "403 Forbidden"

multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group VPN-RA
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 10
no l2tp tunnel authentication
!
!
crypto pki trustpoint TP-self-signed-2260597427
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2260597427
revocation-check none
rsakeypair TP-self-signed-2260597427
!
!
! the "crypto pki certificate chain" block was cut from the post; only its closing "quit" remained
      quit
license udi pid CISCO1921/K9 sn FCZ1725927N
license accept end user agreement
!
!

!
redundancy
!
crypto ikev2 authorization policy MS-AUTH
!
crypto ikev2 proposal MS-PROPO
encryption aes-cbc-256
integrity sha384
group 2
!
crypto ikev2 policy MS
proposal MS-PROPO
!
!
crypto ikev2 profile MS-PROF
match address local interface GigabitEthernet0/0
match identity remote any
identity local address xxx.248.xxx.66
authentication remote pre-share
authentication remote rsa-sig
authentication local rsa-sig
nat keepalive 10
!
!
!
ip ssh version 2
!
class-map type inspect sip match-any CL-SIP-REG-403
match response status regex SIP-REG-RESP-403
!
policy-map type inspect sip PM-SIP-403-LOG
class type inspect sip CL-SIP-REG-403
  log
!
zone security dmz
zone security inside
zone security outside
!
crypto keyring VPNRA-KEYRING  
  pre-shared-key address 0.0.0.0 0.0.0.0 key TOURNET-key-for-VPN
crypto keyring DMVPN-KEYRING  
  pre-shared-key address xxx.10.xxx.235 key sUXFHpT6axMVcCEc
  pre-shared-key address 192.168.0.2 key sUXFHpT6axMVcCEc
  pre-shared-key address 192.168.1.2 key sUXFHpT6axMVcCEc
crypto keyring NK-KEYRING  
  pre-shared-key address xxx.237.xxx.132 key NK2015Voice
crypto keyring ZYXEL  
  pre-shared-key address xxx.73.xxx.106 key Zyxel2018
crypto logging session
!
crypto vpn anyconnect usbflash0:/webvpn/anyconnect-win-3.1.08009-k9.pkg sequence 1
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 5
encr aes 256
group 5
!
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
!
crypto isakmp policy 15
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 14
crypto isakmp key Zyxel2018 address xxx.73.xxx.106  
crypto isakmp keepalive 10
!
crypto isakmp client configuration group maestro-vpn
key TOURNET-key-for-VPN
domain maestro-travel.ru
crypto isakmp profile DMVPN-ISAKMP-PROFILE
   keyring DMVPN-KEYRING
   match identity address xxx.10.xxx.235 255.255.255.255
   match identity address 192.168.0.2 255.255.255.255
   match identity address 192.168.1.2 255.255.255.255
crypto isakmp profile VPNRA-ISAKMP-PROFILE
   keyring VPNRA-KEYRING
   match identity address 0.0.0.0
crypto isakmp profile NK-ISAKMP-PROFILE
   keyring NK-KEYRING
   match identity address xxxx.237.xxxx.132 255.255.255.255
   keepalive 300 retry 60
crypto isakmp profile ZYXEL
   keyring ZYXEL
   match identity address xxx.73.xxx.106 255.255.255.255
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-AES-SHA1 esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set ipsec esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
set transform-set ESP-AES-SHA
set isakmp-profile DMVPN-ISAKMP-PROFILE
!
crypto ipsec profile NK-IPSEC-PROFILE
set transform-set ESP-AES-SHA1
set isakmp-profile NK-ISAKMP-PROFILE
!
crypto ipsec profile ZYXEL
set transform-set ipsec
set isakmp-profile ZYXEL
!
!
!
crypto dynamic-map VPNRA-DYN-CMAP 5
set peer xxx.73.xxxx.106
set transform-set ipsec
set isakmp-profile ZYXEL
match address ZYX
crypto dynamic-map VPNRA-DYN-CMAP 10
set transform-set ESP-AES-SHA ESP-AES-SHA1 ESP-3DES-SHA
set isakmp-profile VPNRA-ISAKMP-PROFILE
!
!
!
!
crypto map VPNRA-CMAP isakmp authorization list VPNRA-AUTH-LIST
crypto map VPNRA-CMAP client configuration address respond
crypto map VPNRA-CMAP 10 ipsec-isakmp dynamic VPNRA-DYN-CMAP
!
!
!
!
!
interface Loopback10
ip address 172.16.255.1 255.255.255.255
!
interface Loopback101
ip address 10.10.1.1 255.255.255.0
ip ospf network point-to-point
!
interface Tunnel1
ip address 172.16.2.1 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination xxx.237.xxx.132
tunnel protection ipsec profile NK-IPSEC-PROFILE
!
interface Tunnel10
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip nhrp authentication TURDMVPN
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip ospf message-digest-key 1 md5 7 021F0B4E19041A2F42571E0B0A0317
ip ospf network point-to-multipoint
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description === OUTSIDE ===
ip address xxx.248.xxx.66 255.255.255.240
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect Voice in
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPNRA-CMAP
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 20
no ip address
spanning-tree portfast
!        
interface GigabitEthernet0/1/5
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface Virtual-Template1
ip unnumbered Vlan20
!
interface Virtual-Template10
ip unnumbered Loopback101
ip nat inside
ip virtual-reassembly in
peer default ip address dhcp-pool VPNRA-ADDRESS-POOL
ppp mtu adaptive
ppp authentication ms-chap-v2 VPNRA-AUTH-LIST
ppp ipcp dns 10.10.1.1
!
interface Vlan1
no ip address
interface Vlan2
shutdown
!
interface Vlan10
description === DMZ ===
ip address xxx.xxx.155.233 255.255.255.248
no ip redirects
no ip proxy-arp
ip virtual-reassembly in
!
! the posted line here was mangled to "!0"; "interface Vlan20" is reconstructed from
! Virtual-Template1 (ip unnumbered Vlan20) and the LAN address that follows
interface Vlan20
description === LAN ===
ip address 10.10.0.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
router ospf 100
router-id 172.16.255.1
area 0 authentication message-digest
area 1 authentication message-digest
area 1 stub
network 10.10.0.0 0.0.0.255 area 1
network 10.10.1.0 0.0.0.255 area 1
network 10.10.20.0 0.0.0.255 area 0
network 62.xxx.xxxx.232 0.0.0.7 area 1
network 172.16.1.0 0.0.0.255 area 0
network 172.16.255.1 0.0.0.0 area 0
!
ip local pool VPNRA-IPSEC-POOL 10.10.2.1 10.10.2.30
ip forward-protocol nd
!
no ip http server
ip http authentication aaa
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.0.10 1433 interface GigabitEthernet0/0 1433
ip nat inside source static tcp 10.10.0.10 3389 xx.248.xxx.67 3389 extendable
ip nat inside source static 10.10.0.13 xxx.248.xxx.68
ip nat inside source static 10.10.0.121 xxx.248.xxx.69
ip nat inside source static 10.10.0.12 xxx.248.xxx.71
ip nat inside source static 10.10.0.55 xxx.248.xxx.77
ip route 0.0.0.0 0.0.0.0 89.248.225.65
ip route 192.168.203.0 255.255.255.0 Tunnel1
!
ip access-list extended NAT
deny   ip 10.10.0.0 0.0.0.255 10.10.2.0 0.0.0.255
deny   ip 10.10.0.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.0.0 0.0.0.255 any
permit ip 10.10.1.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended TEMP
deny   ip host xxx.149.xxx.96 host xxx.105.xxx.235
permit ip host xxx.53.xxx.40 host xxx.105.xxx.235
permit ip host xxx.14.xxx.79 host xxx.105.xxx.235
permit ip host xxx.32.xxx.95 host xxx.105.xxx.235
permit ip any any
ip access-list extended ZYX
permit ip 10.10.0.0 0.0.0.255 10.10.20.0 0.0.0.255
!
no cdp run
!
!
!
tftp-server 10.10.10.25
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
!
!
!
control-plane
!
!
banner motd ^C

!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
logging synchronous
transport input ssh
line vty 5 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp master 2
ntp server 194.190.168.1 minpoll 9
ntp server ru.pool.ntp.org
!
!
webvpn gateway gw1
hostname IOS-Self-Signed-Certificate-2260597427
ip address xx.248.xxx.66 port 443  
http-redirect port 80
ssl encryption aes256-sha1
ssl trustpoint TP-self-signed-2260597427
logging enable
inservice
!
webvpn context Maestro
secondary-color white
title-color #ff9900
text-color black
virtual-template 1
gateway gw1
max-users 10
logging enable
!
ssl authenticate verify all
inservice
!
policy group MaestroP1
   functions svc-enabled
   svc address-pool "VPNRA-IPSEC-POOL" netmask 255.255.255.0
   svc default-domain "xxxxxxxxxx"
   svc keep-client-installed
   svc module vpngina
   svc split include 10.10.0.0 255.255.255.0
default-group-policy MaestroP1
!
end

The second office has a Zyxel Keenetic III.
It has ipsec-vpn installed.
The tunnel comes up, but on the Cisco, ports to several servers on the LAN are forwarded to the outside, and those servers cannot be reached over IPsec. What can be done?


Replies


1. Message from вова п on 21-Feb-18, 17:06
deny   ip 10.10.0.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.0.0 0.0.0.255 10.10.20.0 0.0.0.255

> What can be done?

Pay for the work.


2. Message from Atheist987 (ok) on 22-Feb-18, 04:10
> deny   ip 10.10.0.0 0.0.0.255 10.10.20.0 0.0.0.255
> permit ip 10.10.0.0 0.0.0.255 10.10.20.0 0.0.0.255

Should this go into some access list, or where?

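Added example (editor's addition, not from any participant in the thread). The two lines in reply #1 are the NAT-exemption deny and the crypto-ACL permit, and both are already in the posted config: ACL NAT denies 10.10.0.0/24 -> 10.10.20.0/24 and ACL ZYX permits it, so the dynamic `overload` rule already leaves tunnel traffic alone. What the config still has is six `ip nat inside source static` entries for 10.10.0.10, .12, .13, .55 and .121, and static translations never consult ACL NAT. On IOS, inside-to-outside NAT runs before the crypto map is checked, so a packet from 10.10.0.13 to a 10.10.20.0/24 host leaves with its source rewritten to the public address and no longer matches ZYX; the same happens to replies from 10.10.0.10 on ports 1433 and 3389. That is exactly the symptom in the first post: tunnel up, port-forwarded servers unreachable through it. The script below parses the relevant lines of the posted config (public addresses replaced with the documentation prefix 198.51.100.0/24 because the post masks them), lists the static entries affected, and emits the IOS fix: an ACL that denies the crypto-ACL pairs, a route-map that matches it, and each plain static entry re-entered with `route-map NAME reversible` (documented static-NAT syntax; `reversible` keeps outside-initiated sessions to the global address translating). Port-static tcp/udp entries are emitted as comments to confirm manually, because their route-map form is not verified here. The names NONAT-VPN and NONAT-VPN-ACL are this example's choice. Separately: the post contains the live pre-shared keys (Zyxel2018, sUXFHpT6axMVcCEc, NK2015Voice, TOURNET-key-for-VPN) and a type-7 OSPF MD5 key, and type 7 is trivially reversible, so all of them should be rotated now that they are public.

```python
"""NAT-before-crypto audit for the IOS config in this thread.

On IOS, inside-to-outside NAT runs before the crypto map is consulted.  The overload
rule uses ACL NAT, which already denies 10.10.0.0/24 -> 10.10.20.0/24, but the
'ip nat inside source static' entries never consult that ACL: a statically translated
host has its VPN-bound packets rewritten to the public address, so they stop matching
crypto ACL ZYX and bypass the tunnel."""
import ipaddress

# Constructed excerpt of the posted config.  The post masks public addresses with
# 'xxx'; the documentation prefix 198.51.100.0/24 stands in for them here.
CONFIG = """\
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.0.10 1433 interface GigabitEthernet0/0 1433
ip nat inside source static tcp 10.10.0.10 3389 198.51.100.67 3389 extendable
ip nat inside source static 10.10.0.13 198.51.100.68
ip nat inside source static 10.10.0.121 198.51.100.69
ip nat inside source static 10.10.0.12 198.51.100.71
ip nat inside source static 10.10.0.55 198.51.100.77
!
ip access-list extended NAT
 deny   ip 10.10.0.0 0.0.0.255 10.10.2.0 0.0.0.255
 deny   ip 10.10.0.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.0.0 0.0.0.255 any
 permit ip 10.10.1.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended ZYX
 permit ip 10.10.0.0 0.0.0.255 10.10.20.0 0.0.0.255
"""


def _net(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A WILDCARD'; contiguous
    wildcards only).  Returns (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_acls(config):
    """Named extended ACLs as {name: [(action, src_net, dst_net)]}.  Only 'ip'
    entries are parsed, which is all the NAT and crypto ACLs in the post use."""
    acls, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(t[3], [])
        elif current is not None and t[0] in ("permit", "deny") and t[1] == "ip":
            src, rest = _net(t[2:])
            dst, _ = _net(rest)
            current.append((t[0], src, dst))
        elif not line[0].isspace() and t[0] != "!":
            current = None  # any other top-level command ends the ACL block
    return acls


def parse_static_nat(config):
    """Every 'ip nat inside source static' line with its inside host, the tcp/udp
    marker of port-static entries (else None) and its route-map name (else None)."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue
        rest = t[5:]
        proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
        route_map = rest[rest.index("route-map") + 1] if "route-map" in rest else None
        entries.append({"line": line.strip(), "proto": proto,
                        "local": ipaddress.ip_address(rest[0]), "route_map": route_map})
    return entries


def audit(config, crypto_acl="ZYX"):
    """Static entries whose inside host sits in a permit source of the crypto ACL and
    that carry no route-map exemption: their VPN-bound traffic is translated first."""
    pairs = [(s, d) for a, s, d in parse_acls(config).get(crypto_acl, []) if a == "permit"]
    findings = []
    for e in parse_static_nat(config):
        dsts = [d for s, d in pairs if e["local"] in s]
        if dsts and e["route_map"] is None:
            findings.append({**e, "vpn_dsts": dsts})
    return findings


def remediation(config, crypto_acl="ZYX", rm="NONAT-VPN", acl="NONAT-VPN-ACL"):
    """IOS lines that exempt crypto-ACL traffic from the flagged static entries.
    'rm' and 'acl' are names chosen for this example.  Plain static entries are
    re-entered with 'route-map NAME reversible'; port-static tcp/udp entries are
    emitted as comments because their route-map form is not verified here."""
    out = [f"ip access-list extended {acl}"]
    for a, s, d in parse_acls(config).get(crypto_acl, []):
        if a == "permit":
            out.append(f" deny   ip {s.network_address} {s.hostmask} "
                       f"{d.network_address} {d.hostmask}")
    out += [" permit ip any any", f"route-map {rm} permit 10", f" match ip address {acl}"]
    for f in audit(config, crypto_acl):
        if f["proto"]:
            out.append(f"! {f['line']}  <- port-static: confirm route-map support on this IOS")
        else:
            out += [f"no {f['line']}", f"{f['line']} route-map {rm} reversible"]
    return out


if __name__ == "__main__":
    for f in audit(CONFIG):
        dsts = ", ".join(str(d) for d in f["vpn_dsts"])
        print(f"translated before crypto map: {f['line']}   (VPN destinations: {dsts})")
    print()
    print("\n".join(remediation(CONFIG)))
```

Run it as-is to see the six flagged entries and the replacement lines; to audit the real box, paste the `ip nat inside source` and `ip access-list extended` sections of `show running-config` into CONFIG. After applying the fix, `show ip nat translations` should show no entry for a 10.10.0.x host talking to 10.10.20.0/24, and `show crypto ipsec sa` should show the encaps counter for the ZYX pair rising.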
