Connection VPN has the problem

rechard_david
Level 1

Dear All,

Now I have a problem with a site-to-site VPN.

I want to restrict it to specific ports, but I don't know the command to specify ports, and I also don't know whether the VPN connection is supported when I use specific ports or not.

These are the commands I can use for the VPN (meaning it is working):

access-list outside extended permit icmp any any

access-list 170 extended permit ip 192.2.2.0 255.255.255.0 192.1.1.0 255.255.255.0

access-list VPN extended permit ip 192.2.2.0 255.255.255.0 192.1.1.0 255.255.255.0

These commands allow all ports, which I don't want. Could you tell me another command for specific ports only?

Best Regards,

Rechard

steve_steele
Level 1

If I understand the question correctly (and I'm not 100% certain that I do):

To permit inbound VPN traffic without opening all ports, create an access list that allows ISAKMP and ESP traffic from the remote host inbound.

permit udp host <> any eq isakmp

permit esp host <> any

Hope this helps

Steve

Dear Steve and All,

I'm glad to hear from you.

I tried to test the command that you gave me, but it still has the problem.

Please see the attached file for what I want.

Could you give me a detailed access-list for using the ports in the attached file when I use a VPN connection (site-to-site)?

Please help me!!!!

Best Regards,

Rechard

Hi Rechard, can you post the full config for the ASA5510?

I'll then be able to see where the access-list is being placed, whether NAT is involved, etc.

Steve

Dear Steve and All,

Kindly find the attached file.

Please help me to solve this problem, and could you correct some commands.

Best Regard,

Rechard

From the HQ end interesting traffic has SOURCE Ports of 1302, 2161, 1606, 3001.

From the Client End Interesting Traffic has DESTINATION Ports of 1302, 2161, 1606, 3001.

Where you specify the ports in the access list is different for source ports or destination ports.

So to define the interesting traffic on the HQ ASA, use

access-list 103 extended permit tcp host 192.1.1.5 eq 1302 host 192.2.2.5

access-list 103 extended permit tcp host 192.1.1.5 eq 2161 host 192.2.2.5

access-list 103 extended permit tcp host 192.1.1.5 eq 1606 host 192.2.2.5

access-list 103 extended permit tcp host 192.1.1.5 eq 3001 host 192.2.2.5

access-list 103 extended permit icmp any any

On the Client Side the destination ports are 1302, 2161, 1606, 3001, so this looks correct

access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 1302

access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 2161

access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 1606

access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 3001

access-list 104 extended permit icmp any any

Hope this helps

Regards

Steve

Dear Steve,

I tried to put in the commands from you but it doesn't work. It can ping from HQ to Branch and Branch can ping to HQ, but when I tried to use VNC for remote access it doesn't work. I don't know why?

Could you help me?

Kindly find the attached file.

Best Regards,

Rechard

I think the Access Lists are correct, although I'm not sure of the specific ports as they are not familiar to me. I think VNC sometimes uses tcp 5900.

I think that your issue now may be because you have the following commands assigned.

access-group 104 in interface outside

access-group 103 in interface outside

The access lists are correct for determining the interesting traffic; however, because this traffic is encrypted, the outside interfaces receive ESP and ISAKMP traffic, not TCP traffic.

If you remove the 2 commands above I think we'll be closer.

Dear Steve,

After I took out the access-group on the ASA, I can't ping from HQ to Branch or Branch to HQ, but the VPN connection is OK. For the VNC port it has 5800 and 5900; now I use 5800.

Best Regards,

Rechard

Create a separate access list and attach it to the outside interface on each router.

access-list 105 extended permit icmp any any

access-list 105 extended permit esp any any

access-list 105 extended permit udp any any eq 500

access-group 105 in interface outside

Dear Steven,

You mean that access-list 105 above needs to be put in the other router, right?

My diagram is like this:

Client->ASA---(straight cable)--ASA->Client

Note:

For testing, it is not yet connected to the ISP.

Best Regards,

Rechard

You can run this on both ASAs without alteration.

----------------------------

access-list 105 extended permit icmp any any

access-list 105 extended permit esp any any

access-list 105 extended permit udp any any eq 500

access-group 105 in interface outside

---------------------------------------

The access lists 103 and 104 define what traffic gets encrypted.

Access list 105 says only allow VPN and ICMP traffic inbound.

nearly there. ;o)

Steve
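The two points Steve makes in this thread, that the crypto ACL on each side must be the mirror image of the other (an HQ source port becomes a branch destination port, as in access-lists 103 and 104) and that the ACL bound to the outside interface must permit ESP and UDP/500 rather than being one of the crypto ACLs, can be checked mechanically before the config is pushed. The following is an added example written for this thread, not code from the thread or from Cisco; the parser, the function names and the sample configs (built from the access lists quoted above, with one side deliberately still binding its crypto ACL to the interface) are my own assumptions.

```python
"""Sanity checks for ASA site-to-site VPN access lists (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One permit entry, reduced to the fields the two checks need."""
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]

    def mirror(self) -> "Ace":
        """The entry the peer must carry: source and destination swapped,
        so an HQ source port becomes a branch destination port."""
        return Ace(self.proto, self.dst, self.dst_port, self.src, self.src_port)


# Hypothetical minimal grammar: only the 'extended permit' and 'access-group ... in' forms used in the thread.
_ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+(.+)$")
_GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def _take_addr(tokens: List[str]) -> str:
    """Consume 'host A', 'any', or 'A MASK' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "host":
        return tokens.pop(0)
    if tok == "any":
        return "any"
    return f"{tok} {tokens.pop(0)}"  # subnet followed by its mask


def _take_port(tokens: List[str]) -> Optional[str]:
    """Consume an optional 'eq PORT' qualifier (a number or a name such as isakmp)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return tokens.pop(0)
    return None


def parse_config(text: str) -> Tuple[Dict[str, List[Ace]], Dict[str, str]]:
    """Return ({acl name: entries}, {interface: acl bound inbound})."""
    acls: Dict[str, List[Ace]] = {}
    bound: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _ACE.match(line)
        if m:
            name, proto, rest = m.groups()
            tokens = rest.split()
            src, sport = _take_addr(tokens), _take_port(tokens)
            dst, dport = _take_addr(tokens), _take_port(tokens)
            acls.setdefault(name, []).append(Ace(proto, src, sport, dst, dport))
            continue
        m = _GROUP.match(line)
        if m:
            name, iface = m.groups()
            bound[iface] = name
    return acls, bound


def mirror_mismatches(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Entries of the local crypto ACL whose mirror image is missing on the peer."""
    remote_set = set(remote)
    return [a for a in local if a.mirror() not in remote_set]


def missing_ipsec_permits(interface_acl: List[Ace]) -> List[str]:
    """Which of ESP and ISAKMP (UDP/500) the inbound interface ACL fails to permit."""
    missing = []
    if not any(a.proto == "esp" for a in interface_acl):
        missing.append("esp")
    if not any(a.proto == "udp" and a.dst_port in ("500", "isakmp") for a in interface_acl):
        missing.append("udp/500")
    return missing


def check_site(local_cfg: str, local_crypto: str, remote_cfg: str, remote_crypto: str):
    """Return (crypto ACL entries not mirrored by the peer, IPsec permits missing on 'outside')."""
    acls, bound = parse_config(local_cfg)
    remote_acls, _ = parse_config(remote_cfg)
    mismatches = mirror_mismatches(acls[local_crypto], remote_acls[remote_crypto])
    outside = acls.get(bound.get("outside", ""), [])
    return mismatches, missing_ipsec_permits(outside)


# Constructed sample configs based on the access lists quoted in the thread.
# HQ still binds its crypto ACL 103 to the outside interface (the mistake Steve diagnosed).
HQ_CONFIG = """
access-list 103 extended permit tcp host 192.1.1.5 eq 1302 host 192.2.2.5
access-list 103 extended permit tcp host 192.1.1.5 eq 2161 host 192.2.2.5
access-list 103 extended permit icmp any any
access-group 103 in interface outside
"""
BRANCH_CONFIG = """
access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 1302
access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 2161
access-list 104 extended permit icmp any any
access-list 105 extended permit icmp any any
access-list 105 extended permit esp any any
access-list 105 extended permit udp any any eq 500
access-group 105 in interface outside
"""

if __name__ == "__main__":
    for site, args in (("HQ", (HQ_CONFIG, "103", BRANCH_CONFIG, "104")),
                       ("Branch", (BRANCH_CONFIG, "104", HQ_CONFIG, "103"))):
        mism, missing = check_site(*args)
        print(f"{site}: unmirrored crypto entries={mism}, outside ACL lacks={missing}")
```

Run as-is, the HQ side reports no mirror mismatches but an outside ACL that permits neither ESP nor UDP/500, which is exactly the state in which the tunnel's encrypted packets are dropped at the interface while the crypto ACL itself looks correct; the branch side, with access-list 105 bound, reports nothing missing. The mirror check catches the other failure mode in the thread, a port written on the wrong side of the entry, because such an entry's mirror never appears in the peer's list.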

Dear Steven,

Could you help me!!!

Please see the attached file.

Best Regards,

Rechard
