
ASA 5505 pinhole to device between site to site VPN.

SNChelpdesk (Level 1)

How do you open up a pinhole using port 3001 to devices with a site-to-site VPN?

33 Replies

andrew.prince (Level 10)

Expand on your question please?

I have a site-to-site VPN. I have a device in one location and the software in the other in which they need in to interchange on port 3001. I haven't been able to figure out how to get both the device and software to communicate.

OK - with that in mind, can you answer:

1) From the remote end, can you ping the "device"?

2) From a computer that is running the software can it ping the "device" ?

3) Can the "device" ping the remote computer trying to access the software?

4) Do you control both ends of the VPN tunnel?

5) Are you blocking traffic at one end or both ends?

1) I can ping the device on the inside of one end but not the other.

2) I can't ping the device across the tunnel at all.

3) I can control both ends of the tunnel.

Basic connectivity is your first issue - post both ends' config for review, remove sensitive information.

Panos Kampanakis (Cisco Employee)

You mean you want hosts in site1 to be able to talk to hosts in site2 on port 3001 through the site2site VPN?

In that case you need to make sure that this port is included in the crypto-map ACL of course so it goes encrypted, and also, if you have ACLs blocking that port on the inside of the sites, open those up.

I hope it helps.

PK

That helps, but I'm new at this; can you explain how to set up those actions?

If you would like a copy of the running configs I can provide one.

Yes please

One Side:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 65.82.224.50 255.255.255.248

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0
access-list inside_nat0_outbound remark For remote access clients
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 65.82.224.50 host MorganCityPublic
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list MUVPN_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list SNC_splitTunnelAcl standard permit any
access-list outside_nat0_outbound_3 extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Local_LAN_Access standard permit host 0.0.0.0

Second Side:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 65.82.227.138 255.255.255.248

access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 EBA_Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.2.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.4.5.0 255.255.255.224
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.255.0 EBA_Internal 255.255.255.0
access-list outside_6_cryptomap extended permit ip host 192.168.2.60 192.168.7.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip host 192.168.2.60 host 192.168.11.1
access-list outside_cryptomap_4 extended permit ip host 192.168.2.60 host 192.168.11.1
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit icmp any any
access-list Mobile_splitTunnelAcl standard permit any
access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

can you post the

crypto config

nat config

and can you put them in text files - much easier to read.

Now what IP is the "device" and what IP is the computer trying to access the device?

The "device" IP is 192.168.2.20 and the computer IP is 192.168.1.5

I believe your configs look fine. You are permitting IP on the tunnel, so that should take care of your interesting traffic on the tunnel. Can you ping the hosts from the PIXs?
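The checks the replies above describe (the port must be covered by the crypto-map ACL on both ends, NAT exemption must match, and the inside ACL must not block it) can be run mechanically against the posted ACE lines. The following is an added example, not code from the thread or from Cisco; it is a minimal ASA extended-ACL matcher, and it ASSUMES the undefined object name MorganCity-inside resolves to 192.168.2.0, since the page never defines it.

```python
import ipaddress

# Added example, not the thread's code. Object names in the posted config (e.g.
# MorganCity-inside) are never defined on the page; this mapping is an ASSUMPTION.
OBJECTS = {"MorganCity-inside": "192.168.2.0"}

def _addr(tokens):
    """Consume one ASA address spec (any | host X | X MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(OBJECTS.get(tokens[1], tokens[1])), tokens[2:]
    net = f"{OBJECTS.get(tokens[0], tokens[0])}/{tokens[1]}"
    return ipaddress.ip_network(net, strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' (None for remarks/standard)."""
    t = line.split()
    if len(t) < 7 or t[2] != "extended":
        return None
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"permit": t[3] == "permit", "proto": t[4], "src": src, "dst": dst, "dport": dport}

def acl_permits(lines, proto, src, dst, dport=None):
    """First matching ACE wins, implicit deny otherwise; dport=None (ephemeral) only matches ACEs without 'eq'."""
    for ace in filter(None, map(parse_ace, lines)):
        if (ace["proto"] in ("ip", proto) and ipaddress.ip_address(src) in ace["src"]
                and ipaddress.ip_address(dst) in ace["dst"] and ace["dport"] in (None, dport)):
            return ace["permit"]
    return False

def tunnel_checks(side1, side2, proto, src, dst, dport):
    """The items the replies list: crypto-map ACL on both ends (side2 mirrored), NAT exemption, inside ACL."""
    return {"side1_crypto": acl_permits(side1["crypto"], proto, src, dst, dport),
            "side2_crypto": acl_permits(side2["crypto"], proto, dst, src),
            "side1_nat0": acl_permits(side1["nat0"], "ip", src, dst),
            "side2_nat0": acl_permits(side2["nat0"], "ip", dst, src),
            "side1_inside_acl": acl_permits(side1["inside"], proto, src, dst, dport)}
# Sample ACE lines taken from the configs posted in the thread (side1 = 192.168.1.0/24).
SIDE1 = {"crypto": ["access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0"],
         "nat0": ["access-list inside_nat0_outbound remark For remote access clients",
                  "access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0"],
         "inside": ["access-list inside_access_in extended permit ip any any"]}
SIDE2 = {"crypto": ["access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"],
         "nat0": ["access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"]}
# Constructed counter-example: a crypto ACL narrowed to one TCP port leaves 3001 out of the tunnel.
NARROW = dict(SIDE1, crypto=["access-list outside_1_cryptomap extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 443"])
print(tunnel_checks(SIDE1, SIDE2, "tcp", "192.168.1.5", "192.168.2.20", 3001))
```

With the posted ACLs every check passes for 192.168.1.5 to 192.168.2.20 on TCP 3001, which is why the last reply points at basic reachability rather than the ACLs; the NARROW variant shows the failure Panos warns about when the crypto ACL does not include the port.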
