10-23-2009 05:21 AM - edited 03-11-2019 09:30 AM
How do you open up a pinhole using port 3001 to devices with a site-to-site VPN?
10-23-2009 06:21 AM
Expand on your question please?
10-23-2009 06:26 AM
I have a site-to-site VPN. I have a device in one location and the software in the other, and they need to interchange on port 3001. I haven't been able to figure out how to get both the device and software to communicate.
10-23-2009 06:31 AM
OK - with that in mind, can you answer:
1) From the remote end, can you ping the "device"?
2) From a computer that is running the software can it ping the "device" ?
3) Can the "device" ping the remote computer trying to access the software?
4) Do you control both ends of the VPN tunnel?
5) Are you blocking traffic at one end or both ends?
10-23-2009 06:35 AM
1) I can ping the device on the inside of one end but not the other.
2) I can't ping the device across the tunnel at all.
3) I can control both ends of the tunnel.
10-23-2009 06:41 AM
Basic connectivity is your first issue - post both ends' configs for review, with sensitive information removed.
10-23-2009 06:29 AM
You mean you want hosts in site1 to be able to talk to hosts in site2 on port 3001 through the site-to-site VPN?
In that case you need to make sure that this port is included in the crypto-map ACL, of course, so it goes encrypted, and also, if you have ACLs blocking that port on the inside of the sites, open those up.
I hope it helps.
PK
10-23-2009 06:31 AM
That helps, but I'm new at this. Can you explain how to set up those actions?
10-23-2009 06:41 AM
If you would like a copy of the running configs I can provide one.
10-23-2009 06:42 AM
Yes please
10-23-2009 06:59 AM
One Side:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 65.82.224.50 255.255.255.248
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0
access-list inside_nat0_outbound remark For remote access clients
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 65.82.224.50 host MorganCityPublic
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list MUVPN_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list SNC_splitTunnelAcl standard permit any
access-list outside_nat0_outbound_3 extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Local_LAN_Access standard permit host 0.0.0.0
10-23-2009 07:00 AM
Second Side:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 65.82.227.138 255.255.255.248
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 EBA_Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.2.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.4.5.0 255.255.255.224
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.255.0 EBA_Internal 255.255.255.0
access-list outside_6_cryptomap extended permit ip host 192.168.2.60 192.168.7.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip host 192.168.2.60 host 192.168.11.1
access-list outside_cryptomap_4 extended permit ip host 192.168.2.60 host 192.168.11.1
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit icmp any any
access-list Mobile_splitTunnelAcl standard permit any
access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
10-23-2009 07:02 AM
Can you post the
crypto config
nat config
and can you put them in text files - much easier to read.
Now, what IP is the "device" and what IP is the computer trying to access the device?
10-23-2009 07:07 AM
10-23-2009 07:42 AM
I believe your configs look fine. You are permitting IP on the tunnel, so that should take care of your interesting traffic on the tunnel. Can you ping the hosts from the PIXs?
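PK's reply (the port must be in the crypto-map ACL and not blocked by the inside ACLs) and the last reply (an "ip" permit in the crypto ACL covers port 3001 as interesting traffic) can both be checked mechanically against the posted ACLs. The script below is an added example written for this thread, not code from the original posters or from Cisco: it parses ASA extended ACEs, evaluates the tcp/3001 flow with first-match semantics on both ends, and reports whether the crypto-map ACL, the NAT-exemption (nat0) ACL and the initiating side's inside ACL all permit it. The sample configs are constructed from the lines posted above; the `name` mapping (MorganCity-inside = 192.168.2.0), the host addresses and their roles, and the narrowed inside ACL used to show a failing pinhole are assumptions.

```python
"""Check an ASA site-to-site pair for a TCP pinhole (port 3001 in the thread).
Added example for this thread; sample configs are constructed from the posted ACLs."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ASA "name" labels used in the posted ACLs. The thread does not show the
# "name" statements, so this mapping is an assumption made for the example.
NAMES = {"MorganCity-inside": "192.168.2.0"}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[str]
    dst: ipaddress.IPv4Network
    dport: Optional[str]


def _take_addr(t, i):
    """Consume one address spec (any | host X | NET MASK) at t[i]; return (network, next_i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(NAMES.get(t[i + 1], t[i + 1]) + "/32"), i + 2
    addr = NAMES.get(t[i], t[i])
    return ipaddress.ip_network(f"{addr}/{t[i + 1]}", strict=False), i + 2


def _take_port(t, i):
    """Consume an optional 'eq PORT' operator at t[i]."""
    if i + 1 < len(t) and t[i] == "eq":
        return t[i + 1], i + 2
    return None, i


def parse_acls(config_text):
    """Return ({acl_name: [Ace, ...]}, [skipped lines]). Only extended ACEs with plain
    addresses are parsed; remarks, standard ACLs, object references and unresolved names are skipped."""
    acls, skipped = {}, []
    for line in config_text.splitlines():
        t = line.split()
        if not t:
            continue
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4].startswith("object"):
            skipped.append(line)
            continue
        try:
            src, i = _take_addr(t, 5)
            sport, i = _take_port(t, i)
            dst, i = _take_addr(t, i)
            dport, _ = _take_port(t, i)
        except (ValueError, IndexError):  # unresolved name or malformed line
            skipped.append(line)
            continue
        acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, sport, dst, dport))
    return acls, skipped


def ace_matches(ace, proto, src_ip, sport, dst_ip, dport):
    """True if the flow is covered by the ACE. A None port means 'not specified',
    so an ACE that constrains that port is not counted as a match."""
    if ace.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src_ip) not in ace.src or ipaddress.ip_address(dst_ip) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != str(sport):
        return False
    if ace.dport is not None and ace.dport != str(dport):
        return False
    return True


def acl_decision(acls, name, proto, src_ip, sport, dst_ip, dport):
    """First match wins, as on the ASA. None = nothing matched (implicit deny at the end)."""
    for ace in acls.get(name, []):
        if ace_matches(ace, proto, src_ip, sport, dst_ip, dport):
            return ace.action
    return None


def check_flow(site_a, site_b, proto, a_host, b_host, dport):
    """site_x = {'acls': parsed, 'crypto': name, 'nat0': name, 'inside': name or None}.
    Evaluates a_host -> b_host:dport as seen leaving A, and its mirror image as seen leaving B."""
    fwd = (proto, a_host, None, b_host, dport)
    rev = (proto, b_host, dport, a_host, None)

    def permits(site, acl, flow):
        return acl_decision(site["acls"], site[acl], *flow) == "permit"

    return {
        # interesting traffic on both ends; the far side must mirror the near side
        "a_crypto": permits(site_a, "crypto", fwd),
        "b_crypto": permits(site_b, "crypto", rev),
        # NAT exemption, otherwise the inside address is translated before the crypto check
        "a_nat0": permits(site_a, "nat0", fwd),
        "b_nat0": permits(site_b, "nat0", rev),
        # inside-interface ACL at the initiating side (no ACL applied = allowed by security level);
        # decrypted tunnel traffic bypasses the outside ACL by default (sysopt connection permit-vpn)
        "a_inside": site_a["inside"] is None or permits(site_a, "inside", fwd),
    }


# Constructed from the ACL lines posted for the 192.168.1.0/24 side.
SITE_A_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound remark For remote access clients
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list MUVPN_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
"""
# Constructed from the lines posted for the 192.168.2.0/24 side.
SITE_B_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in_1 extended permit ip any any
"""
# Constructed variant of side A whose inside ACL only opens tcp/3000: crypto and nat0
# still pass, but the 3001 pinhole fails at the inside ACL.
SITE_A_NARROW_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0 eq 3000
"""


def site(config, crypto, nat0, inside):
    return {"acls": parse_acls(config)[0], "crypto": crypto, "nat0": nat0, "inside": inside}


SITE_A = site(SITE_A_CONFIG, "outside_1_cryptomap", "inside_nat0_outbound", "inside_access_in")
SITE_B = site(SITE_B_CONFIG, "outside_1_cryptomap", "inside_nat0_outbound", "inside_access_in_1")
SITE_A_NARROW = site(SITE_A_NARROW_CONFIG, "outside_1_cryptomap", "inside_nat0_outbound", "inside_access_in")

# Hypothetical hosts: 192.168.1.10 runs the software, 192.168.2.60 is the device
# (192.168.2.60 appears in the posted config; which box it is remains an assumption).
SOFTWARE_HOST, DEVICE_HOST, PORT = "192.168.1.10", "192.168.2.60", 3001

if __name__ == "__main__":
    for label, a in (("posted configs", SITE_A), ("narrow inside ACL", SITE_A_NARROW)):
        print(label, check_flow(a, SITE_B, "tcp", SOFTWARE_HOST, DEVICE_HOST, PORT))
```

With the posted ACLs every check comes back True, which is what the last reply says: an "ip" permit between the two LANs already makes tcp/3001 interesting traffic, so a pinhole that still fails points at basic reachability (the ping failures earlier in the thread) rather than at the ACLs. The narrowed variant shows the other failure mode PK mentions, an inside ACL that does not cover the port while the tunnel ACLs are fine.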