Access List

Answered Question
Apr 30th, 2010

I want to allow the following ports from this server 72.30.210.5 to this server 192.168.100.10. I want to be able to run replication from server 72.30.210.5 to server 192.168.100.10 when I log in to the VPN client. My group is tech support. Is this how you would add the following statements? Attached is the config file for your information. Please let me know if you need additional information.

access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 192.168.100.10 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 192.168.100.10 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 range 1024 65535

Thanks.

Laura

Correct Answer
Jennifer Halim Fri, 04/30/2010 - 21:52

You can perform the replication from 72.30.210.5 towards the public IP address of 192.168.100.10, which is 66.102.7.89.

And on the access-list, you would need to permit the traffic towards the public IP address (66.102.7.89) instead of the private IP, as the private IP is not accessible from the internet, as follows:

access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535

Are you sure that you need to open all TCP ports from the outside (on the last line of your ACL)?

I am not too sure what you mean by performing replication when you VPN in because your VPN client will be assigned 192.168.101.x ip address, and I assume that 72.30.210.5 is a server on the internet?
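As an added illustration (not code from this thread), here is a small Python check that parses ACL lines in the host-to-host form used above and flags the two points raised in this answer: a private destination address on an internet-facing ACL, and a port range far wider than replication needs. The sample lines and the 64-port threshold are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the same ACE shape as the thread, with one private destination
# and one wide-open ephemeral range, so both checks fire.
SAMPLE_ACL = """
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535
"""

# Only the ASA service keywords used on this page are mapped; numeric ports pass through.
NAMED_PORTS = {"domain": 53, "ldap": 389}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<eq>\S+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)

def parse_ace(line):
    """Parse one host-to-host ACE into a dict (lo/hi = destination port span), or None."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["eq"] is not None:
        lo = hi = NAMED_PORTS[d["eq"]] if d["eq"] in NAMED_PORTS else int(d["eq"])
    elif d["lo"] is not None:
        lo, hi = int(d["lo"]), int(d["hi"])
    else:                       # no port clause: every port of the protocol
        lo, hi = 0, 65535
    return {"name": d["name"], "action": d["action"], "proto": d["proto"],
            "src": ipaddress.ip_address(d["src"]), "dst": ipaddress.ip_address(d["dst"]),
            "lo": lo, "hi": hi}

def audit_outside_acl(text, max_ports=64):
    """Return (line_no, message) findings for an ACL applied inbound on the outside interface."""
    findings = []
    for line_no, line in enumerate(text.strip().splitlines(), start=1):
        ace = parse_ace(line)
        if ace is None:
            findings.append((line_no, "unparsed line: " + line.strip()))
            continue
        if ace["dst"].is_private:   # RFC 1918 target is unreachable from the internet; use the NAT address
            findings.append((line_no, f"destination {ace['dst']} is private; permit the public (NAT) address instead"))
        width = ace["hi"] - ace["lo"] + 1
        if width > max_ports:       # e.g. 'range 1024 65535' opens 64512 ports
            findings.append((line_no, f"{ace['proto']} range {ace['lo']}-{ace['hi']} opens {width} ports; narrow it"))
    return findings
```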

laurabolda Sun, 05/02/2010 - 17:54

Halijenn,

Thanks for your prompt response and information. I will make a change on the ACL.

On my last ACL line "access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535", I am not sure which ports to open. So, I open all ports for now.

The server 72.30.210.5 is at the corporate office. This server is a Domain Controller. We want to be able to replicate Active Directory from the server 72.30.210.5 (main office) to the remote Domain Controller (66.102.7.89) at the remote office.

Please let me know if I still have not answered your questions or if you have any other questions. Would you change the ACLs?

Thanks very much.

Laura

Correct Answer
Jennifer Halim Sun, 05/02/2010 - 18:12

If you are running Domain Controller replication, the best option would be to create a site-to-site VPN tunnel between your remote site and corporate office. You do not want to run clear-text DC replication through the internet, as it could be intercepted by a hacker.

Here is a sample configuration of a site-to-site VPN tunnel for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

If you decide to configure a site-to-site VPN tunnel, you would also need to configure the corresponding corporate office to terminate the VPN tunnel. Are you also running an ASA firewall at your corporate office?

laurabolda Sun, 05/02/2010 - 19:47

Halijenn,

Thanks for your prompt response and information. We have a VPN 3000 Concentrator at the Corporate Office and an ASA 5510 at the Remote Office. Would it still be possible to set up Site-to-Site VPN given the different types of appliances? If not, would I still be able to run the replication using the VPN client to the ASA 5510 with the above ACLs?

access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535

Thank you very much.

Laura

Correct Answer
Federico Coto F... Sun, 05/02/2010 - 19:57

Laura,

You can definitely establish the L2L tunnel between an ASA and a Concentrator.

It does not really matter that they are different appliances, because they understand IPsec (which is a standard), so there are no problems in doing all combinations with Cisco devices like IOS routers, Firewalls, Concentrators or other vendors.

As well, you can establish the Cisco VPN client to connect to any of the Cisco VPN endpoints.

Hope it helps.

Federico.

laurabolda Mon, 05/03/2010 - 13:27

Thanks for your prompt response and information. I have another question. I am unable to ping the outside server IP address 72.30.210.5 from the internal server 66.102.7.89. I get the error message "Request timed out" when I ping 72.30.210.5. However, I am able to ping www.google.com and www.yahoo.com. Could it be that ping is turned off at the firewall where server 72.30.210.5 is located? Is there a way to troubleshoot why I am not able to ping 72.30.210.5? Thanks.

laurabolda Mon, 05/03/2010 - 14:53

Please ignore my question.  I found out that the firewall blocked ICMP.  Thanks.

Jennifer Halim Mon, 05/03/2010 - 14:56

You are absolutely correct. You can only ping the directly connected interface of the firewall, i.e. from the inside network you can only ping the inside interface of the firewall, and from the outside/internet you can only ping the outside interface of the firewall.
