
Allowing ports through a VPN tunnel question

anowell
Level 1

I have a VPN tunnel set up and I can ping across it but my application is failing and I believe its because I am not allowing 2 ports (TCP ports 19813 and 19814) through. I'm unclear how I should go about allowing these ports through. Do I need to add a permit statement to my "nonat" access-list or do I need to add a permit statement to my "outside" interface access-list?

The remote users have an IP address of 172.16.5.x /24 and they are trying to connect to users on the 192.168.200.x /24 and 192.168.201.x /24. I am able to ping from the 192.168.200.x /24 to the 172.16.5.0 /24.

The below commands are what I currently have in my PIX.

My current nonat access-list:

access-list nonat permit ip 192.168.201.0 255.255.255.0 172.16.5.0 255.255.255.0

access-list nonat permit ip 192.168.200.0 255.255.255.0 172.16.5.0 255.255.255.0

My current outside interface access-list:

access-list acl_inbound permit tcp any host xx.xx.xx.xx eq smtp

access-list acl_inbound permit tcp any host xx.xx.xx.xx eq citrix-ica

access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www

access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www

access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www

access-list acl_inbound permit tcp any host xx.xx.xx.xx eq 500

access-list acl_inbound permit esp any host xx.xx.xx.xx

access-list acl_inbound permit icmp any any echo-reply

access-list acl_inbound permit icmp any any time-exceeded

access-list acl_inbound permit icmp any any unreachable

access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www

access-list acl_inbound permit tcp any host xx.xx.xx.xx eq https


6 Replies

pwicks
Level 1

Add the following lines to your outside interface access list:

access-list acl_inbound permit esp 172.16.5.0 255.255.255.0 host x.x.x.x

access-list acl_inbound permit udp 172.16.5.0 255.255.255.0 host x.x.x.x eq isakmp

x.x.x.x = IP address of outside interface

If you have the "sysopt connection permit-ipsec" in your configuration, the rules in your outside interface access list will not be applied to IPSEC-protected traffic.

I do have "sysopt connection permit-ipsec" in my config, do you have any other ideas?

If you have the "sysopt connection permit-ipsec" command in your configuration, the access list statements related to traffic on the 172.16.5.0 network are ignored. Remove the "sysopt connection permit-ipsec" command for more control of your VPN traffic.

After removing that command, enter the following four lines to the outside interface access list:

access-list acl_inbound permit esp 172.16.5.0 255.255.255.0 host x.x.x.x

access-list acl_inbound permit udp 172.16.5.0 255.255.255.0 host x.x.x.x eq isakmp

access-list acl_inbound permit ip 172.16.5.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list acl_inbound permit ip 172.16.5.0 255.255.255.0 192.168.200.0 255.255.255.0

x.x.x.x = IP address of outside interface

You should see a change in the way traffic passes through the Pix.
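The accepted answer above turns on one idea: while "sysopt connection permit-ipsec" is set, the outside access list is not consulted for IPsec traffic at all, and once it is removed the list must permit both the tunnel itself (ESP and ISAKMP to the outside address) and the decrypted peer-to-LAN flows. The following script is an added example, not code from the thread or from Cisco: it parses PIX-style access-list lines, evaluates a flow against them with the implicit deny at the end, and reports which of the VPN's flows would be dropped. The outside address 203.0.113.1, the sample configurations and the small service-name table are constructed for the example.

```python
"""Audit a PIX-style outside access list for a site-to-site VPN (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of PIX service names that appear in the thread (constructed lookup table).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "isakmp": 500, "citrix-ica": 1494}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "esp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]      # set only when the entry carries "eq <port>"


def _addr(tokens, i):
    """Parse one address spec ('any' | 'host A.B.C.D' | 'A.B.C.D MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2


def parse_config(lines):
    """Return ({acl_name: [Ace, ...]}, True if 'sysopt connection permit-ipsec' is set)."""
    acls, sysopt = {}, False
    for raw in lines:
        t = raw.split()
        if t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            sysopt = True
        elif t[:1] == ["access-list"]:
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, port))
    return acls, sysopt


def permits(aces, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation; a PIX access list ends in an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and (ace.dst_port is None or ace.dst_port == dst_port)):
            return ace.action == "permit"
    return False


def audit_vpn(lines, acl_name, outside_ip, peer_net, local_nets, app_ports):
    """List the VPN flows the outside ACL would drop; an empty list means no gaps."""
    acls, sysopt = parse_config(lines)
    if sysopt:
        return ["sysopt connection permit-ipsec is set: the outside ACL is bypassed for "
                "IPsec traffic, so its entries neither allow nor block the VPN flows"]
    aces = acls.get(acl_name, [])
    peer_host = str(ipaddress.IPv4Network(peer_net)[1])   # any host in the peer LAN
    gaps = []
    # Tunnel establishment: ESP and ISAKMP from the peer to our outside address.
    if not permits(aces, "esp", peer_host, outside_ip):
        gaps.append(f"esp {peer_net} -> {outside_ip}")
    if not permits(aces, "udp", peer_host, outside_ip, 500):
        gaps.append(f"udp/500 isakmp {peer_net} -> {outside_ip}")
    # Decrypted application traffic: peer hosts to each local network on each port.
    for net in local_nets:
        lan_host = str(ipaddress.IPv4Network(net)[1])
        for port in app_ports:
            if not permits(aces, "tcp", peer_host, lan_host, port):
                gaps.append(f"tcp/{port} {peer_net} -> {net}")
    return gaps


OUTSIDE = "203.0.113.1"   # constructed stand-in for the thread's xx.xx.xx.xx
BEFORE = [                 # constructed: the poster's list plus the sysopt command
    "sysopt connection permit-ipsec",
    f"access-list acl_inbound permit tcp any host {OUTSIDE} eq smtp",
    f"access-list acl_inbound permit tcp any host {OUTSIDE} eq citrix-ica",
    f"access-list acl_inbound permit tcp any host {OUTSIDE} eq www",
    f"access-list acl_inbound permit tcp any host {OUTSIDE} eq 500",
    f"access-list acl_inbound permit esp any host {OUTSIDE}",
    "access-list acl_inbound permit icmp any any echo-reply",
    f"access-list acl_inbound permit tcp any host {OUTSIDE} eq https",
]
AFTER = BEFORE[1:] + [     # sysopt removed and the four lines from the accepted answer added
    f"access-list acl_inbound permit esp 172.16.5.0 255.255.255.0 host {OUTSIDE}",
    f"access-list acl_inbound permit udp 172.16.5.0 255.255.255.0 host {OUTSIDE} eq isakmp",
    "access-list acl_inbound permit ip 172.16.5.0 255.255.255.0 192.168.201.0 255.255.255.0",
    "access-list acl_inbound permit ip 172.16.5.0 255.255.255.0 192.168.200.0 255.255.255.0",
]
ARGS = ("acl_inbound", OUTSIDE, "172.16.5.0/24",
        ["192.168.200.0/24", "192.168.201.0/24"], [19813, 19814])

if __name__ == "__main__":
    for label, cfg in (("with sysopt", BEFORE), ("sysopt removed only", BEFORE[1:]),
                       ("accepted fix", AFTER)):
        print(f"{label}: {audit_vpn(cfg, *ARGS) or 'no gaps'}")
```

Running it shows the three states the thread walks through: with the sysopt command the audit reports that the list is bypassed; with it removed but the list unchanged, ISAKMP and the four peer-to-LAN flows on 19813/19814 are dropped (ESP already passes because of the existing "permit esp any" entry); with the four lines added, no gaps remain. The evaluator only understands the single-port "eq" form seen on the page, which is enough for this list.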

Patrick Iseli
Level 7

If I understand right what you are explaining, then your VPN Site-2-Site Tunnel is already up, but you are not able to connect to a specific port, right?

The VPN Tunnel is not controlled by the outside interface access-list; if there is one, then it is in the VPN config.

The problem could be:

1. Setup of the access-list:

NOTE: Your NONAT looks ok !

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet

PIX(config)# nat (inside) 0 access-list NONAT

Then you can restrict access to a few ports or IP addresses on both sides. Check if you have that kind of access-list in your PIX setup.

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# crypto map REMOTE 10 match address VPN

Normally the VPN Tunnels do not have restrictions!

2.) Investigate if you have routing problems. Can you ping or traceroute from one side or the other?

Might be a good starting point to try to ping from the destination server where you try to connect. Try another port or application, such as Remote Desktop server.

3.) That port might be just allowed from the local LAN but not from the remote one. See if there is a local firewall service running.

4.) Troubleshoot with the capture command on the PIX to see how far the packets are going:

example:

access-list 120 permit tcp any any eq 19813

access-list 120 permit tcp any any eq 19814

capture vpncap access-list 120 interface inside

show capture vpncap access-list 120 detail

to remove the capture:

no capture vpncap

Hope this gives a good starting point.

sincerely

Patrick

jakob.langgaard
Level 1

As someone already said, the access-list on your outside interface does not have anything to do with this, and neither do your NAT statements.

Do you have an access-list applied to your inside interface (where the users come from) ?

Because that will also need to allow access to the ports you mention.

Don't you get any log messages on the PIX when you try to access these ports ?

Thanks to all that responded!!! I got it fixed.

Tony