10-04-2005 10:43 AM - edited 02-21-2020 02:01 PM
I have a VPN tunnel set up and I can ping across it, but my application is failing and I believe it's because I am not allowing 2 ports (TCP ports 19813 and 19814) through. I'm unclear how I should go about allowing these ports through. Do I need to add a permit statement to my "nonat" access-list or do I need to add a permit statement to my "outside" interface access-list?
The remote users have an IP address of 172.16.5.x /24 and they are trying to connect to users on the 192.168.200.x /24 and 192.168.201.x /24. I am able to ping from the 192.168.200.x /24 to the 172.16.5.0 /24.
The below commands are what I currently have in my PIX.
My current nonat access-list:
access-list nonat permit ip 192.168.201.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 172.16.5.0 255.255.255.0
My current outside interface access-list:
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq smtp
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq citrix-ica
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq 500
access-list acl_inbound permit esp any host xx.xx.xx.xx
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq https
10-04-2005 07:59 PM
If you have the "sysopt connection permit-ipsec" command in your configuration, the access list statements related to traffic on the 172.16.5.0 network are ignored. Remove the "sysopt connection permit-ipsec" command for more control of your VPN traffic.
After removing that command, add the following four lines to the outside interface access list:
access-list acl_inbound permit esp 172.16.5.0 255.255.255.0 host x.x.x.x
access-list acl_inbound permit udp 172.16.5.0 255.255.255.0 host x.x.x.x eq isakmp
access-list acl_inbound permit ip 172.16.5.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list acl_inbound permit ip 172.16.5.0 255.255.255.0 192.168.200.0 255.255.255.0
x.x.x.x = IP address of outside interface
You should see a change in the way traffic passes through the Pix.
10-04-2005 12:50 PM
Add the following lines to your outside interface access list:
access-list acl_inbound permit esp 172.16.5.0 255.255.255.0 host x.x.x.x
access-list acl_inbound permit udp 172.16.5.0 255.255.255.0 host x.x.x.x eq isakmp
x.x.x.x = IP address of outside interface
If you have the "sysopt connection permit-ipsec" in your configuration, the rules in your outside interface access list will not be applied to IPSEC-protected traffic.
10-04-2005 01:40 PM
I do have "sysopt connection permit-ipsec" in my config, do you have any other ideas?
10-04-2005 02:18 PM
If I understand right what you are explaining, then your VPN site-to-site tunnel is already up, but you are not able to connect to a specific port, right?
The VPN tunnel is not controlled by the outside interface access-list; if there is one, it is in the VPN config.
The problem could be:
1.) Setup of the access-list:
NOTE: Your NONAT looks ok!
PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet
PIX(config)# nat (inside) 0 access-list NONAT
Then you can restrict access to a few ports or IP addresses on both sides. Check if you have that kind of access-list in your PIX setup.
PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# crypto map REMOTE 10 match address VPN
Normally the VPN tunnels do not have restrictions!
2.) Investigate if you have routing problems. Can you ping or traceroute from one or the other side?
It might be a good starting point to try to ping from the destination server where you try to connect. Try another port or application, such as Remote Desktop.
3.) That port might be allowed only from the local LAN but not from the remote one. See if there is a local firewall service running.
4.) Troubleshoot with the capture command on the PIX to see how far the packets are getting:
example:
access-list 120 permit tcp any any eq 19813
access-list 120 permit tcp any any eq 19814
capture vpncap access-list 120 interface inside
show capture vpncap access-list 120 detail
to remove the capture:
no capture vpncap access-list 120 interface inside
Hope this gives a good starting point.
sincerely
Patrick
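The accepted answer above shows that, once "sysopt connection permit-ipsec" is gone, the outside ACL decides what decrypted VPN traffic may pass (implicit deny at the end), and Patrick's point 1 notes you can restrict the tunnel to a few ports. The following small evaluator of PIX-style access-list entries is an added example, not code from the thread or from Cisco; the outside address 203.0.113.1 and the hosts 172.16.5.10 / 192.168.200.20 are constructed stand-ins for the xx.xx.xx.xx and the /24s in the question.

```python
import ipaddress

# Port keywords the thread's ACL uses; PIX resolves these names itself (constructed subset).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "isakmp": 500, "citrix-ica": 1494}

def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'NET MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """access-list NAME permit|deny PROTO SRC DST [eq PORT]; ICMP type words are ignored."""
    t = line.split()
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"acl": t[1], "permit": t[2] == "permit", "proto": t[3],
            "src": src, "dst": dst, "port": port}

def permitted(acl_lines, acl_name, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry wins; no match means the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["acl"] != acl_name or ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return ace["permit"]
    return False

# Constructed stand-in for the thread's acl_inbound (outside address xx.xx.xx.xx -> 203.0.113.1).
ORIGINAL = [
    "access-list acl_inbound permit tcp any host 203.0.113.1 eq smtp",
    "access-list acl_inbound permit tcp any host 203.0.113.1 eq www",
    "access-list acl_inbound permit esp any host 203.0.113.1",
]
# The accepted answer's broad entry versus one scoped to the application's port only.
BROAD = ["access-list acl_inbound permit ip 172.16.5.0 255.255.255.0 192.168.200.0 255.255.255.0"]
NARROW = ["access-list acl_inbound permit tcp 172.16.5.0 255.255.255.0 192.168.200.0 255.255.255.0 eq 19813"]
```

With ORIGINAL alone a remote 172.16.5.x host reaching TCP/19813 on 192.168.200.x is denied; either added entry permits it, but NARROW leaves every other port (for example 3389) blocked.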
10-05-2005 04:36 AM
As someone already said, the access-list on your outside interface does not have anything to do with this, and neither do your NAT statements.
Do you have an access-list applied to your inside interface (where the users come from) ?
Because that will also need to allow access to the ports you mention.
Don't you get any log messages on the PIX when you try to access these ports ?
10-05-2005 09:43 AM
Thanks to all that responded!!! I got it fixed.
Tony