New Member

PIX VPN Port traffic not transferring...

I have a PIX-to-PIX VPN established. I can ping back and forth from client to client on their respective networks over the VPN. I can get DNS resolution over the VPN. I can even log in to a domain across the VPN; however, I cannot seem to get any port-related traffic to establish. I try using both Terminal Services and Citrix clients to connect to the servers across the VPN, but get timed out on both services.

What is restricting my port traffic? I can't find it.

PIX 515: (servers are on the inside of this network, 10.128.1.0)

PIX Version 6.2(2)
...
names
name x.x.x.98 GreenBuilding
name x.x.x.126 PalHall
...
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip host GreenBuilding 10.128.15.0 255.255.255.0
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 10.128.1.0 255.255.255.0
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 host PalHall
access-list testonly permit ip any any
...
ip address outside GreenBuilding 255.255.255.248
ip address inside 10.128.1.250 255.255.255.0
...
global (outside) 1 interface
nat (inside) 0 access-list vpn1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.100 10.128.1.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.102 10.128.1.4 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.101 10.128.1.7 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host x.x.x.100 eq citrix-ica any
conduit permit tcp any eq 3000 any
conduit permit tcp host x.x.x.102 eq citrix-ica any
conduit permit tcp host x.x.x.102 eq 3389 any
conduit permit tcp host x.x.x.100 eq 3389 any
conduit permit tcp host x.x.x.101 eq www any
conduit permit tcp host x.x.x.101 eq 3389 any
route outside 0.0.0.0 0.0.0.0 x.x.x.97 1
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address vpn1
crypto map vpn1 10 set pfs
crypto map vpn1 10 set peer PalHall
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address PalHall netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
: end

PIX 506: (network 10.128.15.0 needs to access server port traffic on the 10.128.1.0 network)

PIX Version 6.2(2)
...
hostname PalHall
domain-name PalHall.com
...
names
name 64.53.6.98 GreenBuilding
name 64.203.210.126 PalHall
...
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 10.128.1.0 255.255.255.0
access-list vpn1 permit ip host PalHall 10.128.1.0 255.255.255.0
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 host GreenBuilding
access-list testonly permit ip any any
...
ip address outside pppoe setroute
ip address inside 10.128.15.100 255.255.255.0
...
global (outside) 2 interface
nat (inside) 0 access-list vpn1
nat (inside) 2 10.128.15.0 255.255.255.0 0 0
access-group testonly in interface outside
access-group testonly in interface inside
...
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address vpn1
crypto map vpn1 10 set pfs
crypto map vpn1 10 set peer GreenBuilding
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address GreenBuilding netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
...
: end
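The following is an added example, not code from the original post or a Cisco tool: a small Python linter for the two posted PIX 6.x configs. The two config strings are the relevant lines copied from the post (the post's "..." elisions and lines the checks do not use are left out), and the function names and checks are this example's own. It checks that the crypto-map ACL on each peer is the mirror image of the other peer's ACL, lists ACL entries whose source is not the local inside network (such entries never select inside-originated traffic; in the posted configs they are the other peer's lines pasted in reverse), tests whether a given flow such as the RDP connection is selected as interesting traffic on both peers, and flags single DES and DH group 1, which no new tunnel should use. Named peers such as `host PalHall` are compared literally, since the `name` statements on the 515 side are masked in the post.

```python
# Added example (not part of the original post): lint two PIX 6.x site-to-site
# configs for what most often keeps traffic out of the tunnel. The two strings
# are lines copied from the posted configs (elisions and unrelated lines left
# out); function names and the checks are this example's own, not Cisco's.
import re
from ipaddress import ip_address, ip_network

CONFIG_515 = """\
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip host GreenBuilding 10.128.15.0 255.255.255.0
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 10.128.1.0 255.255.255.0
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 host PalHall
ip address inside 10.128.1.250 255.255.255.0
nat (inside) 0 access-list vpn1
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 match address vpn1
isakmp policy 10 encryption des
isakmp policy 10 group 1
"""

CONFIG_506 = """\
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 10.128.1.0 255.255.255.0
access-list vpn1 permit ip host PalHall 10.128.1.0 255.255.255.0
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 host GreenBuilding
ip address inside 10.128.15.100 255.255.255.0
nat (inside) 0 access-list vpn1
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 match address vpn1
isakmp policy 10 encryption des
isakmp policy 10 group 1
"""

def _endpoint(tokens):
    """Consume one ACE endpoint; return (normalised text, remaining tokens)."""
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]          # 'host PalHall' stays symbolic
    if tokens[0] == "any":
        return "any", tokens[1:]
    return str(ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)), tokens[2:]

def crypto_acl(config):
    """(src, dst) pairs of the ACL that 'crypto map ... match address' names."""
    name = re.search(r"^crypto map \S+ \d+ match address (\S+)", config, re.M).group(1)
    aces = []
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["access-list", name, "permit", "ip"]:
            src, rest = _endpoint(t[4:])
            aces.append((src, _endpoint(rest)[0]))
    return aces

def unmirrored(local, remote):
    """ACEs on 'local' whose reverse (dst, src) is missing on 'remote'.
    Crypto ACLs must be exact mirror images or the peers disagree on what to encrypt."""
    remote_aces = set(crypto_acl(remote))
    return [(s, d) for s, d in crypto_acl(local) if (d, s) not in remote_aces]

def non_local_source(config):
    """ACEs whose source is outside the local inside network. 'nat (inside) 0
    access-list' is evaluated on packets arriving from inside, so such lines
    exempt nothing; in the posted configs they are the other peer's lines."""
    m = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    inside = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    def local(ep):
        if ep.startswith("host "):
            return ep[5:].replace(".", "").isdigit() and ip_address(ep[5:]) in inside
        return ep != "any" and ip_network(ep).subnet_of(inside)
    return [(s, d) for s, d in crypto_acl(config) if not local(s)]

def _contains(endpoint, addr):
    if endpoint.startswith("host "):
        return endpoint[5:] == addr                      # names/IPs compared literally
    try:
        return endpoint == "any" or ip_address(addr) in ip_network(endpoint)
    except ValueError:
        return False                                     # symbolic name vs. a subnet

def matches(config, src, dst):
    """First ACE that selects src->dst as interesting traffic, or None."""
    for s, d in crypto_acl(config):
        if _contains(s, src) and _contains(d, dst):
            return (s, d)
    return None

def weak_crypto(config):
    """Lines selecting algorithms no new tunnel should use (DES, MD5, DH group 1)."""
    weak = (["encryption", "des"], ["hash", "md5"], ["group", "1"])
    found = []
    for line in config.splitlines():
        t = line.split()
        if (t[:2] == ["isakmp", "policy"] and t[3:5] in weak) or \
           (t[:3] == ["crypto", "ipsec", "transform-set"] and {"esp-des", "esp-md5-hmac"} & set(t)):
            found.append(line)
    return found

if __name__ == "__main__":
    for label, cfg, peer in (("515", CONFIG_515, CONFIG_506), ("506", CONFIG_506, CONFIG_515)):
        print(label, unmirrored(cfg, peer), non_local_source(cfg), weak_crypto(cfg))
    print(matches(CONFIG_506, "10.128.15.5", "10.128.1.3"), matches(CONFIG_515, "10.128.1.3", "10.128.15.5"))
```

Run over the posted configs, `unmirrored` is empty in both directions and an RDP flow from 10.128.15.x to 10.128.1.3 is selected on both peers, so the crypto ACLs are not what is missing; `non_local_source` lists the two reversed lines on each side, and `weak_crypto` reports `esp-des`, `encryption des` and `group 1`.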

1 REPLY
New Member

Re: PIX VPN Port traffic not transferring...

I still have not resolved this issue; I need help.

I ran a port scanner across the VPN. I get 2 ports back, 25 and 110. If I try to telnet to those ports I get a blank telnet screen. The IP that I'm telnetting to should not have email services on it. I'm confused about what telnet to port 25 is connecting to on that IP. Regardless, I can't get any other ports to show up across the VPN.

If I could get port traffic across this VPN I would be good to go.

Also, if I can't get anything else off a port scan, how is it that I get name resolution and can log in to the domain across the VPN?
