Cisco Support Community

New Member

Access List

I want to allow the following ports from this server 72.30.210.5 to this server 192.168.100.10. I want to be able to run replication from server 72.30.210.5 to server 192.168.100.10 when I log in to the VPN client. My group is tech support. Is this how you would add the following statements? Attached is the config file for your information. Please let me know if you need additional information.

access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 192.168.100.10 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 192.168.100.10 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 range 1024 65535

Thanks.

Laura

8 REPLIES
Cisco Employee

Re: Access List

You can perform the replication from 72.30.210.5 towards the public IP address of 192.168.100.10, which is 66.102.7.89.

And on the access-list, you would need to permit the traffic towards the public IP address (66.102.7.89) instead of the private IP, as the private IP is not accessible from the internet, as follows:

access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535

Are you sure that you need to open all TCP ports from the outside (on the last line of your ACL)?

I am not too sure what you mean by performing replication when you VPN in, because your VPN client will be assigned a 192.168.101.x IP address, and I assume that 72.30.210.5 is a server on the internet?
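
As an added example (not from the thread or from Cisco), a small Python checker that parses ASA extended ACEs of the host-to-host form posted here and flags the two points raised in this reply: a private destination address on an Internet-facing ACL, and a broad port span such as the last line's 1024-65535. The sample ACL text is constructed from the lines in the thread; the 100-port span threshold is an assumed cutoff.

```python
import ipaddress
import re
# Host-to-host extended ACE form used in the thread (name, action, proto, src, dst, ports).
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+(?P<op>eq|range)\s+(?P<ports>[\w ]+?))?\s*$"
)
NAMED_PORTS = {"domain": 53, "ldap": 389}  # port names that appear in the thread
# Constructed sample input: the ACEs as first posted (private destination) and as corrected
# in the reply (public NAT address); the broad last line is left in both on purpose.
ORIGINAL_ACL = """
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 192.168.100.10 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 192.168.100.10 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 range 1024 65535
"""
CORRECTED_ACL = ORIGINAL_ACL.replace("192.168.100.10", "66.102.7.89")

def port_range(op, ports):
    """(low, high) for 'eq X', 'range A B', or no port spec at all (every port)."""
    if op is None:
        return (1, 65535)
    nums = [NAMED_PORTS[p] if p in NAMED_PORTS else int(p) for p in ports.split()]
    return (nums[0], nums[0]) if op == "eq" else (nums[0], nums[1])

def audit_ace(line, max_span=100):
    """Findings for one ACE, assumed to sit on an Internet-facing (outside) ACL."""
    m = ACE_RE.match(line.strip())
    if not m:
        return [f"unrecognised ACE: {line.strip()!r}"]
    findings = []
    if ipaddress.ip_address(m["dst"]).is_private:
        findings.append("private destination is unreachable from the Internet; permit the NAT public address")
    low, high = port_range(m["op"], m["ports"])
    if high - low + 1 > max_span:  # assumed threshold for 'broad'
        findings.append(f"ports {low}-{high} is a broad span; limit it to the ports replication needs")
    return findings

def audit(acl_text, max_span=100):
    """Audit each non-empty ACE line; returns {line_number: [findings]}."""
    report = {}
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        findings = audit_ace(line, max_span)
        if findings:
            report[n] = findings
    return report
```

Running `audit(ORIGINAL_ACL)` reports every line for the private destination and line 5 additionally for the port span; `audit(CORRECTED_ACL)` leaves only the line 5 span finding.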

New Member

Re: Access List

Halijenn,

Thanks for your prompt response and information. I will make a change on the ACL.

On my last ACL line "access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535", I am not sure which ports to open. So, I opened all ports for now.

The server 72.30.210.5 is at the corporate office. This server is a Domain Controller. We want to be able to replicate Active Directory from the server 72.30.210.5 (main office) to the remote Domain Controller (66.102.7.89) at the remote office.

Please let me know if I still have not answered your questions or if you have any other questions. Would you change the ACLs?

Thanks very much.

Laura

Cisco Employee

Re: Access List

If you are running Domain Controller replication, the best option would be to create a site-to-site VPN tunnel between your remote site and the corporate office. You do not want to run clear-text DC replication through the internet, as it could be intercepted by a hacker.

Here is a sample configuration of a site-to-site VPN tunnel for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

If you decide to configure a site-to-site VPN tunnel, you would also need to configure the corresponding corporate office device to terminate the VPN tunnel. Are you also running an ASA firewall at your corporate office?

New Member

Re: Access List

Halijenn,

Thanks for your prompt response and information. We have a VPN 3000 Concentrator at the Corporate Office and an ASA 5510 at the Remote Office. Would it still be possible to set up a site-to-site VPN given the different types of appliances? If not, would I still be able to run the replication using the VPN client to the ASA 5510 with the above ACLs?

access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535

Thank you very much.

Laura

Re: Access List

Laura,

You can definitely establish the L2L tunnel between an ASA and a Concentrator.

It does not really matter that they are different appliances, because they both understand IPsec (which is a standard), so there are no problems in doing any combination of Cisco devices like IOS routers, Firewalls, Concentrators, or other vendors' equipment.

As well, you can establish the Cisco VPN client to connect to any of the Cisco VPN endpoints.

Hope it helps.

Federico.

New Member

Re: Access List

Thanks for your prompt response and information. I have another question. I am unable to ping the outside server IP address 72.30.210.5 from the internal server 66.102.7.89. I get the error message "Request timed out" when I ping 72.30.210.5. However, I am able to ping www.google.com and www.yahoo.com. Could it be that ping is turned off at the firewall where server 72.30.210.5 is located? Is there a way to troubleshoot why I am not able to ping 72.30.210.5? Thanks.

New Member

Re: Access List

Please ignore my question.  I found out that the firewall blocked ICMP.  Thanks.

Cisco Employee

Re: Access List

You are absolutely correct. You can only ping the directly connected interface of the firewall, i.e., from the inside network you can only ping the inside interface of the firewall, and from the outside/internet you can only ping the outside interface of the firewall.
