10-04-2005 11:06 AM
I have a VPN tunnel set up and I can ping across it, but my application is failing and I believe it's because I am not allowing 2 ports (TCP ports 19813 and 19814) through. I'm unclear how I should go about allowing these ports through. Do I need to add a permit statement to my "nonat" access-list, or do I need to add a permit statement to my "outside" interface access-list?
The remote users have an IP address of 172.16.5.x /24 and they are trying to connect to users on the 192.168.200.x /24 and 192.168.201.x /24. I am able to ping from the 192.168.200.x /24 to the 172.16.5.0 /24.
The below commands are what I currently have in my PIX.
My current nonat access-list:
access-list nonat permit ip 192.168.201.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 172.16.5.0 255.255.255.0
My current outside interface access-list:
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq smtp
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq citrix-ica
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq 500
access-list acl_inbound permit esp any host xx.xx.xx.xx
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq https
10-04-2005 11:20 AM
Anthony
Your nonat list looks fine to me and should include the addresses that you need already. I believe that you do need to add to the access list on the outside interface to permit those two TCP ports.
HTH
Rick
10-04-2005 12:16 PM
Rick, Thanks so much for posting!
Anyone else have any input?
10-04-2005 07:23 PM
Firstly, have you disabled the command "sysopt connection permit-ipsec" on the PIX? With this command enabled, which is on by default, the PIX will ignore any ACL for encrypted traffic. So if you haven't disabled this command, then the ACL you applied on the outside int will not make any difference.
Nonetheless, if "sysopt connection permit-ipsec" is still enabled, then all protocols/ports should be allowed.
You mentioned you were able to ping from 192.168.200.0 to 172.16.5.0. How about from 172.16.5.0 to 192.168.200.0 and 192.168.201.0?
Also, I was just wondering whether the VPN is LAN-to-LAN or remote VPN access (i.e. using the Cisco VPN Client).
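The two ways of handling tunnelled traffic that this answer describes, written out as PIX configuration. This is an added example, not configuration from the thread; the ACL name acl_inbound, the interface name outside and the subnets are taken from the original post, and the assumption is that 172.16.5.0/24 is the only source that needs the two application ports.

```cisco
! Option A: leave the default in place. With this set, the PIX does not
! evaluate the outside interface ACL for traffic that arrived through an
! IPsec tunnel, so TCP 19813/19814 need no acl_inbound entry at all.
sysopt connection permit-ipsec

! Option B (alternative to A, do not combine): disable the bypass so that
! decrypted tunnel traffic is checked against acl_inbound like any other
! inbound traffic, then permit only the two application ports from the
! remote VPN subnet to the two internal subnets. Everything else from the
! tunnel is dropped by the implicit deny at the end of the ACL.
no sysopt connection permit-ipsec
access-list acl_inbound permit tcp 172.16.5.0 255.255.255.0 192.168.200.0 255.255.255.0 eq 19813
access-list acl_inbound permit tcp 172.16.5.0 255.255.255.0 192.168.200.0 255.255.255.0 eq 19814
access-list acl_inbound permit tcp 172.16.5.0 255.255.255.0 192.168.201.0 255.255.255.0 eq 19813
access-list acl_inbound permit tcp 172.16.5.0 255.255.255.0 192.168.201.0 255.255.255.0 eq 19814
access-group acl_inbound in interface outside

! The nonat ACL is unaffected by either option: it only tells the PIX which
! flows to exempt from NAT, and the existing two lines already cover
! 192.168.200.0/24 and 192.168.201.0/24 to 172.16.5.0/24.
```

Option A is what the thread settled on; Option B trades that convenience for explicit per-port control over what the remote site can reach.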
10-05-2005 09:33 AM
jackko,
I added the "sysopt connection permit-ipsec" command and that fixed my issue. Just want to say thank you!
Tony