445 Views, 0 Helpful, 4 Replies

Allowing ports through a VPN tunnel question

anowell
Level 1

I have a VPN tunnel set up and I can ping across it, but my application is failing and I believe it's because I am not allowing 2 ports (TCP ports 19813 and 19814) through. I'm unclear how I should go about allowing these ports through. Do I need to add a permit statement to my "nonat" access-list, or do I need to add a permit statement to my "outside" interface access-list?

The remote users have an IP address of 172.16.5.x /24 and they are trying to connect to users on the 192.168.200.x /24 and 192.168.201.x /24. I am able to ping from the 192.168.200.x /24 to the 172.16.5.0 /24.

The below commands are what I currently have in my PIX.

My current nonat access-list:

access-list nonat permit ip 192.168.201.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 172.16.5.0 255.255.255.0

My current outside interface access-list:

access-list acl_inbound permit tcp any host xx.xx.xx.xx eq smtp
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq citrix-ica
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq 500
access-list acl_inbound permit esp any host xx.xx.xx.xx
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq https

1 Accepted Solution

jackko
Level 7

Firstly, have you disabled the command "sysopt connection permit-ipsec" on the PIX? With this command enabled, which is on by default, the PIX will ignore any ACL for encrypted traffic. So if you haven't disabled this command, then the ACL you applied on the outside interface will not make any difference.

Nonetheless, if "sysopt connection permit-ipsec" is still enabled, then all protocols/ports should be allowed.

You mentioned you were able to ping from 192.168.200.0 to 172.16.5.0. How about from 172.16.5.0 to 192.168.200.0 and 192.168.201.0?

Also, I was just wondering whether the VPN is LAN-to-LAN or remote access VPN (i.e. using the Cisco VPN client).

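
The two ways of handling this that the answers above describe, written out as an added example in PIX 6.x syntax (not configuration from the original thread). Option A is what the poster ended up with; option B keeps the outside ACL in force for decrypted tunnel traffic and opens only the two application ports. It assumes acl_inbound is bound to the outside interface with access-group, which the post does not show.

```cisco
! Option A: the thread's outcome. With this sysopt enabled (the PIX default),
! traffic arriving through the IPsec tunnel bypasses the outside interface ACL,
! so every protocol and port from 172.16.5.0/24 is allowed inbound.
sysopt connection permit-ipsec

! Option B: tighter alternative. Disable the bypass so acl_inbound is evaluated
! for decrypted traffic too, then permit only TCP 19813/19814 from the remote
! subnet to the two internal subnets. Everything else from the tunnel is dropped
! by the implicit deny at the end of acl_inbound.
no sysopt connection permit-ipsec
access-list acl_inbound permit tcp 172.16.5.0 255.255.255.0 192.168.200.0 255.255.255.0 eq 19813
access-list acl_inbound permit tcp 172.16.5.0 255.255.255.0 192.168.200.0 255.255.255.0 eq 19814
access-list acl_inbound permit tcp 172.16.5.0 255.255.255.0 192.168.201.0 255.255.255.0 eq 19813
access-list acl_inbound permit tcp 172.16.5.0 255.255.255.0 192.168.201.0 255.255.255.0 eq 19814
! Assumed binding of the ACL to the outside interface (not shown in the post).
access-group acl_inbound in interface outside

! Check which mode is active before troubleshooting the ACL:
show sysopt
```

Under option B the existing "nonat" list is unchanged: it only decides what stays un-NATed into the tunnel, not what is permitted.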

4 Replies

Richard Burts
Hall of Fame

Anthony

Your nonat list looks fine to me and should include the addresses that you need already. I believe that you do need to add to the access list on the outside interface to permit those two TCP ports.

HTH

Rick

Rick, Thanks so much for posting!

Anyone else have any input?

jackko,

I added the "sysopt connection permit-ipsec" command and that fixed my issue. Just want to say thank you!

Tony