New Member

Allowing ports through a VPN tunnel question

I have a VPN tunnel set up and I can ping across it, but my application is failing and I believe it's because I am not allowing 2 ports (TCP ports 19813 and 19814) through. I'm unclear how I should go about allowing these ports through. Do I need to add a permit statement to my "nonat" access-list or do I need to add a permit statement to my "outside" interface access-list?

The remote users have an IP address of 172.16.5.x /24 and they are trying to connect to users on the 192.168.200.x /24 and 192.168.201.x /24. I am able to ping from the 192.168.200.x /24 to the 172.16.5.0 /24.

The below commands are what I currently have in my PIX.

My current nonat access-list:

access-list nonat permit ip 192.168.201.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 172.16.5.0 255.255.255.0

My current outside interface access-list:

access-list acl_inbound permit tcp any host xx.xx.xx.xx eq smtp
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq citrix-ica
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq 500
access-list acl_inbound permit esp any host xx.xx.xx.xx
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq www
access-list acl_inbound permit tcp any host xx.xx.xx.xx eq https

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Re: Allowing ports through a VPN tunnel question

Firstly, have you disabled the command "sysopt connection permit-ipsec" on the PIX? With this command enabled, which is on by default, the PIX will ignore any ACL for encrypted traffic. So if you haven't disabled this command, then the ACL you applied on the outside interface will not make any difference.

Nonetheless, if "sysopt connection permit-ipsec" is still enabled, then all protocols/ports should be allowed.

You mentioned you were able to ping from 192.168.200.0 to 172.16.5.0. How about from 172.16.5.0 to 192.168.200.0 and 192.168.201.0?

Also, I was just wondering whether the VPN is LAN-to-LAN or remote access VPN (i.e. using the Cisco VPN Client).
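
To make the distinction in jackko's answer concrete, here is an added Python model (not from the thread, and not Cisco's code) of how the PIX treats a decrypted VPN flow: the nonat list only selects which inside-to-remote traffic is exempted from NAT, while the outside ACL is consulted only when "sysopt connection permit-ipsec" is off. The address 203.0.113.10 stands in for the poster's xx.xx.xx.xx, and the ACL parser handles only the syntax that appears in the poster's lists.

```python
import ipaddress

# Port names used in the poster's ACL, as the PIX resolves them (citrix-ica is TCP 1494).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "citrix-ica": 1494}

def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at position i; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """Parse one 'access-list NAME permit PROTO SRC DST [eq PORT]' entry (a subset of PIX syntax)."""
    t = line.split()
    proto, i = t[3], 4
    src, i = _addr(t, i)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"proto": proto, "src": src, "dst": dst, "port": port}

def ace_matches(ace, proto, src, dst, dport):
    return (ace["proto"] in (proto, "ip")
            and ipaddress.ip_address(src) in ace["src"]
            and ipaddress.ip_address(dst) in ace["dst"]
            and (ace["port"] is None or ace["port"] == dport))

def vpn_flow_allowed(inbound_acl, sysopt_permit_ipsec, proto, src, dst, dport):
    """Decrypted IPsec traffic bypasses the outside ACL while 'sysopt connection
    permit-ipsec' is enabled; otherwise it needs an explicit permit (implicit deny)."""
    if sysopt_permit_ipsec:
        return True
    return any(ace_matches(a, proto, src, dst, dport) for a in inbound_acl)

def nat_exempt(nonat_acl, src, dst):
    """The nonat list only decides which inside->remote traffic skips NAT; it permits nothing."""
    return any(ace_matches(a, "ip", src, dst, None) for a in nonat_acl)

# Constructed sample: the poster's lists, with 203.0.113.10 standing in for xx.xx.xx.xx.
NONAT = [parse_ace(l) for l in [
    "access-list nonat permit ip 192.168.201.0 255.255.255.0 172.16.5.0 255.255.255.0",
    "access-list nonat permit ip 192.168.200.0 255.255.255.0 172.16.5.0 255.255.255.0"]]
INBOUND = [parse_ace(l) for l in [
    "access-list acl_inbound permit tcp any host 203.0.113.10 eq smtp",
    "access-list acl_inbound permit tcp any host 203.0.113.10 eq 500",
    "access-list acl_inbound permit esp any host 203.0.113.10",
    "access-list acl_inbound permit icmp any any echo-reply"]]
```

With the bypass on, TCP 19813 from 172.16.5.x to 192.168.200.x passes regardless of acl_inbound; with it off, the same flow is dropped until an explicit permit for that source, destination and port is added to the outside ACL.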

4 REPLIES
Hall of Fame Super Silver

Re: Allowing ports through a VPN tunnel question

Anthony

Your nonat list looks fine to me and should include the addresses that you need already. I believe that you do need to add to the access list on the outside interface to permit those two TCP ports.

HTH

Rick

New Member

Re: Allowing ports through a VPN tunnel question

Rick, thanks so much for posting!

Anyone else have any input?


New Member

Re: Allowing ports through a VPN tunnel question

jackko,

I added the "sysopt connection permit-ipsec" command and that fixed my issue. Just want to say thank you!

Tony
