Cannot port scan to devices at the other end of the VPN tunnel
I have set up a VPN tunnel between a 515E and an 857 router. The tunnel is established via the internet and hosts on both ends can ping each other. The 515E is the hub device. All sites connect to this firewall. The 857 router is placed at a remote site.
The problem I have is that although the tunnel is established, it seems that the connectivity is not as it should be. When I run a port scan from one of the servers at the central site to a device on the remote site, the scan results tell me that only port 80 is open. For example, I scanned the 857 router. Although it has Telnet and HTTP enabled, the scan result was that only HTTP is open. Because of this, I am unable to remotely administer WinXP desktops and network printers at the remote site. The PIX firewall has sysopt enabled. I have not enabled the firewall feature on the router, nor have I added any access lists. Can you think of any reason why this behaviour would occur?
Re: Cannot port scan to devices at the other end of the VPN tunn
My understanding is that access-list 101 forces all traffic destined for network 10.112.1.0 through the IPsec tunnel and the rest is allowed to go to the internet. The router is configured for split tunnel. Internet traffic is not routed through the head office. Please see example below.
route-map SDM_RMAP_1 permit 1
match ip address 101
Extended IP access list 101
10 deny ip 10.112.20.0 0.0.0.255 10.112.1.0 0.0.0.255
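The reply above hinges on how access-list 101, referenced by route-map SDM_RMAP_1, classifies traffic: with IOS wildcard masks, a 0 bit must match and a 1 bit is ignored, and when the route-map is used for NAT a permit match means the packet is translated while a deny match (or the implicit deny at the end) leaves it untranslated, so the LAN-to-LAN traffic stays on its real addresses for the IPsec crypto map. The following is an added example, not code from the thread or from Cisco: it parses extended ACL entries in the "show access-lists" format shown above and evaluates a source/destination pair against them. Only sequence 10 appears in the reply; the "20 permit ... any" entry in the sample is a hypothetical entry of the kind an SDM-generated NAT route-map ACL would normally carry, and is labelled as such.

```python
"""Evaluate IOS extended ACL entries (wildcard-mask semantics) against a
source/destination pair and map the result to NAT route-map behaviour.

Added example for the thread; not from the original post or from Cisco.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp", ...
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (address, wildcard, next index)."""
    t = tokens[i]
    if t == "any":
        return 0, 0xFFFFFFFF, i + 1          # all bits "don't care"
    if t == "host":
        return _to_int(tokens[i + 1]), 0, i + 2   # all bits must match
    return _to_int(t), _to_int(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one line of 'show access-lists' output, e.g.
    '10 deny ip 10.112.20.0 0.0.0.255 10.112.1.0 0.0.0.255'."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    src, src_wild, i = _parse_addr(tokens, 3)
    dst, dst_wild, _ = _parse_addr(tokens, i)
    return Ace(seq, action, proto, src, src_wild, dst, dst_wild)


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # IOS wildcard mask is the inverse of a netmask: 0 = must match, 1 = ignore.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def match_acl(acl: List[Ace], src: str, dst: str, proto: str = "ip") -> Optional[Ace]:
    """Return the first matching entry, or None for the implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if _wild_match(s, ace.src, ace.src_wild) and _wild_match(d, ace.dst, ace.dst_wild):
            return ace
    return None


def nat_decision(acl: List[Ace], src: str, dst: str) -> str:
    """For an ACL referenced by a NAT route-map: permit match -> translated;
    deny match or no match -> left untranslated (available to the crypto map)."""
    ace = match_acl(acl, src, dst)
    if ace is not None and ace.action == "permit":
        return "translated"
    return "not translated"


# Sequence 10 is the entry quoted in the reply; sequence 20 is a hypothetical
# catch-all permit assumed here for illustration (not shown on the page).
ACL_101 = [
    parse_ace("10 deny ip 10.112.20.0 0.0.0.255 10.112.1.0 0.0.0.255"),
    parse_ace("20 permit ip 10.112.20.0 0.0.0.255 any"),
]

if __name__ == "__main__":
    for dst in ("10.112.1.10", "8.8.8.8"):
        ace = match_acl(ACL_101, "10.112.20.5", dst)
        print(dst, "seq", ace.seq if ace else "implicit-deny", nat_decision(ACL_101, "10.112.20.5", dst))
```

Running it against the two destinations shows the split: remote-LAN traffic to 10.112.1.0/24 hits the deny at sequence 10 and is left untranslated for the tunnel, while traffic to an internet address falls through to the assumed permit and is NATed out the local WAN interface. Traffic whose source is outside 10.112.20.0/24 matches nothing and is also left untranslated.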