Cisco Support Community

New Member

Cannot port scan to devices at the other end of the VPN tunnel


I have set up a VPN tunnel between a 515E and an 857 router. The tunnel is established via the internet and hosts on both ends can ping each other. The 515E is the hub device. All sites connect to this firewall. The 857 router is placed at a remote site.

The problem I have is that although the tunnel is established, it seems that the connectivity is not as it should be. When I run a port scan from one of the servers at the central site to a device on the remote site, the scan results tell me that only port 80 is open. For example, I scanned the 857 router. Although it has telnet and http enabled, the scan result was that only http is open. Because of this, I am unable to remotely administer WinXP desktops and network printers at the remote site. The PIX firewall has sysopt enabled. I have not enabled the firewall feature on the router, nor have I added any access lists. Can you think of any reason why this behaviour would occur?


The 515E configuration related to the remote site is as follows.

access-list outside_cryptomap_40 extended permit ip
crypto ipsec transform-set esp-aes-256 esp-sha-hmac
crypto map outside_map 40 set transform-set
access-list inside_nat0_outbound extended permit ip
crypto map outside_map 40 set peer 124.254.x.x
crypto map outside_map 40 set transform-set 124.254.x.x
sysopt connection permit-ipsec


The VPN config on the 857 router is:

crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 218.185.xx.xx
crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 218.185.x.x
 set peer 218.185.x.x
 set transform-set ESP-3DES-SHA
 match address 100
access-list 100 remark IPSec Rule
access-list 100 permit ip
access-list 101 deny ip


New Member

Re: Cannot port scan to devices at the other end of the VPN tunn


I am trying to understand: in the 857 router, what is this access-list 101 for?


New Member

Re: Cannot port scan to devices at the other end of the VPN tunn

My understanding is that access-list 101 forces all traffic destined for network through the IPsec tunnel and the rest is allowed to go to the internet. The router is configured for split tunnel. Internet traffic is not routed through the head office. Please see example below.

route-map SDM_RMAP_1 permit 1
 match ip address 101

Extended IP access list 101
 10 deny ip
 30 permit ip any
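As an added illustration (not the poster's configuration) of how the crypto ACL, the NAT-exemption ACL and the route-map fit together on an IOS router in a split-tunnel design: the LAN 192.168.1.0/24, the hub LAN 10.0.0.0/24 and the Vlan1/Dialer0 interface names are constructed placeholders, not values from this thread.

```cisco
! Crypto ACL: defines the "interesting" traffic that must go through the tunnel.
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255

! NAT ACL: the deny line exempts tunnel traffic from translation so it still
! matches ACL 100 after NAT; everything else from the LAN is overloaded to
! the internet (split tunnel). NAT is evaluated before the crypto map on the
! inside-to-outside path, so without the deny line VPN-bound packets would be
! translated, miss the crypto ACL and never enter the tunnel.
access-list 101 remark NAT exemption for VPN traffic
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

route-map SDM_RMAP_1 permit 1
 match ip address 101

! The route-map is only effective once it is bound to a NAT statement.
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

interface Vlan1
 ip nat inside

interface Dialer0
 ip nat outside
 crypto map SDM_CMAP_1
```

To confirm that scanned ports are actually entering the tunnel rather than being translated, compare the encaps/decaps counters in `show crypto ipsec sa` while connecting to the closed port, and check `show ip nat translations` for entries with the hub LAN as destination (there should be none).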

New Member

Re: Cannot port scan to devices at the other end of the VPN tunn

Why are you using this command:

crypto map outside_map 40 set transform-set 124.254.x.x

Also, where is your route map applied for ACL 101?