Cannot port scan to devices at the other end of the VPN tunnel

Hi,

I have set up a VPN tunnel between a 515E & an 857 router. The tunnel is established via the internet and hosts on both ends can ping each other. The 515E is the hub device. All sites connect to this firewall. The 857 router is placed at a remote site.

The problem I have is that although the tunnel is established, it seems that the connectivity is not as it should be. When I run a port scan from one of the servers at the central site to a device on the remote site, the scan results tell me that only port 80 is open. For example, I scanned the 857 router. Although it has telnet and http enabled, the scan result was that only http is open. Because of this, I am unable to remotely administer WinXP desktops and network printers at the remote site. The PIX firewall has sysopt enabled. I have not enabled the firewall feature on the router, nor have I added any access lists. Can you think of any reason why this behaviour would occur?

--------------------------------------------------------

The 515E configuration related to the remote site is as follows.

access-list outside_cryptomap_40 extended permit ip 10.112.1.0 255.255.255.0 10.112.20.0 255.255.255.0
crypto ipsec transform-set 10.112.20.0 esp-aes-256 esp-sha-hmac
crypto map outside_map 40 set transform-set 10.112.20.0
access-list inside_nat0_outbound extended permit ip 10.112.1.0 255.255.255.0 10.112.20.0 255.255.255.0
crypto map outside_map 40 set peer 124.254.x.x
crypto map outside_map 40 set transform-set 124.254.x.x
sysopt connection permit-ipsec

-------------------------------------------------------

The VPN config on the 857 router is:

crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 218.185.xx.xx
crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to218.185.x.x
 set peer 218.185.x.x
 set transform-set ESP-3DES-SHA
 match address 100
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.112.20.0 0.0.0.255 10.112.1.0 0.0.0.255
access-list 101 deny ip 10.112.20.0 0.0.0.255 10.112.1.0 0.0.0.255

Thanks

3 REPLIES

Re: Cannot port scan to devices at the other end of the VPN tunn

Hi

I am trying to understand, in the 857 router, what this access-list 101 is for?

Reddy


Re: Cannot port scan to devices at the other end of the VPN tunn

My understanding is that access-list 101 forces all traffic destined for network 10.112.1.0 through the IPsec tunnel and the rest is allowed to go to the internet. The router is configured for split tunnel. Internet traffic is not routed through the head office. Please see example below.

route-map SDM_RMAP_1 permit 1
 match ip address 101

Extended IP access list 101
 10 deny ip 10.112.20.0 0.0.0.255 10.112.1.0 0.0.0.255
 30 permit ip 10.112.20.0 0.0.0.255 any


Re: Cannot port scan to devices at the other end of the VPN tunn

Why are you using this command:

crypto map outside_map 40 set transform-set 124.254.x.x

Also, where is your route map applied for ACL 101?
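The replies above keep coming back to the same two things: whether the PIX crypto ACL and the router's match-address ACL describe the same address pair in mirror image, and whether each side's NAT-exemption entry (nat0 permit on the PIX, route-map ACL deny on IOS) covers exactly that pair. The following is an added Python check written for this thread, not code from either poster; it parses the ACL lines quoted above (netmask form on the PIX, wildcard form on IOS) and reports whether they agree. It assumes contiguous wildcard masks and plain `ip` ACEs.

```python
import ipaddress

# The four ACL lines as quoted in the thread (constructed sample input).
PIX_CRYPTO = "access-list outside_cryptomap_40 extended permit ip 10.112.1.0 255.255.255.0 10.112.20.0 255.255.255.0"
PIX_NAT0 = "access-list inside_nat0_outbound extended permit ip 10.112.1.0 255.255.255.0 10.112.20.0 255.255.255.0"
IOS_CRYPTO = "access-list 100 permit ip 10.112.20.0 0.0.0.255 10.112.1.0 0.0.0.255"
IOS_NAT_RMAP = "access-list 101 deny ip 10.112.20.0 0.0.0.255 10.112.1.0 0.0.0.255"


def wildcard_to_prefixlen(wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24 (contiguous masks only)."""
    inverted = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"0.0.0.0/{inverted}").prefixlen


def parse_ace(line):
    """Return (action, src_net, dst_net) for a PIX 'extended' ACE or an IOS numbered ACE."""
    t = line.split()
    if t[2] == "extended":  # PIX/ASA syntax: address followed by netmask
        action, proto, src, smask, dst, dmask = t[3:9]
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
    else:  # IOS syntax: address followed by wildcard
        action, proto, src, swild, dst, dwild = t[2:8]
        src_net = ipaddress.ip_network(f"{src}/{wildcard_to_prefixlen(swild)}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{wildcard_to_prefixlen(dwild)}", strict=False)
    if proto != "ip":
        raise ValueError(f"only 'ip' ACEs are handled: {line}")
    return action, src_net, dst_net


def proxy_ids_mirrored(hub_ace, spoke_ace):
    """Hub src/dst must equal spoke dst/src or phase 2 will not agree on the SA."""
    _, hsrc, hdst = parse_ace(hub_ace)
    _, ssrc, sdst = parse_ace(spoke_ace)
    return hsrc == sdst and hdst == ssrc


def nat_exempt_matches(crypto_ace, nat_ace, exempt_action):
    """The pair the crypto ACL permits must be the pair the NAT-exemption entry names:
    PIX exempts with a nat0 'permit', IOS with a route-map ACL 'deny'."""
    ca, csrc, cdst = parse_ace(crypto_ace)
    na, nsrc, ndst = parse_ace(nat_ace)
    return ca == "permit" and na == exempt_action and (csrc, cdst) == (nsrc, ndst)


def audit_tunnel():
    return {
        "proxy_ids_mirrored": proxy_ids_mirrored(PIX_CRYPTO, IOS_CRYPTO),
        "pix_nat0_ok": nat_exempt_matches(PIX_CRYPTO, PIX_NAT0, "permit"),
        "ios_nat_rmap_ok": nat_exempt_matches(IOS_CRYPTO, IOS_NAT_RMAP, "deny"),
    }


if __name__ == "__main__":
    for check, ok in audit_tunnel().items():
        print(f"{check}: {'OK' if ok else 'MISMATCH'}")
```

For the lines quoted in this thread all three checks pass, which is consistent with ping working; a false result on a real config points at a proxy-identity or NAT-exemption mismatch before any per-port filtering is suspected.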
