Cisco Support Community
New Member

Cisco ASA issue

Hello all,

I have a Cisco ASA with a configured VPN (IP site to site) connected to the corporate network.
Everything works fine, inside hosts are able to browse intranet pages, use some applications on the intranet, etc.

We are now implementing SAP, so I need to configure my Cisco ASA to permit connections from an inside host to a server (located on the intranet) over ports 6000 - 6001 and back.
I'm able to ping the server address but not connect over the mentioned ports.

Please help me on how to resolve this issue.

Thanks in advance

7 REPLIES

Re: CISCO ASA 5510 configure inbound with the ports 6000 - 6001

Hi,

To allow certain ports from one interface to another you need to check that those ports are allowed on the ACL applied on the ASA.

If you're able to PING there's connectivity.. just check the ACL.

Also, if the traffic is through the VPN, normally all IP traffic is permitted (no ports filtered).

If you want to run a test you can use Packet-Tracer to simulate the connection on those ports and have the ASA respond if the connection should be allowed or denied by any reason.

Federico.

New Member

Re: CISCO ASA 5510 configure inbound with the ports 6000 - 6001

Hi thank you for the answer,

There is no ACL which may block this; also, packet tracer shows that everything is OK.

Traffic is through the VPN and yes all IP traffic is permitted.

I just know what is blocking this.

Here is my config...

Re: CISCO ASA 5510 configure inbound with the ports 6000 - 6001

Ok, the communication is from an IP in the inside of this ASA through the tunnel to reach an inside device on the other end?

What are the src/dst IPs?

Federico.

New Member

Re: CISCO ASA 5510 configure inbound with the ports 6000 - 6001

inside source 10.207.42.13

dest 10.224.68.10

Re: CISCO ASA 5510 configure inbound with the ports 6000 - 6001

Ok, the configuration seems fine and should allow communication over those ports to the remote server.

As packet-tracer indicates the packets should be allowed.

Question...

Can you check that the connections on those ports are reaching the server itself?

Check on the server if it's receiving packets on those ports; perhaps it's just the application not working properly...

Federico.

New Member

Re: CISCO ASA 5510 configure inbound with the ports 6000 - 6001

Hi,

Many thanks for helping me...

I don't have a way to check the server on the other end, and colleagues on the other side are telling me that the error is from my side.

So I used Nmap to scan the mentioned server and it seems that ports 6000/6001 are closed from the other side.

I tried telnet over port 1720 (seems to be open) and there was some traffic from both sides.

PORT     STATE  SERVICE      VERSION

443/tcp  closed https
1720/tcp open   H.323/Q.931?
1863/tcp open   msnp?
2010/tcp closed search
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6009/tcp closed X11:9
6025/tcp closed unknown
6059/tcp closed X11:59

I just want to be sure that everything is OK from my side configuration.

New Member

Re: CISCO ASA 5510 configure inbound with the ports 6000 - 6001

Built outbound TCP connection 1469567 for outside:10.224.68.10/6001 (10.224.68.10/6001) to inside:10.207.42.13/38177 (10.207.42.13/38177)
Teardown TCP connection 1469567 for outside:10.224.68.10/6001 to inside:10.207.42.13/38177 duration 0:00:00 bytes 0 TCP Reset-O
Built outbound TCP connection 1469569 for outside:10.224.68.10/6000 (10.224.68.10/6000) to inside:10.207.42.13/45924 (10.207.42.13/45924)
Teardown TCP connection 1469569 for outside:10.224.68.10/6000 to inside:10.207.42.13/45924 duration 0:00:00 bytes 0 TCP Reset-O

I found this in my logs?
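
An added example, not part of any post in this thread: a small Python parser that pairs the ASA Built/Teardown lines quoted in the last post and reports how each connection ended. The function name, field names and reason table are this example's own; the reason meanings follow Cisco's ASA syslog documentation.

```python
import re

# Constructed sample: the four syslog lines quoted in the post above,
# with the pasted runs of spaces left in to exercise normalisation.
SAMPLE_LOG = """\
Built outbound TCP connection 1469567 for outside:10.224.68.10/6001   (10.224.68.10/6001) to inside:10.207.42.13/38177 (10.207.42.13/38177)
Teardown TCP   connection 1469567 for outside:10.224.68.10/6001 to inside:10.207.42.13/38177   duration 0:00:00 bytes 0 TCP Reset-O
Built outbound   TCP connection 1469569 for outside:10.224.68.10/6000 (10.224.68.10/6000) to   inside:10.207.42.13/45924 (10.207.42.13/45924)
Teardown TCP   connection 1469569 for outside:10.224.68.10/6000 to inside:10.207.42.13/45924   duration 0:00:00 bytes 0 TCP Reset-O
"""

BUILT = re.compile(r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
                   r"for (?P<first>\S+) \(\S+\) to (?P<second>\S+)")
TEARDOWN = re.compile(r"Teardown TCP connection (?P<id>\d+) for .*? duration "
                      r"(?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$")

# Teardown reasons as defined in Cisco's ASA syslog documentation.
REASONS = {
    "TCP Reset-O": "reset was from the outside",
    "TCP Reset-I": "reset was from the inside",
    "SYN Timeout": "three-way handshake did not complete",
    "TCP FINs": "normal close",
}

def summarize(log_text):
    """Pair each Built line with its Teardown and explain how the flow ended."""
    built, flows = {}, []
    for raw in log_text.splitlines():
        line = " ".join(raw.split())          # collapse pasted whitespace
        m = BUILT.search(line)
        if m:
            built[m["id"]] = m                # ASA permitted and created the flow
            continue
        m = TEARDOWN.search(line)
        if m and m["id"] in built:
            b = built.pop(m["id"])
            reason = m["reason"].strip()
            flows.append({
                "id": m["id"],
                "direction": b["dir"],
                "endpoints": (b["first"], b["second"]),
                "bytes": int(m["bytes"]),
                "reason": reason,
                "meaning": REASONS.get(reason, "not in this example's table"),
                # Built, then Reset-O with zero bytes: reset from outside, no data.
                "reset_from_outside_no_data": reason == "TCP Reset-O" and m["bytes"] == "0",
            })
    return flows
```

For the lines in the post, both flows come back with `reset_from_outside_no_data` set: the ASA built each connection and it was then reset from the outside with zero bytes exchanged, which matches the `closed` state Nmap reported for ports 6000 and 6001.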
