2020 Views, 0 Helpful, 31 Replies

L2L VPN

welaish77 (Level 1)

I want to configure the ASA IOS Version 8.0 to connect to a Juniper Netscreen with the configuration below using an L2L VPN.

Peer IP address 78.93.0.7

Host IP address 213.184.187.200

Pre-shared key: ciscoVPN

Phase 1: preg2-3des-md5

phase 2: nopfs-esp-3des-md5

Thanks in advance.
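For reference, this is an ASA 8.0 site-to-site configuration that expresses the parameters listed in the question (peer 78.93.0.7, pre-shared key ciscoVPN, phase 1 pre-shared/3DES/MD5/DH group 2, phase 2 ESP-3DES-MD5 without PFS). It is an added example, not taken from the thread or from Cisco documentation; the interface names inside/outside, the object names VPN-TO-NETSCREEN, NO-NAT and OUTSIDE-MAP, the local server 192.168.124.9 and the lifetimes are assumptions, and 213.184.187.200 is the remote host named in the question.

```cisco
! ISAKMP (phase 1): pre-shared key, 3DES, MD5, DH group 2  (preg2-3des-md5)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
!
! Peer and pre-shared key from the question
tunnel-group 78.93.0.7 type ipsec-l2l
tunnel-group 78.93.0.7 ipsec-attributes
 pre-shared-key ciscoVPN
!
! Interesting traffic (assumed: the local server 192.168.124.9 to the remote host);
! the Netscreen side must mirror this proxy-ID exactly or phase 2 will not negotiate
access-list VPN-TO-NETSCREEN extended permit ip host 192.168.124.9 host 213.184.187.200
!
! Exempt the tunnelled traffic from NAT (8.0 nat-exemption syntax, assumed NAT is in use)
access-list NO-NAT extended permit ip host 192.168.124.9 host 213.184.187.200
nat (inside) 0 access-list NO-NAT
!
! Phase 2: ESP 3DES/MD5, no "set pfs" line so PFS stays off  (nopfs-esp-3des-md5)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-NETSCREEN
crypto map OUTSIDE-MAP 10 set peer 78.93.0.7
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-MD5
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside
```

The 3DES/MD5/group 2 parameters reproduce what the question asks for because both peers must agree on them; they are weak by current standards, so where the Netscreen side allows it, AES with SHA and a larger DH group should be negotiated instead, and the pre-shared key should be something considerably stronger than a dictionary word.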

31 Replies

:) Yes, I told them to ping but got no reply.

Also, can you give me an example of the access-list and how to apply it on the inside interface on the "outbound" flow?

Many thanks.

When they ping, does the VPN tunnel come up? If the tunnel is already up, can you see packets being decrypted on the IPsec SA?

If I wanted to allow, say, telnet and SMTP to two separate servers from a remote IP subnet of 172.16.1.0/24 to my internal IP subnet of 192.168.254.0/24, I would write:

access-list filter-out-to-the-LAN extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.254.1 eq 25

access-list filter-out-to-the-LAN extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.254.2 eq 23

access-list filter-out-to-the-LAN extended deny ip 172.16.1.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list filter-out-to-the-LAN extended permit ip any any

access-group filter-out-to-the-LAN out interface inside

HTH

When I add this configuration, all the clients cannot access the web server and the mail server stops receiving mail.

I will attach the configuration so you can tell me what is missing to allow the other VPN side to ping and access my server on port 9816.

Thanks.

Firstly, you have not answered the original question: "When they ping, does the VPN tunnel come up? If the tunnel is already up, can you see packets being decrypted on the IPsec SA?"

And what access do you want to allow to the server 192.168.124.9 from 213.184.187.178?

Yes, the tunnel is up, and I can see packet decryption:

#pkts encaps: 1123, #pkts encrypt: 1123, #pkts digest: 1123

#pkts decaps: 1268, #pkts decrypt: 1268, #pkts verify: 1268

Yes, allow access to the server 192.168.124.9 from 213.184.187.178.

Did you initiate the VPN or did the remote end initiate it?

Again, you did not answer the question "And what access do you want to allow to the server 192.168.124.9 from 213.184.187.178?"

What type of access? ICMP or IP or specific TCP/UDP ports?

I initiate the VPN.

ICMP and TCP port 9816.

You need to clear down the tunnel and get them to try and initiate from their side.

Try the below:

access-list filter-out-to-the-LAN extended permit tcp host 213.184.187.178 host 192.168.124.9 eq 9816

access-list filter-out-to-the-LAN extended permit icmp host 213.184.187.178 host 192.168.124.9 echo

access-list filter-out-to-the-LAN extended deny ip host 213.184.187.178 host 192.168.124.9

access-list filter-out-to-the-LAN extended permit tcp any any

access-list filter-out-to-the-LAN extended permit udp any any

access-list filter-out-to-the-LAN extended permit icmp any any

access-group filter-out-to-the-LAN out interface inside

HTH

Sorry, they left the office; I will have to wait till tomorrow to test. Anyway, I would like to offer you a job in Dubai. Are you interested?

OK, let me know how the testing goes. That is interesting, but not for the forums though; it's against the rules!!

It did not work; they are not able to ping or telnet to the host using port 9816. They also cannot bring the connection up.

Have you debugged the ipsec session when they are trying to connect?

Does the access-list applied to the inside interface have any hits?

What debugs are available from the remote end?

What errors are the remote end seeing?

They need to confirm that the source and destination IP addresses & ICMP/TCP ports are configured correctly in the bidirectional VPN policy.

The fact you can initiate to them, but they cannot initiate to you, indicates an issue at their end.

HTH
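The checks suggested in the reply above, written out as an ASA command sequence. This is an added example, not a poster's own commands: it assumes the peer 78.93.0.7, the filter ACL name filter-out-to-the-LAN and the hosts 213.184.187.178 and 192.168.124.9 from this thread, and the source port 40000 in the packet-tracer line is an arbitrary value.

```cisco
! Phase 1: an MM_ACTIVE (or QM_IDLE) state for 78.93.0.7 means ISAKMP completed
show crypto isakmp sa
!
! Phase 2: note the encaps/decaps counters for this peer, have the remote side test,
! then run it again; decaps that do not move mean nothing from them is being decrypted
show crypto ipsec sa peer 78.93.0.7
!
! Hit counts on the inside-outbound filter; hitcnt=0 on the tcp/9816 and icmp lines
! means their traffic never reached this ACL (dropped earlier, or never decrypted)
show access-list filter-out-to-the-LAN
!
! Walk a simulated TCP/9816 packet from the remote host through NAT and the
! interface ACLs; the first phase with Result: DROP is where it dies
packet-tracer input outside tcp 213.184.187.178 40000 192.168.124.9 9816 detailed
!
! Tear the tunnel down so the remote end has to initiate, then watch the negotiation
clear crypto ipsec sa peer 78.93.0.7
clear crypto isakmp sa
debug crypto isakmp 7
debug crypto ipsec 7
! ... have the remote side connect now, then stop the debugs
undebug all
```

While the debugs run, a phase 1 failure shows up as a proposal or pre-shared-key mismatch for 78.93.0.7, and a phase 2 failure typically reports that no matching crypto map entry or proxy-ID was found, which is the point to compare against the remote side's bidirectional policy.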

Thanks Andrew, I just want to make sure that they have a problem on their side.

NP, glad to help.
