We have Cisco ASA 5520 ver 9.1 and we created a L2L VPN tunnel with another company. We ran into a problem while printing via AS400 and we knew it was a port that was being blocked. The reason we knew it was a port is that when we allowed everything through the tunnel it would print. When we used the vpn filter option to block ports, the AS400 could not print anymore. I tried captures and that did not work. Tried Wireshark and it did not work. We finally talked with an AS400 person who said to try port 9100, which worked. We are using the vpn filter option on the tunnel to block the ports. How can we check ports that are being blocked going through the tunnel?
VPN filter is an optional way of restricting traffic across a VPN tunnel, although this is not a mandate for negotiating a tunnel. If you wish to see the ports being blocked and permitted, you can check the access-list being applied as the VPN filter parameter.
On ASA: group-policy filter attributes / vpn-filter value <access-list number>
On Router: crypto map cryptomap 1 ipsec-isakmp / set ip access-group VPNFILTER in
The contents of the access-list would show you what ports are allowed and restricted across a VPN tunnel.
We did do the vpn-filter value; that is what we have on the ASA. But my question is, when we were allowing everything in, we could have seen 9100 being hit (although we did not know it at the time of troubleshooting). What command would have shown this port? show access-list ACCESSLISTNAME log? The capture capin inside and outside and Wireshark were not catching this port 9100, because I am assuming that it was encrypted maybe? Just wondering what commands would have helped us for future reference. Thanks.
If you are taking captures on the outside interface, then yes, the packets would be encrypted and you won't be able to grab the captures. Captures on the inside interface should show you the IPs and ports that are seen coming into the ASA. Consider you have a VPN filter applied as this access-list: access-list test extended deny udp host 184.108.40.206 host 192.168.22.22 eq www. Then you will be able to see that the http request is blocked but other ports are open.
In essence, unless you manually deny any specific port, all the ports would be allowed. HTH.
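As an added example (not from this thread), an ASA configuration that puts the two pieces of advice together: a vpn-filter ACL that only permits the known ports and logs everything else, plus an inside-interface capture that matches both directions. It assumes 172.16.13.45 is the remote AS400 (from the original poster's capture), 192.168.0.89 the local telnet client, and a constructed 192.168.0.50 as the local printer; the group-policy name L2L_GP is also assumed.

```cisco
! vpn-filter ACEs are written from the REMOTE peer's perspective:
! source = remote network, destination = local network. The ASA
! applies them to both directions of the tunnel.
!
! AS400 (remote) opening raw-print sessions to the local printer on 9100
access-list L2L_FILTER extended permit tcp host 172.16.13.45 host 192.168.0.50 eq 9100
! local client telnetting to the AS400: remote source port 23 -> local host
access-list L2L_FILTER extended permit tcp host 172.16.13.45 eq 23 host 192.168.0.89
! explicit deny with logging, so blocked ports show up instead of silently dropping
access-list L2L_FILTER extended deny ip any any log
!
group-policy L2L_GP attributes
 vpn-filter value L2L_FILTER
!
! capture on the INSIDE interface (cleartext). Match both directions so a
! session the remote side initiates (the print job) is not missed.
access-list CAP_AS400 extended permit ip host 172.16.13.45 192.168.0.0 255.255.255.0
access-list CAP_AS400 extended permit ip 192.168.0.0 255.255.255.0 host 172.16.13.45
capture capin interface inside access-list CAP_AS400
!
! what to look at afterwards
show capture capin
show access-list L2L_FILTER
show logging | include L2L_FILTER
```

The hitcnt on the deny line of `show access-list L2L_FILTER` and the logged deny messages name the port being blocked; `show capture capin` shows the same session in cleartext on the inside interface.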
When I was doing my capture capin inside host 192.168.0.89 host 172.16.13.45, I probably should have reversed them to capture the port 9100. Basically we were just capturing the port 23 telnet to the AS400.