Cisco Support Community
Community Member

VPN Tunnel L2L Port question

We have a Cisco ASA 5520 ver 9.1 and we created a L2L VPN tunnel with another company.  We ran into a problem while printing via AS400 and we knew it was a port that was being blocked.  The reason we knew it was a port is that when we allowed everything through the tunnel it would print.  When we used the vpn filter option to block ports, the AS400 could not print anymore. I tried captures and that did not work.  Tried Wireshark and it did not work.  We finally talked with an AS400 person who said to try port 9100, which worked.  We are using the vpn filter option on the tunnel to block the ports.  How can we check ports that are being blocked going through the tunnel?

Cisco Employee

Hi Wilson,

VPN filter is an optional way of restricting traffic across a VPN tunnel, although it is not mandatory for negotiating a tunnel.
If you wish to see the ports being blocked and permitted, you can check the access-list being applied as the VPN filter parameter.

On ASA:
group-policy filter attributes
vpn-filter value <access-list number>

On Router:
crypto map cryptomap 1 ipsec-isakmp
set ip access-group VPNFILTER in

The contents of access-list would show you what ports are allowed and restricted across a VPN tunnel.

Dinesh Moudgil

P.S. Please rate helpful posts.

Community Member

We did do the vpn-filter value; that is what we have on the ASA.  But my question is: when we were allowing everything in, we could have seen 9100 being hit (although we did not know it at the time of troubleshooting).  What command would have shown this port?  show access-list ACCESSLISTNAME log?  The capture capin inside and outside and Wireshark were not catching this port 9100, because I am assuming that it was encrypted maybe?  Just wondering what commands would have helped us for future reference.  Thanks.

Cisco Employee

If you are taking captures on the outside interface, then yes, the packets would be encrypted and you won't be able to grab the captures. Captures on the inside interface should show you the IPs and ports that are seen coming into the ASA.
Consider you have a VPN filter applied as this access-list:
access-list test extended deny udp host host eq www
Then you will be able to see that the http request is blocked but other ports are open.

In essence, unless you manually deny any specific port, all the ports would be allowed.

Dinesh Moudgil

P.S. Please rate helpful posts.
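To check offline which ports a vpn-filter ACL would permit for a given flow, here is an added Python example (not from this thread or from Cisco). It parses a small constructed ACL in the access-list form shown above and evaluates flows with the ASA's first-match, implicit-deny semantics; the ACL name, addresses and ports are constructed assumptions.

```python
"""Offline evaluator for a Cisco ASA vpn-filter style access-list.

Added example, not code from the thread. Supports lines of the form
'access-list NAME extended permit|deny PROTO host A host B [eq PORT]'.
ASA ACL semantics modelled: first match wins, implicit deny at the end.
"""
import re

ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?$"
)
PORT_NAMES = {"www": 80, "telnet": 23}  # ASA port keywords used here

def parse_acl(text):
    """Turn ACL text into a list of rule dicts; reject unsupported lines."""
    rules = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported line: " + line)
        d = m.groupdict()
        port = d["port"]
        d["port"] = None if port is None else int(PORT_NAMES.get(port, port))
        rules.append(d)
    return rules

def evaluate(rules, proto, src, dst, dport):
    """Return (action, index of matching rule or None for the implicit deny)."""
    for i, r in enumerate(rules):
        if r["proto"] not in ("ip", proto):
            continue
        if r["src"] != src or r["dst"] != dst:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return r["action"], i
    return "deny", None  # nothing matched: ASA implicit deny

def blocked_ports(rules, proto, src, dst, ports):
    """Ports from 'ports' that the ACL would deny for this src/dst pair."""
    return [p for p in ports if evaluate(rules, proto, src, dst, p)[0] == "deny"]

# Constructed sample resembling the thread: telnet to the AS400 is permitted,
# but no line covers the printer port 9100 (192.0.2.10 = remote host,
# 10.0.0.20 = local AS400; both are made-up addresses).
SAMPLE_ACL = """
access-list VPNFILTER extended permit tcp host 192.0.2.10 host 10.0.0.20 eq telnet
access-list VPNFILTER extended deny tcp host 192.0.2.10 host 10.0.0.20 eq www
"""

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for port in (23, 80, 9100):
        print(port, evaluate(rules, "tcp", "192.0.2.10", "10.0.0.20", port))
```

Run against your real vpn-filter ACL text, this shows at a glance that a port such as 9100 falls through to the implicit deny when no permit line covers it.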

Community Member

When I was doing my capture capin inside host host, I probably should have reversed them to capture the port 9100.  Basically we were just capturing the port 23 telnet to the AS400.

Cisco Employee

FYI ASA captures are bidirectional so you should get all the information from a single capture as well.

Dinesh Moudgil
