Port filtering over site to site VPN

Afternoon Ladies/Gents,

I have a Cisco 1900 (running IOS v15) at my head office and an ASA 5505 (ASA 825) at the branch office, connected by a site-to-site VPN tunnel.

Now, at the head office I've forwarded ports 25, 1723 and such for the server, which sits at 192.168.100.2, to the public IP address. Strangely, the forwarded ports are being filtered at the remote peer end of the VPN tunnel at my branch office.

Please find my configuration enclosed. I'd be highly obliged if you could suggest a solution in order to unfilter these ports at the remote VPN end.

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
enable secret 4 0ovK7G1UmRlEKvWNHFLH1c
!
aaa new-model
!
aaa authentication login UDb local
!
aaa session-id common
!
clock timezone gmt 0 0
!
no ipv6 cef
ip source-route
ip cef
!
ip name-server 4.2.2.2
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-261xxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-261xxxxx
 revocation-check none
 rsakeypair TP-self-signed-261xxxxxx
!
crypto pki certificate chain TP-self-signed-261xxxxxxx
 certificate self-signed 01
  771AFB0E 543B164D 4B184919 A366E962 C4E96CBB 6545A51E 479F79CE 12BFDAB6
  81A29643 F13927FC B7CE864C 1652C387 10254957 899DC6B1 E76A5890 14DB6A70
  ABFA8433 2FA1CE44 A2C7B294 128F1D88 5AB00567 F5A127D0 BEFCAFF1 22A4337D
  32090203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14CC1963 653AFD1F D5E08BFE 4FE11C14 2288BA43 2D301D06
  03551D0E 04160414 CC196365 3AFD1FD
  quit
!
username root privilege 15 secret 4 0xxxx
redundancy
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 11.22.33.44
crypto isakmp key xxxxxx address 55.66.77.88
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 11.22.33.44
 set peer 11.22.33.44
 set transform-set ESP-3DES-SHA
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 55.66.77.88
 set peer 55.66.77.88
 set transform-set ESP-3DES-SHA1
 match address 102
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 77.77.77.77 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 switchport access vlan 10
 no ip address
!
interface FastEthernet0/0/1
 no ip address
!
interface FastEthernet0/0/2
 no ip address
!
interface FastEthernet0/0/3
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 77.77.77.87 255.255.255.248
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
ip nat inside source static tcp 192.168.100.2 1723 interface GigabitEthernet0/0 1723
ip nat inside source static tcp 192.168.100.2 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.100.2 995 interface GigabitEthernet0/0 995
ip nat inside source static tcp 192.168.100.2 389 interface GigabitEthernet0/0 389
ip nat inside source static tcp 192.168.100.2 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 192.168.100.2 143 interface GigabitEthernet0/0 143
ip nat inside source static tcp 192.168.100.2 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 192.168.100.2 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.100.137 3389 interface GigabitEthernet0/0 3390
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 77.77.77.76
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.100.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.100.0 0.0.0.255 192.168.220.0 0.0.0.255
!
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
control-plane
!
line con 0
 login authentication UDb
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login authentication UDb
 transport input ssh
line vty 5 15
 login authentication UDb
 transport input ssh
!
scheduler allocate 20000 1000
end

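Added example, not part of the thread or the poster's own config. On IOS, packets going inside-to-outside are NAT-translated before the crypto map's match ACL is evaluated, so a static port translation with no route-map attached also rewrites the source of packets that are headed for the site-to-site peer; those packets then no longer match the crypto ACL and leave the router in clear text. The posted config exempts VPN traffic only for the overload entry (route-map SDM_RMAP_1 / ACL 101), not for the static entries. The script below parses a constructed excerpt shaped like the posted config (all addresses hypothetical), reports static entries whose inside host lies inside a crypto ACL source network and that carry no route-map, and generates the exemption ACL that such a route-map would match. The `route-map` keyword on a static tcp entry, and the diagnosis itself, are this example's assumptions to verify on your IOS release, not statements from the post.

```python
"""Check an IOS running-config for static NAT entries that also rewrite VPN-bound traffic.

Added example, not taken from the thread. Assumption: NAT runs before the crypto
map check for inside-to-outside traffic, so a static entry without a route-map
also translates packets that a crypto ACL wants encrypted.
"""
import ipaddress
from dataclasses import dataclass

# Constructed excerpt with the same shape as the posted config (hypothetical values;
# sub-mode lines indented by one space, as 'show running-config' prints them).
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 11.22.33.44
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 55.66.77.88
 match address 102
ip nat inside source static tcp 192.168.100.2 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 192.168.100.2 1723 interface GigabitEthernet0/0 1723
ip nat inside source static tcp 192.168.100.137 3389 77.77.77.77 3390 route-map NONAT
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 permit ip 192.168.100.0 0.0.0.255 192.168.220.0 0.0.0.255
"""


@dataclass
class CryptoRule:
    acl: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class StaticNat:
    proto: str
    inside_ip: ipaddress.IPv4Address
    inside_port: int
    has_route_map: bool  # a route-map restricts which packets the entry translates


def _acl_net(tokens, i):
    """Parse one ACL address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    if wildcard == "0.0.0.0":  # a zero wildcard is a single host, not a /0
        return ipaddress.ip_network(addr + "/32"), i + 2
    # ipaddress accepts IOS wildcard masks as host masks
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2


def parse_config(text):
    """Return (crypto ACL permit rules, static NAT entries) found in the config text."""
    crypto_acls, rules, nats = set(), [], []
    in_crypto_map = False
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        tokens = line.split()
        if line.startswith("crypto map ") and tokens[-1] == "ipsec-isakmp":
            in_crypto_map = True
            continue
        if in_crypto_map and line.startswith(" "):
            if tokens[:2] == ["match", "address"]:
                crypto_acls.add(tokens[2])
            continue
        in_crypto_map = False
        if tokens[:1] == ["access-list"] and tokens[2:4] == ["permit", "ip"]:
            src, j = _acl_net(tokens, 4)
            dst, _ = _acl_net(tokens, j)
            rules.append(CryptoRule(tokens[1], src, dst))
        elif tokens[:5] == ["ip", "nat", "inside", "source", "static"] and tokens[5] in ("tcp", "udp"):
            nats.append(StaticNat(tokens[5], ipaddress.ip_address(tokens[6]),
                                  int(tokens[7]), "route-map" in tokens))
    # only ACLs referenced by a crypto map define VPN-interesting traffic
    return [r for r in rules if r.acl in crypto_acls], nats


def find_nat_vpn_conflicts(text):
    """List (inside_ip, inside_port, [remote networks]) for static entries that
    would translate traffic a crypto ACL wants encrypted."""
    rules, nats = parse_config(text)
    findings = []
    for nat in nats:
        if nat.has_route_map:
            continue
        hits = sorted({str(r.dst) for r in rules if nat.inside_ip in r.src})
        if hits:
            findings.append((str(nat.inside_ip), nat.inside_port, hits))
    return findings


def exemption_acl(rules, acl_num=110):
    """Constructed remedy (an assumption, not from the post): an ACL that denies the
    VPN-interesting traffic and permits the rest, for a route-map's 'match ip address'
    attached to the static entries, mirroring the SDM_RMAP_1 / ACL 101 pattern."""
    lines = [f"access-list {acl_num} deny ip {r.src.network_address} {r.src.hostmask} "
             f"{r.dst.network_address} {r.dst.hostmask}" for r in rules]
    lines.append(f"access-list {acl_num} permit ip any any")
    return lines


if __name__ == "__main__":
    for ip, port, remotes in find_nat_vpn_conflicts(SAMPLE_CONFIG):
        print(f"static NAT {ip}:{port} has no route-map; it also rewrites traffic to {', '.join(remotes)}")
    print("\n".join(exemption_acl(parse_config(SAMPLE_CONFIG)[0])))
```

The parser relies on the one-space indentation that `show running-config` gives sub-mode lines to tell a crypto map's `match address` apart from top-level commands, so feed it the config as the router prints it. A quick confirmation on the router itself is `show crypto ipsec sa` while the branch connects to a forwarded port: if the encaps counters for the 192.168.100.0/24 to 192.168.200.0/24 SA do not increase, the packets are being NAT-translated rather than encrypted.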
1 REPLY

Port filtering over site to site VPN

Any replies will be much appreciated.