04-30-2010 08:59 PM
I want to allow the following ports from this server 72.30.210.5 to this server 192.168.100.10. I want to be able to run replication from server 72.30.210.5 to server 192.168.100.10 when I login to VPN client. My group is tech support. Is this how you would add the following statements? Attached is the config file for your information. Please let me know if you need additional information.
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 192.168.100.10 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 192.168.100.10 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 192.168.100.10 range 1024 65535
Thanks.
Laura
04-30-2010 09:52 PM
You can perform the replication from 72.30.210.5 towards the public IP address of 192.168.100.10, which is 66.102.7.89.
And on the access-list, you would need to permit the traffic towards the public IP address (66.102.7.89) instead of the private IP, as the private IP is not accessible from the internet, as follows:
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535
Are you sure that you need to open all TCP ports from the outside (on the last line of your ACL)?
I am not too sure what you mean by performing replication when you VPN in, because your VPN client will be assigned a 192.168.101.x IP address, and I assume that 72.30.210.5 is a server on the internet?
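The question about the last ACL line is the kind of check that is easy to automate before pushing a change. The following is an added example, not from this thread or from Cisco: a small Python audit that parses the host-to-host subset of ASA extended ACL syntax used above and flags any permit that admits more destination ports than a chosen threshold (the sample rules are the ones posted in the thread).

```python
import re
from dataclasses import dataclass

# Matches only the ASA syntax used in this thread:
# access-list NAME extended permit|deny PROTO host A host B [eq PORT | range LO HI]
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip|icmp)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<eq>\S+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)

MAX_PORTS = 16  # assumed threshold: flag a permit that opens more ports than this


@dataclass
class Finding:
    line: str
    port_count: int
    reason: str


def port_span(m):
    """Number of destination ports a parsed rule admits."""
    if m["eq"]:
        return 1
    if m["lo"]:
        return int(m["hi"]) - int(m["lo"]) + 1
    return 65536  # no port qualifier: every port on that protocol


def audit_acl(lines):
    """Return a Finding for each permit that is too broad, or for unparseable lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m:
            findings.append(Finding(line, 0, "unrecognised syntax"))
        elif m["action"] == "permit" and port_span(m) > MAX_PORTS:
            n = port_span(m)
            findings.append(Finding(line, n, f"permits {n} ports; narrow to the service ports actually needed"))
    return findings


# Constructed sample input: the five rules posted in the thread.
SAMPLE_ACL = [
    "access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq domain",
    "access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq domain",
    "access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq ldap",
    "access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq 389",
    "access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535",
]

if __name__ == "__main__":
    for f in audit_acl(SAMPLE_ACL):
        print(f"{f.reason}: {f.line}")
```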
05-02-2010 05:54 PM
Halijenn,
Thanks for your prompt response and information. I will make a change on the ACL.
On my last ACL line "access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535", I am not sure which ports to open. So I opened all ports for now.
The server 72.30.210.5 is at the corporate office. This server is a Domain Controller. We want to be able to replicate Active Directory from the server 72.30.210.5 (main office) to the remote Domain Controller (66.102.7.89) at the remote office.
Please let me know if I still have not answered your questions or have any other questions. Would you change the ACLs?
Thanks very much.
Laura
05-02-2010 06:12 PM
If you are running Domain Controller replication, the best option would be to create a site-to-site VPN tunnel between your remote site and the corporate office. You do not want to run clear text DC replication through the internet, as it could be intercepted by a hacker.
Here is a sample configuration of a site-to-site VPN tunnel for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
If you decide to configure a site-to-site VPN tunnel, you would also need to configure the corresponding device at the corporate office to terminate the VPN tunnel. Are you also running an ASA firewall at your corporate office?
05-02-2010 07:47 PM
Halijenn,
Thanks for your prompt response and information. We have a VPN 3000 Concentrator at the Corporate Office and an ASA 5510 at the Remote Office. Would it still be possible to set up a site-to-site VPN given the different types of appliances? If not, would I still be able to run the replication using the VPN client to the ASA 5510 with the above ACLs?
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq domain
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 eq ldap
access-list acl_in extended permit udp host 72.30.210.5 host 66.102.7.89 eq 389
access-list acl_in extended permit tcp host 72.30.210.5 host 66.102.7.89 range 1024 65535
Thank you very much.
Laura
05-02-2010 07:57 PM
Laura,
You can definitely establish the L2L tunnel between an ASA and a Concentrator.
It does not really matter that they are different appliances, because they both understand IPsec (which is a standard), so there are no problems in doing any combination of Cisco devices like IOS routers, firewalls, Concentrators, or other vendors' equipment.
As well, you can use the Cisco VPN client to connect to any of the Cisco VPN endpoints.
Hope it helps.
Federico.
05-03-2010 01:27 PM
Thanks for your prompt response and information. I have another question. I am unable to ping the outside server IP address 72.30.210.5 from the internal server 66.102.7.89. I get the error message "Request timed out" when I ping 72.30.210.5. However, I am able to ping www.google.com and www.yahoo.com. Could it be that ping is turned off at the firewall where server 72.30.210.5 is located? Is there a way to troubleshoot why I am not able to ping 72.30.210.5? Thanks.
05-03-2010 02:53 PM
Please ignore my question. I found out that the firewall blocked ICMP. Thanks.
05-03-2010 02:56 PM
You are absolutely correct. You can only ping the directly connected interface of the firewall, i.e. from the inside network you can only ping the inside interface of the firewall, and from the outside/internet you can only ping the outside interface of the firewall.