10-21-2007 02:35 AM
Dear All,
Now I have a problem with a site-to-site VPN.
I want to restrict it to specific ports, but I don't know the command for specifying a port. Also, I don't know whether the VPN connection is supported when I restrict it to specific ports.
These are the commands I used for the VPN (meaning it is working):
access-list outside extended permit icmp any any
access-list 170 extended permit ip 192.2.2.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list VPN extended permit ip 192.2.2.0 255.255.255.0 192.1.1.0 255.255.255.0
These commands allow all ports, which I don't want. Could you tell me another command for specific ports only?
Best Regards,
Rechard
10-22-2007 04:34 PM
If I understand the question correctly (and I'm not 100% certain that I do):
To permit inbound VPN traffic without opening all ports, create an access list that allows isakmp and esp traffic from the remote host inbound.
permit udp host <
permit esp host <
Hope this helps
Steve
10-22-2007 10:40 PM
Dear Steve and All,
I'm glad to hear from you.
I tried the command that you gave me, but it still has the problem.
Please see the attached file for what I want.
Could you give me a detailed access-list for using the ports in the attached file with a site-to-site VPN connection?
Please help me!!!!
Best Regards,
Rechard
10-22-2007 11:20 PM
Hi Rechard, can you post the full config for the ASA5510?
I'll then be able to see where the access-list is being placed, whether NAT is involved, etc.
Steve
10-23-2007 05:07 PM
10-23-2007 05:46 PM
From the HQ end, interesting traffic has SOURCE ports of 1302, 2161, 1606, 3001.
From the client end, interesting traffic has DESTINATION ports of 1302, 2161, 1606, 3001.
Where you specify the ports in the access list differs for source ports and destination ports.
So to define the interesting traffic on the HQ ASA, use:
access-list 103 extended permit tcp host 192.1.1.5 eq 1302 host 192.2.2.5
access-list 103 extended permit tcp host 192.1.1.5 eq 2161 host 192.2.2.5
access-list 103 extended permit tcp host 192.1.1.5 eq 1606 host 192.2.2.5
access-list 103 extended permit tcp host 192.1.1.5 eq 3001 host 192.2.2.5
access-list 103 extended permit icmp any any
On the client side the destination ports are 1302, 2161, 1606, 3001, so this looks correct:
access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 1302
access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 2161
access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 1606
access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 3001
access-list 104 extended permit icmp any any
Hope this helps
Regards
Steve
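As an added illustration of the source-port versus destination-port point above (this is my own example, not code from the thread), a small parser for ASA "extended permit" lines that checks whether a peer's crypto ACL is the mirror image of the local one; the sample ACL text is taken from the entries posted above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]

    def mirrored(self) -> "Ace":
        # The peer's crypto ACL must be the mirror image: endpoints and ports swapped
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)

def _take_addr(t, i):
    """Consume one address term: 'any', 'host X' or 'NET MASK'."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/255.255.255.255", i + 2
    return t[i] + "/" + t[i + 1], i + 2

def _take_port(t, i):
    # Consume an optional 'eq PORT' qualifier that follows an address term
    if i < len(t) and t[i] == "eq":
        return t[i + 1], i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N extended permit PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2:4] != ["extended", "permit"]:
        raise ValueError("unsupported line: " + line)
    src, i = _take_addr(t, 5)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, _ = _take_port(t, i)
    return Ace(t[4], src, sport, dst, dport)

def parse_acl(text: str) -> set:
    return {parse_ace(l) for l in text.splitlines() if l.strip()}

def missing_mirrors(local: str, remote: str) -> set:
    """Local crypto-ACL entries that the remote peer's crypto ACL does not mirror."""
    remote_aces = parse_acl(remote)
    return {a for a in parse_acl(local) if a.mirrored() not in remote_aces}

# Sample input: the HQ (103) and branch (104) crypto ACL entries from the thread
HQ_103 = """access-list 103 extended permit tcp host 192.1.1.5 eq 1302 host 192.2.2.5
access-list 103 extended permit icmp any any"""
BRANCH_104 = """access-list 104 extended permit tcp host 192.2.2.5 host 192.1.1.5 eq 1302
access-list 104 extended permit icmp any any"""
```

An entry whose port sits on the wrong side (for example "host 192.1.1.5 host 192.2.2.5 eq 1302" on the HQ end) shows up in the missing set, which is the symptom the two posts above are correcting.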
10-23-2007 07:51 PM
Dear Steve,
I tried to put in the commands from you, but they don't work. HQ can ping the Branch and the Branch can ping HQ, but when I tried to use VNC for remote access it doesn't work. I don't know why?
Could you help me?
Kindly find the attached file.
Best Regards,
Rechard
10-23-2007 08:16 PM
I think the access lists are correct, although I'm not sure of the specific ports as they are not familiar to me. I think VNC sometimes uses tcp 5900.
I think that your issue now may be because you have the following commands assigned.
access-group 104 in interface outside
access-group 103 in interface outside
The access lists are correct for determining the interesting traffic; however, because this traffic is encrypted, the outside interfaces receive esp and isakmp traffic, not tcp traffic.
If you remove the 2 commands above I think we'll be closer.
10-23-2007 08:37 PM
Dear Steve,
After I took out the access-group on the ASA, I can't ping HQ to Branch or Branch to HQ, but the VPN connection is OK. For the VNC port it has to be 5800 and 5900; now I use 5800.
Best Regards,
Rechard
10-23-2007 08:48 PM
Create a separate access list and attach it to the outside interface on each router.
access-list 105 extended permit icmp any any
access-list 105 extended permit esp any any
access-list 105 extended permit udp any any eq 500
access-group 105 in interface outside
10-23-2007 09:10 PM
Dear Steven,
You mean that access-list 105 above needs to be put in the other router, right?
My diagram looks like this:
Client->ASA---(straight cable)--ASA->Client
Note:
For testing, not yet connected to the ISP.
Best Regards,
Rechard
10-23-2007 09:31 PM
You can run this on both ASAs without alteration.
----------------------------
access-list 105 extended permit icmp any any
access-list 105 extended permit esp any any
access-list 105 extended permit udp any any eq 500
access-group 105 in interface outside
---------------------------------------
The access lists 103 and 104 define what traffic gets encrypted.
Access list 105 says only allow VPN and ICMP traffic inbound.
Nearly there. ;o)
Steve
10-24-2007 01:50 AM