VPN Tunnel L2L Port question

wilsonbolanos
Level 1

We have a Cisco ASA 5520 ver 9.1 and we created a L2L VPN tunnel with another company. We ran into a problem while printing via AS400 and we knew it was a port that was being blocked. The reason we knew it was a port is that when we allowed everything through the tunnel it would print. When we used the vpn filter option to block ports, the AS400 could not print anymore. I tried captures and that did not work. Tried Wireshark and it did not work. We finally talked with an AS400 person who said to try port 9100, which worked. We are using the vpn filter option on the tunnel to block the ports. How can we check ports that are being blocked going through the tunnel?

5 Replies

Dinesh Moudgil
Cisco Employee

Hi Wilson,

VPN filter is an optional way of restricting traffic across a VPN tunnel, although this is not a mandate for negotiating a tunnel.
If you wish to see the ports being blocked and permitted, you can check the access-list being applied as the VPN filter parameter.

On ASA:
group-policy filter attributes
 vpn-filter value <access-list name>

On Router:
crypto map cryptomap 1 ipsec-isakmp
 set ip access-group VPNFILTER in

The contents of access-list would show you what ports are allowed and restricted across a VPN tunnel.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

We did do the vpn-filter value; that is what we have on the ASA. But my question is, when we were allowing everything in, we could have seen 9100 being hit (although we did not know it at the time of troubleshooting). What command would have shown this port? show access-list ACCESSLISTNAME log? The capture capin inside and outside and Wireshark were not catching this port 9100, because I am assuming that it was encrypted maybe? Just wondering what commands would have helped us for future reference. Thanks.

If you are taking captures on the outside interface, then yes, the packets would be encrypted and you won't be able to grab the captures. Captures on the inside interface should show you the IPs and ports that are seen coming into the ASA.
Consider you have a VPN filter applied as this access-list:
access-list test extended deny tcp host 2.2.2.2 host 192.168.22.22 eq www
Then you will be able to see that the HTTP request is blocked but other ports are open.

In essence, unless you manually deny any specific port, all the ports would be allowed.
HTH.

Regards,
Dinesh Moudgil
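The check described above, reading the vpn-filter access list to see which ports are permitted and which are dropped, as an added example that is not from this thread or from Cisco: a small Python evaluator for ASA-style extended ACEs that matches a flow against the list in order and applies the implicit deny that ends every ASA access list. The VPNFILTER ACL, its telnet/9100 entries and the candidate port list are constructed from the two hosts mentioned in the thread; vpn-filter ACLs are written with the remote (peer) side as source, so flows are given in that direction.

```python
import ipaddress

# Port keywords the ASA accepts in place of numbers (small subset, constructed here).
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "lpd": 515}

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK' from the token list; return (network, rest)."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest = t[3], t[4], t[5:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation of one flow; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line
    return "deny", "implicit deny at end of access-list"

def blocked_ports(acl, proto, src, dst, ports):
    """Which of the candidate destination ports would the filter drop for this src/dst pair?"""
    return [p for p in ports if evaluate(acl, proto, src, dst, p)[0] == "deny"]

# Constructed vpn-filter: remote AS400 (172.16.13.45) to local host (192.168.0.89), telnet and raw printing only.
VPN_FILTER = [
    "access-list VPNFILTER extended permit tcp host 172.16.13.45 host 192.168.0.89 eq telnet",
    "access-list VPNFILTER extended permit tcp host 172.16.13.45 host 192.168.0.89 eq 9100",
]

if __name__ == "__main__":
    # Candidate ports a print path might use: telnet, lpd, ipp, raw 9100.
    print(blocked_ports(VPN_FILTER, "tcp", "172.16.13.45", "192.168.0.89", [23, 515, 631, 9100]))
```

Paste the live `show running-config access-list` lines for the filter ACL into the list to test a real flow; lines using object-groups or port ranges are rejected by the parser rather than silently mis-evaluated.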

192.168.0.89 us
172.16.13.45 them

When I was doing my capture capin inside host 192.168.0.89 host 172.16.13.45, I probably should have reversed them to capture the port 9100. Basically we were just capturing the port 23 telnet to the AS400.

FYI, ASA captures are bidirectional, so you should get all the information from a single capture as well.

Regards,
Dinesh Moudgil