
Opening Ports over a VPN Tunnel

Status
Not open for further replies.

usfregale (Technical User)
I have always assumed (incorrectly, I have recently learned) that a VPN provided completely open communication between multiple networks. The issue we're having is that a number of ports that we need open appear to be blocked over our VPN tunnels. This is demonstrated by the following port scans of the 10.105.0.33 device: the first is from a PC on the other side of the VPN tunnel and the second is from a PC on the local network.

Port scan over VPN tunnel:

Starting Nmap 5.00 ( ) at 2009-10-24 00:10 Eastern Daylight Time
NSE: Loaded 30 scripts for scanning.
Initiating Ping Scan at 00:10
Scanning 10.105.0.33 [8 ports]
Completed Ping Scan at 00:10, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:10
Completed Parallel DNS resolution of 1 host. at 00:10, 0.05s elapsed
Initiating SYN Stealth Scan at 00:10
Scanning 10.105.0.33 [65535 ports]
Discovered open port 80/tcp on 10.105.0.33
Discovered open port 1720/tcp on 10.105.0.33
Discovered open port 50801/tcp on 10.105.0.33
Discovered open port 50794/tcp on 10.105.0.33
Completed SYN Stealth Scan at 00:11, 22.61s elapsed (65535 total ports)

Port scan from local PC:

Starting Nmap 5.00 ( ) at 2009-10-24 00:21 Eastern Daylight Time
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 00:21
Scanning 10.105.0.33 [1 port]
Completed ARP Ping Scan at 00:21, 0.31s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:21
Completed Parallel DNS resolution of 1 host. at 00:21, 0.11s elapsed
Initiating SYN Stealth Scan at 00:21
Scanning 10.105.0.33 [65535 ports]
Discovered open port 1720/tcp on 10.105.0.33
Discovered open port 80/tcp on 10.105.0.33
Discovered open port 50794/tcp on 10.105.0.33
Discovered open port 50814/tcp on 10.105.0.33
Discovered open port 50808/tcp on 10.105.0.33
Discovered open port 50802/tcp on 10.105.0.33
Discovered open port 4100/tcp on 10.105.0.33
Discovered open port 50801/tcp on 10.105.0.33
Discovered open port 50812/tcp on 10.105.0.33
Discovered open port 50804/tcp on 10.105.0.33
Discovered open port 50797/tcp on 10.105.0.33
Completed SYN Stealth Scan at 00:22, 33.80s elapsed (65535 total ports)


As you can see, there are considerably more ports open on the local scan than on the scan through the VPN tunnel. I need (at a minimum) to be able to open a number of specific ports over this tunnel; however, I would prefer to simply open all ports over the VPN, since the traffic is encrypted anyway. Configs for both of the ASAs are provided below. The 10.20 site is an ASA 5510 and serves as the hub for our VPN network. The 10.105 site is an ASA 5505. Any help is greatly appreciated.

Thanks!

Richard

Config for remote site, ASA 5505, 10.105:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(3)
!
hostname JH18363
domain-name default.domain.invalid
enable password XXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.105.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service SCN tcp
description Avaya Small Community Networking
port-object range 50795 50795
access-list vpn_to_jhschq extended permit ip 10.105.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list vpn_to_jhschq extended permit ip 10.105.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list vpn_to_jhschq extended permit ip 10.105.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list x extended permit ip host 10.105.0.33 host 10.20.0.33
access-list x extended permit ip host 10.105.0.33 host 10.20.0.32
access-list x extended permit ip host 10.20.0.33 host 10.105.0.33
access-list x extended permit ip host 10.20.0.32 host 10.105.0.33
access-list nonat extended permit ip 10.105.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list nonat extended permit ip 10.105.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list nonat extended permit ip 10.105.0.0 255.255.255.0 10.123.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging standby
logging trap debugging
logging asdm informational
logging host inside 10.105.0.152
logging debug-trace
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 66.83.231.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.105.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto dynamic-map ouside_map 5 set reverse-route
crypto map outside_map 10 match address vpn_to_jhschq
crypto map outside_map 10 set peer X.X.X.X
crypto map outside_map 10 set transform-set ESP-AES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.105.0.152 255.255.255.255 inside
telnet 10.105.0.153 255.255.255.255 inside
telnet timeout 5
ssh 10.105.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 4.2.2.2 4.2.2.1
dhcpd domain PCDEEOF18363
dhcpd auto_config outside
dhcpd option 176 ascii "TFTPSRVR=10.20.0.33,MCIPADD=10.105.0.33,MCPORT=1719"
!
dhcpd address 10.105.0.150-10.105.0.181 inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:624ffe18af18be8d0ae7b02f10c787b3
: end


Config for local site, ASA 5510, 10.20:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname JHSCHQ
domain-name default.domain.invalid
enable password XXXXX encrypted
passwd XXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service H323 tcp
port-object eq h323
object-group service SCN tcp
description Avaya Small Community Networking
port-object range 50795 50795
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.102.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.104.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.105.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.107.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.110.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.111.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.108.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.113.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.114.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.115.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.116.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.117.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.118.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.119.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.120.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.121.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.122.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.124.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.125.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.126.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.127.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.128.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.129.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.106.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.130.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.132.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.133.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.150.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.151.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.152.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.154.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.155.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.156.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.157.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.158.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.159.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.160.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.161.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.170.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.171.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.172.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.180.0.0 255.255.255.0
access-list nonat extended permit ip 10.123.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list nonat extended permit ip 10.101.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list nonat extended permit ip 10.150.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonat extended permit ip 10.131.0.0 255.255.255.0 10.150.0.0 255.255.255.0
access-list vpn_to_jh70333 extended permit ip 10.20.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list 101_to_123 extended permit ip 10.101.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list 101_to_123 extended permit ip 10.123.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list vpn_to_jh13765 extended permit ip 10.20.0.0 255.255.255.0 10.101.0.0 255.255.255.0
access-list vpn_to_jh51829 extended permit ip 10.20.0.0 255.255.255.0 10.102.0.0 255.255.255.0
access-list vpn_to_jh18114 extended permit ip 10.20.0.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list vpn_to_jh71216 extended permit ip 10.20.0.0 255.255.255.0 10.104.0.0 255.255.255.0
access-list vpn_to_jh18363 extended permit ip 10.20.0.0 255.255.255.0 10.105.0.0 255.255.255.0
access-list vpn_to_jh18363 extended permit ip 10.20.0.0 255.255.255.0 10.130.0.0 255.255.255.0
access-list vpn_to_jh50642 extended permit ip 10.20.0.0 255.255.255.0 10.107.0.0 255.255.255.0
access-list vpn_to_jh18364 extended permit ip 10.20.0.0 255.255.255.0 10.110.0.0 255.255.255.0
access-list vpn_to_jh18364 extended permit ip 10.20.0.0 255.255.255.0 10.132.0.0 255.255.255.0
access-list vpn_to_jh15533 extended permit ip 10.20.0.0 255.255.255.0 10.111.0.0 255.255.255.0
access-list vpn_to_jh15533 extended permit ip 10.20.0.0 255.255.255.0 10.151.0.0 255.255.255.0
access-list vpn_to_hg51135 extended permit ip 10.20.0.0 255.255.255.0 10.108.0.0 255.255.255.0
access-list vpn_to_jh70244 extended permit ip 10.20.0.0 255.255.255.0 10.112.0.0 255.255.255.0
access-list vpn_to_jh50630 extended permit ip 10.20.0.0 255.255.255.0 10.113.0.0 255.255.255.0
access-list vpn_to_jh24317 extended permit ip 10.20.0.0 255.255.255.0 10.114.0.0 255.255.255.0
access-list vpn_to_jh17483 extended permit ip 10.20.0.0 255.255.255.0 10.115.0.0 255.255.255.0
access-list vpn_to_jh70758 extended permit ip 10.20.0.0 255.255.255.0 10.116.0.0 255.255.255.0
access-list vpn_to_jh17110 extended permit ip 10.20.0.0 255.255.255.0 10.117.0.0 255.255.255.0
access-list vpn_to_jh17111 extended permit ip 10.20.0.0 255.255.255.0 10.118.0.0 255.255.255.0
access-list vpn_to_jh17449 extended permit ip 10.20.0.0 255.255.255.0 10.119.0.0 255.255.255.0
access-list vpn_to_jh18480 extended permit ip 10.20.0.0 255.255.255.0 10.120.0.0 255.255.255.0
access-list vpn_to_jh11074 extended permit ip 10.20.0.0 255.255.255.0 10.121.0.0 255.255.255.0
access-list vpn_to_jh18113 extended permit ip 10.20.0.0 255.255.255.0 10.122.0.0 255.255.255.0
access-list vpn_to_JH_Home extended permit ip 10.20.0.0 255.255.255.0 10.123.0.0 255.255.255.0
access-list vpn_to_jh50627 extended permit ip 10.20.0.0 255.255.255.0 10.124.0.0 255.255.255.0
access-list vpn_to_jh51030 extended permit ip 10.20.0.0 255.255.255.0 10.125.0.0 255.255.255.0
access-list vpn_to_jh70975 extended permit ip 10.20.0.0 255.255.255.0 10.126.0.0 255.255.255.0
access-list vpn_to_jh71104 extended permit ip 10.20.0.0 255.255.255.0 10.127.0.0 255.255.255.0
access-list vpn_to_jh71104 extended permit ip 10.20.0.0 255.255.255.0 10.106.0.0 255.255.255.0
access-list vpn_to_jh71213 extended permit ip 10.20.0.0 255.255.255.0 10.128.0.0 255.255.255.0
access-list vpn_to_jhpdcw extended permit ip 10.20.0.0 255.255.255.0 10.129.0.0 255.255.255.0
access-list vpn_to_jh extended permit ip 10.20.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list vpn_to_jhrouter3 extended permit ip 10.20.0.0 255.255.255.0 10.132.0.0 255.255.255.0
access-list vpn_to_jhdillon extended permit ip 10.20.0.0 255.255.255.0 10.133.0.0 255.255.255.0
access-list vpn_to_jh50627a extended permit ip 10.20.0.0 255.255.255.0 10.150.0.0 255.255.255.0
access-list vpn_to_jh27351a extended permit ip 10.20.0.0 255.255.255.0 10.151.0.0 255.255.255.0
access-list vpn_to_jh51030a extended permit ip 10.20.0.0 255.255.255.0 10.152.0.0 255.255.255.0
access-list vpn_to_jh70333a extended permit ip 10.20.0.0 255.255.255.0 10.154.0.0 255.255.255.0
access-list vpn_to_jh70758a extended permit ip 10.20.0.0 255.255.255.0 10.155.0.0 255.255.255.0
access-list vpn_to_jh51135a extended permit ip 10.20.0.0 255.255.255.0 10.156.0.0 255.255.255.0
access-list vpn_to_jh71104a extended permit ip 10.20.0.0 255.255.255.0 10.157.0.0 255.255.255.0
access-list vpn_to_jh19002 extended permit ip 10.20.0.0 255.255.255.0 10.160.0.0 255.255.255.0
access-list vpn_to_jh13483 extended permit ip 10.20.0.0 255.255.255.0 10.170.0.0 255.255.255.0
access-list vpn_to_jh19109 extended permit ip 10.20.0.0 255.255.255.0 10.171.0.0 255.255.255.0
access-list vpn_to_JH18640 extended permit ip 10.20.0.0 255.255.255.0 10.172.0.0 255.255.255.0
access-list vpn_to_jh70952 extended permit ip 10.20.0.0 255.255.255.0 10.180.0.0 255.255.255.0
access-list nonatout extended permit ip 10.105.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list nonatout extended permit ip 10.150.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonatout extended permit ip 10.131.0.0 255.255.255.0 10.150.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging emblem
logging list all level debugging
logging buffer-size 1024000
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm informational
logging facility 16
logging host inside 10.20.0.104 format emblem
logging debug-trace
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list nonatout
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 12:00:00 half-closed 12:00:00 udp 12:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 12:00:00 h225 12:00:00 mgcp 12:00:00 mgcp-pat 12:00:00
timeout sip 0:30:00 sip_media 0:10:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 3:00:00 absolute uauth 3:00:00 inactivity
aaa authentication ssh console LOCAL
http server enable
http 10.20.0.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 10.123.0.158 community public
snmp-server location Processing
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 5 set transform-set ESP-AES-MD5
crypto map outside_map 65500 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 24.25.5.60 24.25.5.61
dhcpd option 176 ascii "TFTPSRVR=10.20.0.33,MCIPADD=10.20.0.32,MCPORT=1719"
!
dhcpd address 10.20.0.100-10.20.0.205 inside
dhcpd enable inside
!
priority-queue outside
queue-limit 1024
tftp-server inside 10.20.0.33 C:\asa\
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username cisco password XXXXX encrypted privilege 15
username blynch password XXXXX encrypted privilege 0
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
!
class-map Voice
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class Voice
priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e2191357171815c27bbed4cab31e8f9b
: end
 
If you don't restrict it, all TCP ports and IP traffic are permitted by default. Try not using a stealth scan, and try to telnet to each port you want to confirm is open.

Brent
Systems Engineer / Consultant
CCNP, CCSP
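Brent's suggestion in script form, as an added example (this is not code from either poster): parse the two nmap -v outputs Richard pasted, list the ports that appear only in the local scan, and re-probe those with a full TCP connect, which is what telnet or `nmap -sT` does. A connect probe tells "closed" (a RST came back, so the tunnel carried the packet and nothing is listening) apart from "filtered" (nothing came back, which is what a firewall drop or a lost probe looks like); a SYN stealth scan that pushes 65535 probes through a tunnel in 22 seconds reports any lost probe as not open, so a single fast run is weak evidence of blocking. Assumptions: Python 3 standard library only; the target address and port lists are taken from the post; the loopback listener and the reserved closed port exist only so the probe can be exercised offline.

```python
"""Compare two nmap -v runs of one host, then re-probe the disputed ports with a
full TCP connect so 'closed' (RST received) and 'filtered' (no answer) can be told
apart. Added example; standard library only."""
import re
import socket
import threading
from typing import Dict, Iterable, Set, Tuple

# nmap -v prints one of these per open port. The two samples are the lines from
# the post: a scan of 10.105.0.33 from the local LAN and one across the VPN.
DISCOVERED = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)", re.M)

LOCAL_SCAN = """
Discovered open port 1720/tcp on 10.105.0.33
Discovered open port 80/tcp on 10.105.0.33
Discovered open port 50794/tcp on 10.105.0.33
Discovered open port 50814/tcp on 10.105.0.33
Discovered open port 50808/tcp on 10.105.0.33
Discovered open port 50802/tcp on 10.105.0.33
Discovered open port 4100/tcp on 10.105.0.33
Discovered open port 50801/tcp on 10.105.0.33
Discovered open port 50812/tcp on 10.105.0.33
Discovered open port 50804/tcp on 10.105.0.33
Discovered open port 50797/tcp on 10.105.0.33
"""

VPN_SCAN = """
Discovered open port 80/tcp on 10.105.0.33
Discovered open port 1720/tcp on 10.105.0.33
Discovered open port 50801/tcp on 10.105.0.33
Discovered open port 50794/tcp on 10.105.0.33
"""


def parse_nmap_verbose(output: str, proto: str = "tcp") -> Set[int]:
    """Set of ports nmap reported open for the given protocol."""
    return {int(m.group(1)) for m in DISCOVERED.finditer(output) if m.group(2) == proto}


def diff_scans(local: Set[int], remote: Set[int]) -> Dict[str, Set[int]]:
    """Ports only one vantage point saw; only_local is the 'blocked over VPN?' list."""
    return {"only_local": local - remote, "only_remote": remote - local}


def connect_check(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Full three-way handshake per port (nmap -sT / telnet equivalent).

    'closed' means a RST came back: the path carried the probe and nothing is
    listening. 'filtered' means nothing came back, which is what a firewall drop
    or a lost packet looks like. A SYN scan cannot separate those two reliably.
    """
    results: Dict[int, str] = {}
    for port in sorted(ports):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError as exc:            # e.g. no route to host
                results[port] = f"unreachable ({exc.strerror})"
    return results


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Throwaway TCP listener on an ephemeral port so the probe can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:                   # listener closed by the caller
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Bind and immediately release a port, so a connect to it is answered with a RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    local, remote = parse_nmap_verbose(LOCAL_SCAN), parse_nmap_verbose(VPN_SCAN)
    disputed = diff_scans(local, remote)["only_local"]
    print("open locally but not seen over the VPN:", sorted(disputed))
    # Run this from the VPN side. 'closed' on a port the LAN scan showed open means
    # the probe crossed the tunnel and the host itself answered with a RST.
    for port, verdict in connect_check("10.105.0.33", disputed).items():
        print(f"{port}/tcp: {verdict}")
```

Run it from a PC on the 10.20 side: a port that comes back "closed" was reached through the tunnel and simply was not listening at that moment, while "filtered" across repeated runs is the only result that actually points at a drop in the path. The same question can be put to the hub ASA directly with `packet-tracer input inside tcp <10.20.x.x> <sport> 10.105.0.33 <port>` (available from ASA 7.2), which walks the flow through the ACL, NAT and crypto phases and names the one that drops it, and `show crypto ipsec sa` shows whether the encaps/decaps counters for the 10.20/24 to 10.105/24 proxy move while the probes run.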