• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3662

Port forward over VPN tunnel

I have a site-to-site VPN connection configured from our PIX 506 (6.3.5) to one of our vendor's VPN concentrators. This VPN was set up for an application. I have been told that the vendor needs specified ports forwarded to our server, LAN IP 192.168.1.1, over the VPN tunnel. How do I do this? Do I just enter a command similar to this:
 static (inside,outside) tcp interface 11660 192.168.1.1 11660 netmask 255.255.255.255 0 0
or do I need to do something special since it is over a VPN tunnel? I'm a bit confused about this and any help would be appreciated. I have to perform this work remotely, so I want to make sure I don't lock myself out of the PIX. I can only access the PDM remotely... Let me know if I need to provide more info. Thanks.
0
Asked by FIFBA
1 Solution
 
Rob WilliamsCommented:
As a rule, ports are "forwarded" to allow specific traffic to pass through a firewall/router (usually a NAT device - Network Address Translation) to a specific device, such as a web server or remote desktop connection. With a VPN, all ports are open and all traffic is free to flow between the two sites by default. Assuming no access restrictions have been put in place, your servers should be readily available. Are they aware you have a VPN in place, or might they think this is a connection over the public Internet, which would require port forwarding rules to access? Or, are they connecting from another location than one end or the other of the VPN tunnel?
0
 
FIFBAAuthor Commented:
I'm a little confused about what the vendor thinks to be honest. They are well aware that the VPN is in place (they were part of the testing). They are telling me that their application is not able to reach its destination on the specified ports...but they can ping. I'm starting to think that I should have created a VPN connection that allowed traffic ONLY to the server. Does this sound right?
0
 
Rob WilliamsCommented:
It would depend on what you are trying to achieve. Most often you would create a site-to-site VPN allowing connections to all devices, but it is not mandatory. Regardless, site-to-site would not block any ports on the server.

Is there any chance there is a software firewall, such as the Windows firewall, enabled on the server to which they are trying to connect? That could block their traffic.
0

 
FIFBAAuthor Commented:
Windows firewall is not on, but I have just discovered I cannot telnet to the required port on the server over the VPN. Do you have any ideas on how to determine what could be the problem? Thanks for the help so far...
0
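The telnet test described above can be made more informative by distinguishing how the connection fails: "connection refused" means the packets crossed the tunnel and reached the host but nothing is listening on that port, while a timeout means something in the path (a crypto-map ACL, a firewall, or a down host) never answered. The script below is an added example, not part of the original thread or any vendor tool; it assumes the server address 192.168.1.1 and port 11660 from the question, and uses a throwaway listener on 127.0.0.1 (constructed here) so it can be run without the VPN.

```python
import errno
import socket
import threading

# Values from the question; edit for your own environment.
SERVER_IP = "192.168.1.1"
VENDOR_PORTS = [11660]


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome.

    Returns 'open', 'refused', 'filtered' (no reply before timeout) or
    'unreachable:<ERRNO>' for local routing errors (no route, network down).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"            # SYN/ACK came back: path and listener are fine
    except socket.timeout:
        return "filtered"        # silently dropped somewhere in the path
    except ConnectionRefusedError:
        return "refused"         # host answered with RST: reachable, nothing listening
    except OSError as exc:       # e.g. ENETUNREACH / EHOSTUNREACH on the local side
        return "unreachable:%s" % errno.errorcode.get(exc.errno, exc.errno)
    finally:
        sock.close()


def probe_ports(host, ports, timeout=3.0):
    """Probe several ports on one host; returns {port: classification}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def explain(result):
    """Map a probe classification to the troubleshooting conclusion it supports."""
    if result == "open":
        return "service is listening and the tunnel passes this port"
    if result == "refused":
        return "host reached through the tunnel, but no process is bound to this port (check the application)"
    if result == "filtered":
        return "no reply: suspect an ACL, host firewall, or the host being down"
    return "local routing problem before the tunnel: %s" % result


# --- constructed local fixtures so the example runs without a VPN ---------

def start_local_listener():
    """Start a throwaway TCP listener on 127.0.0.1 (constructed fixture, not
    the vendor's service). Returns the ephemeral port; the socket stays open
    for the life of the process because the accept loop references it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def find_closed_port():
    """Bind to an ephemeral port and release it so it is (almost certainly) closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Local demonstration: one listening port, one closed port.
    open_port = start_local_listener()
    closed_port = find_closed_port()
    for port, result in probe_ports("127.0.0.1", [open_port, closed_port], 1.0).items():
        print("127.0.0.1:%d -> %s (%s)" % (port, result, explain(result)))

    # Real check from a host on the LAN side of the tunnel (uncomment to use):
    # for port, result in probe_ports(SERVER_IP, VENDOR_PORTS).items():
    #     print("%s:%d -> %s (%s)" % (SERVER_IP, port, result, explain(result)))
```

Run the real check from a machine at the vendor's end of the tunnel (or from the PIX LAN toward the vendor, depending on which side hosts the service). A "refused" result against 192.168.1.1:11660 points at the application not listening, which is what the thread eventually concluded; a "filtered" result points back at the tunnel or a host firewall.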
 
FIFBAAuthor Commented:
I'm starting to think the vendor did not set up the application properly and that the application is not using the specified ports... I can telnet to all well-known services over the VPN. Thanks again for the help...
0
 
Rob WilliamsCommented:
Sounds good. May be an error on their part as you say.
Thanks FIFBA.
Cheers !
--Rob
0
