Solved

IP SCAN Through ASA VPN

Posted on 2010-08-24
6
728 Views
Last Modified: 2012-05-10
Hello, I have a group of techs that need to scan subnets and get dns addresses from ranges at remote sites. They asa vpn group can obtain machine names in the colo; however, the remote sites use a different dns server. I have added 53 and 161 access to all of these networks; however, with the vpn filter the guys cannot get machine names. They can without the filter. Any idea what could be going on? I called cisco tac, but the person wasn't getting anywhere.
0
Comment
Question by:dcawood
6 Comments
 
LVL 16

Expert Comment

by:btassure
ID: 33520049
Can you show us a network diagram including the servers please?

Also any bits of the config you have such as the VPN groups and access lists (sanitised) please.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 33520890
The machine(s) from which these scans originate will try to resolve names via its own dns configuration. If the remote devices are not registering with this Dns, those lookups will fail. But most scanners will then try netbios name lookup, udp 137. If you allow that, you should be able to get their windows names.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 33521527
In your DNS server you may need to setup a forwarder zone for the colo's IP subnet pointing to the dns server that holds their PTR records.

Right now without the filter you may be doing netbios name lookup as Boilermaker85 has suggested.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:dcawood
ID: 33522379
The VPN connection has the same DNS Server as I do on the inside. I have allowed udp/137 udp/161 and udp 53 to the networks being scanned and the dns server.

When I do a scan from the inside, and get the machine names, I see on the logg monitor that it is resolving via 137 to the machine ip. Weird thing is, 137 is allowed and I dont see anything blocked in the logs.
0
 

Author Comment

by:dcawood
ID: 33522909
The traffic is being built through the vpn asa and the core asa to the vdmz where the machines are?
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 33523083
Hard to tell from your last comment, since we dont have a picture of the network and which ASA config we need to look at.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone. The standard procedure would be to launch the DNS Manager console, create the Zone and start adding new hosts using the New…
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question