Solved

IP SCAN Through ASA VPN

Posted on 2010-08-24
6
730 Views
Last Modified: 2012-05-10
Hello, I have a group of techs that need to scan subnets and get dns addresses from ranges at remote sites. They asa vpn group can obtain machine names in the colo; however, the remote sites use a different dns server. I have added 53 and 161 access to all of these networks; however, with the vpn filter the guys cannot get machine names. They can without the filter. Any idea what could be going on? I called cisco tac, but the person wasn't getting anywhere.
0
Comment
Question by:dcawood
6 Comments
 
LVL 16

Expert Comment

by:btassure
ID: 33520049
Can you show us a network diagram including the servers please?

Also any bits of the config you have such as the VPN groups and access lists (sanitised) please.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 33520890
The machine(s) from which these scans originate will try to resolve names via its own dns configuration. If the remote devices are not registering with this Dns, those lookups will fail. But most scanners will then try netbios name lookup, udp 137. If you allow that, you should be able to get their windows names.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 33521527
In your DNS server you may need to setup a forwarder zone for the colo's IP subnet pointing to the dns server that holds their PTR records.

Right now without the filter you may be doing netbios name lookup as Boilermaker85 has suggested.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:dcawood
ID: 33522379
The VPN connection has the same DNS Server as I do on the inside. I have allowed udp/137 udp/161 and udp 53 to the networks being scanned and the dns server.

When I do a scan from the inside, and get the machine names, I see on the logg monitor that it is resolving via 137 to the machine ip. Weird thing is, 137 is allowed and I dont see anything blocked in the logs.
0
 

Author Comment

by:dcawood
ID: 33522909
The traffic is being built through the vpn asa and the core asa to the vdmz where the machines are?
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 33523083
Hard to tell from your last comment, since we dont have a picture of the network and which ASA config we need to look at.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco vWLC DHCP issues 36 60
port redirection on cisco asa 5520 5 16
vpn to Azure 2 16
Cisco Wireless Access Controller 3 11
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question