Solved

IP SCAN Through ASA VPN

Posted on 2010-08-24
6
731 Views
Last Modified: 2012-05-10
Hello, I have a group of techs that need to scan subnets and get dns addresses from ranges at remote sites. They asa vpn group can obtain machine names in the colo; however, the remote sites use a different dns server. I have added 53 and 161 access to all of these networks; however, with the vpn filter the guys cannot get machine names. They can without the filter. Any idea what could be going on? I called cisco tac, but the person wasn't getting anywhere.
0
Comment
Question by:dcawood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 16

Expert Comment

by:btassure
ID: 33520049
Can you show us a network diagram including the servers please?

Also any bits of the config you have such as the VPN groups and access lists (sanitised) please.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 33520890
The machine(s) from which these scans originate will try to resolve names via its own dns configuration. If the remote devices are not registering with this Dns, those lookups will fail. But most scanners will then try netbios name lookup, udp 137. If you allow that, you should be able to get their windows names.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 33521527
In your DNS server you may need to setup a forwarder zone for the colo's IP subnet pointing to the dns server that holds their PTR records.

Right now without the filter you may be doing netbios name lookup as Boilermaker85 has suggested.
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 

Author Comment

by:dcawood
ID: 33522379
The VPN connection has the same DNS Server as I do on the inside. I have allowed udp/137 udp/161 and udp 53 to the networks being scanned and the dns server.

When I do a scan from the inside, and get the machine names, I see on the logg monitor that it is resolving via 137 to the machine ip. Weird thing is, 137 is allowed and I dont see anything blocked in the logs.
0
 

Author Comment

by:dcawood
ID: 33522909
The traffic is being built through the vpn asa and the core asa to the vdmz where the machines are?
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 33523083
Hard to tell from your last comment, since we dont have a picture of the network and which ASA config we need to look at.
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question