  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 745

IP SCAN Through ASA VPN

Hello, I have a group of techs that need to scan subnets and get DNS addresses from ranges at remote sites. The ASA VPN group can obtain machine names in the colo; however, the remote sites use a different DNS server. I have added 53 and 161 access to all of these networks; however, with the VPN filter the guys cannot get machine names. They can without the filter. Any idea what could be going on? I called Cisco TAC, but the person wasn't getting anywhere.
0
Asked by: dcawood
1 Solution
 
btassure Commented:
Can you show us a network diagram including the servers please?

Also any bits of the config you have such as the VPN groups and access lists (sanitised) please.
0
 
Boilermaker85 Commented:
The machine(s) from which these scans originate will try to resolve names via its own DNS configuration. If the remote devices are not registering with this DNS, those lookups will fail. But most scanners will then try a NetBIOS name lookup, UDP 137. If you allow that, you should be able to get their Windows names.
0
 
giltjr Commented:
In your DNS server you may need to set up a forwarder zone for the colo's IP subnet pointing to the DNS server that holds their PTR records.

Right now, without the filter, you may be doing a NetBIOS name lookup as Boilermaker85 has suggested.
0
 
dcawood Author Commented:
The VPN connection has the same DNS server as I do on the inside. I have allowed udp/137, udp/161 and udp/53 to the networks being scanned and the DNS server.

When I do a scan from the inside and get the machine names, I see on the log monitor that it is resolving via 137 to the machine IP. Weird thing is, 137 is allowed and I don't see anything blocked in the logs.
0
 
dcawood Author Commented:
The traffic is being built through the VPN ASA and the core ASA to the vdmz where the machines are?
0
 
Boilermaker85 Commented:
Hard to tell from your last comment, since we don't have a picture of the network and which ASA config we need to look at.
0
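Since the thread never shows the filter itself, here is an added example (not the asker's config) of what an ASA vpn-filter permitting the three ports discussed above, DNS, NetBIOS name service and SNMP, looks like, with an explicit logged deny so that anything the filter drops actually shows up in syslog. The addresses, ACL name and group-policy name are hypothetical placeholders.

```cisco
! Hypothetical addressing, for illustration only:
!   VPN client address pool   10.99.0.0/24
!   internal DNS server       10.1.1.53
!   remote-site subnets       10.20.0.0/16  (the ranges the techs scan)
!
! vpn-filter ACEs are written with the VPN client as the source and the
! internal network as the destination; the ASA matches the return traffic
! of a permitted flow itself, so no mirror-image ACEs are needed.
access-list TECH-VPN-FILTER extended permit udp 10.99.0.0 255.255.255.0 host 10.1.1.53 eq domain
access-list TECH-VPN-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 10.1.1.53 eq domain
! NetBIOS name service (UDP 137) is sent to the scanned hosts themselves,
! not to the DNS server, so the destination is the remote-site range.
access-list TECH-VPN-FILTER extended permit udp 10.99.0.0 255.255.255.0 10.20.0.0 255.255.0.0 eq netbios-ns
access-list TECH-VPN-FILTER extended permit udp 10.99.0.0 255.255.255.0 10.20.0.0 255.255.0.0 eq snmp
! Explicit deny with "log": the implicit deny at the end of a vpn-filter
! is silent, which is one reason nothing "blocked" appears in the logs.
access-list TECH-VPN-FILTER extended deny ip any any log
!
group-policy TECH-SCANNERS attributes
 vpn-filter value TECH-VPN-FILTER
```

After a test scan, `show access-list TECH-VPN-FILTER` shows per-ACE hit counts, and any traffic hitting the logged deny appears as syslog message 106100, which makes it clear whether the filter or something downstream (the core ASA path mentioned above) is dropping the UDP 137 lookups.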
