[vpn-help] general question: need to check for specific ports over vpn

Matthew Grooms mgrooms at shrew.net
Fri Jul 9 18:02:34 CDT 2010


On 7/8/2010 10:43 AM, gregmail at outtacyte.com wrote:
> Hi all,
>
> How can I tell if certain ports are being allowed over the vpn
> connection or are being blocked?
>
> I have a monitoring product that I'm trying to connect to a machine
> across the Shrew-Cisco506 VPN and it's not connecting.
>
> I can get to the machine in question with both ssh, http and https (22,
> 80, & 443) but no go for the monitoring product.
>
> The monitoring product does connect to a machine in my network with no
> issues at all, just not to the one over the VPN.
>
> The target machine is a VMware host (ESXi) and getting information from
> it is virtually (pun intended) impossible.
>

While IKE/IPsec is capable of using IP protocol and port selectors when 
defining security policies and negotiating security associations, most 
VPN clients only have granularity down to the IP address level. The 
reason for this is simple. Routes are typically used to influence which 
local address is used to source traffic. Basic route tables don't take 
the IP protocol, source IP or port information into consideration. They 
only care about the destination address. This makes it very difficult for a 
client to force ssh traffic over IPsec but allow http traffic over your 
local internet connection when the destination IP is the same for both 
TCP sessions.

In other words, if you can connect to the host using ssh, http and 
https, I can't imagine why you wouldn't be able to connect to any other 
port on the same host ... unless it's being blocked by the VPN gateway 
firewall policy or an intermediary firewall policy.

Hope this helps,

-Matthew
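A practical way to answer the original question ("is this port blocked over the tunnel?") is to probe the known-good ports and the monitoring port on the same host from the VPN client and compare the outcomes. The script below is an added example, not part of this thread or of the Shrew Soft client; the host and port numbers on the command line are placeholders. It distinguishes a completed handshake (open), an RST from the host (closed: reachable, nothing listening) and silence until the timeout (filtered). Since, as described above, the client routes by destination address only, a "filtered" result for one port beside "open" on 22/80/443 of the same host points at the gateway or an intermediary firewall policy rather than at the VPN client itself.

```python
"""TCP reachability probe for troubleshooting per-port filtering across a VPN.

Added example for this thread; not code from the Shrew Soft project.
Run:  python probe_ports.py 10.0.0.5 22 80 443 8443   (placeholder values)
"""
import socket
import sys
from typing import Literal

Status = Literal["open", "closed", "filtered"]


def probe_tcp_port(host: str, port: int, timeout: float = 3.0) -> Status:
    """Classify one TCP port as seen from this client.

    open     - handshake completed, a listener answered.
    closed   - host answered with RST: reachable, nothing listening there.
    filtered - no answer before the timeout (or the route/network is
               unreachable); typical of a firewall silently dropping
               the SYN somewhere between here and the host.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            # Must be caught before OSError: it is a subclass of it.
            return "closed"
        except (socket.timeout, TimeoutError, OSError):
            return "filtered"


def probe_ports(host: str, ports: list[int], timeout: float = 3.0) -> dict[int, Status]:
    """Probe several ports on one host and return {port: status}."""
    return {p: probe_tcp_port(host, p, timeout) for p in ports}


def suspicious_ports(results: dict[int, Status]) -> list[int]:
    """Ports that look filtered while at least one other port on the same
    host is open or closed, i.e. the host itself is reachable. These are
    the candidates for a gateway or intermediary firewall policy."""
    host_reachable = any(s in ("open", "closed") for s in results.values())
    if not host_reachable:
        return []
    return sorted(p for p, s in results.items() if s == "filtered")


# --- loopback helpers so the probe logic can be exercised offline ---------

def start_local_listener() -> tuple[socket.socket, int]:
    """Bind a listener on an ephemeral loopback port; caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_unused_local_port() -> int:
    """Reserve and release an ephemeral port so nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def self_check() -> dict[str, Status]:
    """Constructed offline check: one listening and one refused loopback port."""
    srv, open_port = start_local_listener()
    try:
        listening = probe_tcp_port("127.0.0.1", open_port)
    finally:
        srv.close()
    refused = probe_tcp_port("127.0.0.1", find_unused_local_port())
    return {"listening": listening, "refused": refused}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(__doc__)
        sys.exit(1)
    target, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    res = probe_ports(target, ports)
    for port, status in res.items():
        print(f"{target}:{port:<6} {status}")
    odd = suspicious_ports(res)
    if odd:
        print(f"host reachable, but filtered on {odd}: check gateway / intermediary firewall policy")
```

Run it from the VPN client against the target host with the working ports and the monitoring port in one invocation; the final line names the ports that are dropped even though the host is plainly reachable on others. A "filtered" verdict is a view from one side only, so the matching check is the gateway's own log or policy for that destination and port.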
