[vpn-help] general question: need to check for specific ports over vpn
Matthew Grooms
mgrooms at shrew.net
Fri Jul 9 18:02:34 CDT 2010
On 7/8/2010 10:43 AM, gregmail at outtacyte.com wrote:
> Hi all,
>
> How can I tell if certain ports are being allowed over the vpn
> connection or are being blocked?
>
> I have a monitoring product that I'm trying to connect to a machine
> across the Shrew-Cisco506 VPN and it's not connecting.
>
> I can get to the machine in question with both ssh, http and https (22,
> 80, & 443) but no go for the monitoring product.
>
> The monitoring product does connect to a machine in my network with no
> issues at all, just not to the one over the VPN.
>
> The target machine is a VMware host (ESXi) and getting information from
> it is virtually (pun intended) impossible.
>
While IKE/IPsec is capable of using IP protocol and port selectors when
defining security policies and negotiating security associations, most
VPN clients only have granularity down to the IP address level. The
reason for this is simple. Routes are typically used to influence which
local address is used to source traffic. Basic route tables don't take
the IP protocol, source IP or port information into consideration. They
only care about the destination address. This makes it very difficult for a
client to force ssh traffic over IPsec but allow http traffic over your
local internet connection when the destination IP is the same for both
TCP sessions.

In other words, if you can connect to the host using ssh, http and
https, I can't imagine why you wouldn't be able to connect to any other
port on the same host ... unless it's being blocked by the VPN gateway
firewall policy or an intermediary firewall policy.
Hope this helps,
-Matthew
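A practical way to act on Matthew's answer is to probe the known-good ports (22, 80, 443) and the monitoring product's port against the same VPN-side host and compare how each attempt fails. The script below is an added example, not code from the list or from Shrew Soft; it distinguishes a completed handshake, an RST (the host is reachable through the tunnel but nothing listens there) and a silent timeout (the usual sign of a VPN gateway or intermediary firewall dropping the port). The host and port list in the `__main__` demo are constructed localhost values so that it runs offline; `target_host` and the monitoring port are placeholders the page does not name.

```python
import socket
from typing import Dict, Iterable


def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect to host:port and classify the outcome.

    'open'      - TCP handshake completed: traffic to this port crosses the tunnel.
    'refused'   - the host replied with RST: packets reach the host, nothing is listening.
    'filtered'  - no reply before the timeout: something on the path is dropping the port,
                  typically the VPN gateway firewall policy or an intermediary firewall.
    'error:<n>' - local failure (no route, DNS, etc.), reported with its errno.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return f"error:{exc.errno}"


def probe_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Classify every port in `ports` against one host; returns {port: verdict}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def explain(results: Dict[int, str], reference_ports: Iterable[int]) -> str:
    """Summarise the comparison Matthew suggests: if the reference ports (ssh/http/https)
    are 'open' and the port under test is 'filtered', a firewall policy is the likely cause;
    if it is 'refused', the tunnel carries it and the service itself is not listening."""
    ref = [results[p] for p in reference_ports if p in results]
    others = {p: v for p, v in results.items() if p not in set(reference_ports)}
    if ref and all(v == "open" for v in ref):
        if any(v == "filtered" for v in others.values()):
            return "reference ports open, test port filtered: check VPN gateway / intermediary firewall policy"
        if any(v == "refused" for v in others.values()):
            return "reference ports open, test port refused: tunnel passes it, service not listening on target"
        return "all probed ports open"
    return "reference ports not all reachable: VPN routing/tunnel problem, not a per-port block"


def start_local_listener() -> socket.socket:
    """Constructed helper for the offline demo: a listening socket on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # Offline demo on localhost (constructed values). Against a real VPN target you would call
    # probe_ports(target_host, [22, 80, 443, monitoring_port]) with the VPN-side address.
    srv = start_local_listener()
    open_port = srv.getsockname()[1]
    demo = probe_ports("127.0.0.1", [open_port])
    srv.close()
    demo.update(probe_ports("127.0.0.1", [open_port + 1]))  # most likely nothing listens here
    for port, verdict in sorted(demo.items()):
        print(f"127.0.0.1:{port} -> {verdict}")
    print(explain(demo, [open_port]))
```

Run it from the machine with the Shrew client up, pointing at the VPN-side address of the ESXi host; a "filtered" verdict on the monitoring port next to "open" verdicts on 22, 80 and 443 confirms the per-port block the reply describes, and "refused" instead means the tunnel is not the problem.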