csanburn
Novice
Posts: 8
Liked: never
Joined: Nov 05, 2009 3:28 pm
Full Name: Chris Sanburn
Contact:

Veeam firewall requirements

Post by csanburn »

I'm revisiting an issue I had before with replicating across a WAN. I can replicate to my target ESX server from within my own network just fine. But when I try from off site locations it fails:

Cannot connect to server [ip-of-veeam-server:2500]

I'm using this in my ASA firewall to allow all possible ports that I thought Veeam would need. It allows me to add the server and connect to it, but the above error occurs after about 5 minutes. An 8mb file is created on the target vmware server.


access-list outside_in extended permit tcp any host 1.2.3.4 eq ssh
access-list outside_in extended permit tcp any host 1.2.3.4 eq netbios-ssn
access-list outside_in extended permit udp any host 1.2.3.4 eq netbios-ns
access-list outside_in extended permit udp any host 1.2.3.4 eq netbios-dgm
access-list outside_in extended permit tcp any host 1.2.3.4 eq 445
access-list outside_in extended permit tcp any host 1.2.3.4 eq 135
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2500
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2501
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2502
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2503
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2504
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2505
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2506
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2507
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2508
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2509
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2510
access-list outside_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_in extended permit udp any host 1.2.3.4 eq 2500
access-list outside_in extended permit udp any host 1.2.3.4 eq 2501
access-list outside_in extended permit udp any host 1.2.3.4 eq 2502
access-list outside_in extended permit udp any host 1.2.3.4 eq 2503
access-list outside_in extended permit udp any host 1.2.3.4 eq 2504
access-list outside_in extended permit udp any host 1.2.3.4 eq 2505
access-list outside_in extended permit udp any host 1.2.3.4 eq 2506
access-list outside_in extended permit udp any host 1.2.3.4 eq 2507
access-list outside_in extended permit udp any host 1.2.3.4 eq 2508
access-list outside_in extended permit udp any host 1.2.3.4 eq 2509
access-list outside_in extended permit udp any host 1.2.3.4 eq 2510

static (inside,outside) 1.2.3.4 10.1.0.51 netmask 255.255.255.255

Anyone see if I have anything missing from the ports list? I didn't think UDP was required but I added for testing to see if it helped, and it didn't.
ebernard
Influencer
Posts: 10
Liked: never
Joined: Jan 01, 2006 1:01 am
Full Name: Emmanuel Bernard
Location: France
Contact:

Re: Veeam firewall requirements

Post by ebernard »

Csanburn,

It seems that required ports are open: 22, 443, and at least 2500 (for one concurrent job).

Have you tried to open an SSH session, or one on port 2500, within the Veeam backup installation using PuTTY, for example?
Please do it and tell us the result; it's just to check whether you get the same error message.


Thanks
Emmanuel
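
Added example, not part of the thread and not Veeam or Cisco code: a small Python audit that compares the ASA permits from the first post with the ports named in the reply above, and lists what is exposed beyond them. The required set (TCP 22, 443 and 2500-2510) is an assumption drawn from this thread, and `parse_rule` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample: a subset of the access-list lines from the first post.
SAMPLE_ACL = """\
access-list outside_in extended permit tcp any host 1.2.3.4 eq ssh
access-list outside_in extended permit tcp any host 1.2.3.4 eq netbios-ssn
access-list outside_in extended permit tcp any host 1.2.3.4 eq 445
access-list outside_in extended permit tcp any host 1.2.3.4 eq 135
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2500
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2510
access-list outside_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_in extended permit udp any host 1.2.3.4 eq 2500
"""

# ASA service keywords used in the thread, mapped to port numbers.
NAMED_PORTS = {"ssh": 22, "https": 443, "netbios-ns": 137,
               "netbios-dgm": 138, "netbios-ssn": 139}

# Assumption: TCP 22, 443 and 2500-2510 are what replication needs,
# per the reply (22, 443, 2500) and the ESX FastSCP range 2500:2510.
REQUIRED_TCP = {22, 443} | set(range(2500, 2511))

RULE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+(tcp|udp)\s+"
                  r"(any|host\s+\S+)\s+host\s+(\S+)\s+eq\s+(\S+)$")

def parse_rule(line):
    """Return (proto, source, dest, port) for one permit line, else None."""
    m = RULE.match(line.strip())
    if not m:
        return None
    proto, src, dst, svc = m.groups()
    # Unknown service names resolve to None and get flagged by audit().
    port = NAMED_PORTS.get(svc, int(svc) if svc.isdigit() else None)
    return proto, src, dst, port

def audit(acl_text):
    """List (line, reason) for permits that go beyond the required TCP set."""
    findings = []
    for line in acl_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        proto, src, _dst, port = rule
        if proto == "udp":
            findings.append((line, "udp not required"))
        elif port not in REQUIRED_TCP:
            findings.append((line, "tcp port not required"))
        elif src == "any":
            findings.append((line, "required port open to any source"))
    return findings
```

Run against the full list, the findings separate the rules that can be dropped (UDP, NetBIOS, 445, 135) from the ones that should keep their port but have `any` replaced by the remote sites' addresses.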

Re: Veeam firewall requirements

Post by csanburn »

I was able to open an ssh session with port 22 to my target ESX server. If I understood correctly I was to use putty to try and open an ssh session using port 2500 as well, which I tried and got a connection refused message.

PuTTY Fatal Error
Network error: Connection refused

But I also get that error when trying to ssh to port 2500 from the local network, where a replication job works fine.

And an esxcfg-firewall -q gave this:

Chain INPUT (policy ACCEPT 99275 packets, 98M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 94086 packets, 97M bytes)
pkts bytes target prot opt in out source destination


Neither incoming nor outgoing blocked by default
Enabled services: CIMSLP VCB swISCSIClient CIMHttpsServer vpxHeartbeats sshServer webAccess CIMHttpServer

Opened ports:
FastSCP : port 2500:2550 tcp.in tcp.out
FastSCP : port 2500:2510 tcp.in tcp.out
veeamAgent : port 2501 tcp.out
Added Iprules:

Re: Veeam firewall requirements

Post by csanburn »

Well, unless I can find something else to try and get this to work, it looks like the boss is wanting to try another backup solution. Neither Veeam tech support nor our vendor's tech support has been able to find a solution.