09-15-2009 12:44 PM - edited 03-11-2019 09:15 AM
I have an ASA 5510 on which we created a separate DMZ for vendors to have internet access when they are in the building.
We have HTTP, HTTPS, DNS and ISAKMP allowed outbound on this DMZ.
We have used it before with no problem, but one vendor came in and needed access to his VPN connection.
They asked for port 10000 to be allowed outbound.
This was allowed, the Cisco client established a connection and requested his user name and password.
When this was entered, the padlock closed and it looked like an established connection.
After about a minute, the client closes the connection, saying the remote host is no longer responding.
If the tunnel is created via the client, do I need any additional lines allowed for the specific networks he needs to get to, or should everything be allowed via the established VPN connection?
09-15-2009 03:51 PM
Richard
"if the tunnel is created via the client, do I need any additional lines allowed for specific networks he needs to get to, or should everything be allowed via the established VPN connection?"
So the client was establishing a VPN from his laptop through the firewall to his company's network?
If so, once the tunnel is created all traffic should be allowed via the tunnel, i.e. in effect you are punching a hole through your firewall. The firewall only sees IPsec traffic; it does not know about the remote networks, as they will be tunneled through the VPN.
Are you NATing source addresses as they go through the firewall?
Jon
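As an added example (not the poster's configuration and not part of the original thread), here is what a vendor-DMZ policy on an ASA with 8.2-style NAT looks like when it has to pass a Cisco VPN client through to a remote IPsec gateway. The interface name vendor-dmz, the subnet 192.168.50.0/24, the object-group and ACL names are all assumptions. It allows the encapsulations the Cisco client can use (ISAKMP on UDP/500, NAT-T on UDP/4500, Cisco IPsec over UDP on UDP/10000) plus plain ESP, and it shows Jon's point in config form: there are no rules for the vendor's internal networks, because the firewall never sees the inner, tunneled traffic. The one caveat worth adding is that plain ESP has no port numbers, so when the DMZ is hidden behind the outside address with PAT the client must come up with NAT-T or IPsec over UDP, or the ASA needs ipsec-pass-thru inspection to tie ESP to the ISAKMP session.

```cisco
! Added example, not the poster's config. Interface name, subnet,
! object-group and ACL names are assumed.
! Vendor DMZ: 192.168.50.0/24 on interface "vendor-dmz".
interface Ethernet0/2
 nameif vendor-dmz
 security-level 10
 ip address 192.168.50.1 255.255.255.0
!
! UDP services the Cisco VPN client may use to reach a remote IPsec gateway:
!   UDP/500   ISAKMP (IKE)
!   UDP/4500  NAT-T
!   UDP/10000 Cisco IPsec over UDP (what the vendor asked for)
object-group service VPN-CLIENT-UDP udp
 port-object eq isakmp
 port-object eq 4500
 port-object eq 10000
!
! Outbound policy for the vendor DMZ: web, DNS and the VPN encapsulations.
access-list VENDOR-DMZ-OUT extended permit udp 192.168.50.0 255.255.255.0 any eq domain
access-list VENDOR-DMZ-OUT extended permit tcp 192.168.50.0 255.255.255.0 any eq www
access-list VENDOR-DMZ-OUT extended permit tcp 192.168.50.0 255.255.255.0 any eq https
access-list VENDOR-DMZ-OUT extended permit udp 192.168.50.0 255.255.255.0 any object-group VPN-CLIENT-UDP
! Plain ESP (IP protocol 50), only used if the client negotiates native IPsec.
! ESP carries no ports, so it will not survive PAT unless ipsec-pass-thru
! inspection (below) is enabled.
access-list VENDOR-DMZ-OUT extended permit esp 192.168.50.0 255.255.255.0 any
! No entries for the vendor's remote networks: that traffic rides inside the
! tunnel and the ASA only ever sees the encapsulated UDP/ESP packets above.
access-group VENDOR-DMZ-OUT in interface vendor-dmz
!
! 8.2-style NAT: hide the vendor DMZ behind the outside interface address (PAT).
global (outside) 1 interface
nat (vendor-dmz) 1 192.168.50.0 255.255.255.0
!
! Let ESP through the PAT by associating it with the client's ISAKMP session.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
!
! Checks to run while the client is connected:
!   show conn protocol udp port 10000   (or 4500 / 500): is the UDP session built?
!   show xlate                          : is the laptop's address being translated?
!   show access-list VENDOR-DMZ-OUT     : are hit counts climbing on the VPN lines?
```

If the ISAKMP session shows up in show conn but nothing on UDP/4500 or UDP/10000 ever appears and there is no ESP pass-through, the client has completed IKE but has no working data path, which is the kind of situation where the padlock closes and the session later drops.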
09-16-2009 03:24 AM
Thanks Jon,
Yes, it is being NATed.
It has worked for others, and I figured what you posted was correct, but I just wanted to make sure I was not missing anything.
I suspect it is on their end.