I am facing a weird problem with one of our VPN tunnels. We have around 10 tunnels configured on our ASA 5520. Specific hosts are allowed in the interesting traffic from both ends and are able to ping each other. But they are unable to telnet on some specific ports: TCP/3389, TCP/53, TCP/389, TCP/445, etc. I have tried giving IP access in the crypto access-list but had no luck.
The issue got resolved after applying a normal port-based access-list on the inside interface, which means access is working through the normal access-list instead of the crypto access-list. For the other tunnels we have not applied any access-list on the inside interface, but they are still working fine.
What could be the issue? Do these ports require special access? Our OS version is 8.3(2), in which we do not require the NAT 0 command for VPN tunnels.
A quick turnaround will be much appreciated.
Thanks in advance.
It seems you need to add inspection of traffic for
TCP/3389, TCP/53, TCP/389, TCP/445.
Thanks for your reply. I have tried enabling the ils (tcp/389) port but am still unable to telnet after removing the access-list on the inside interface. Also, is there any way I can modify the default global_policy?
For inspecting your traffic, in global_policy follow this template:
match port tcp eq
The policy-map global_policy must already exist and the "service-policy global_policy global" command must be present in the config.
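The template above filled in for the one port in the thread that actually has an ASA inspection engine, TCP/389 (ILS). This is an added example, not configuration posted by either participant; the class-map name "ils-389" is a hypothetical name chosen here, and it assumes the default global_policy and its global service-policy are already present, as the reply says they must be.

```cisco
! Added example (not from the original thread): extend the default
! global_policy so that ILS/LDAP traffic on TCP/389 is inspected.
! "ils-389" is a hypothetical class-map name chosen for this example.
!
! 1. Match the traffic by port with a Layer 3/4 class map.
class-map ils-389
 match port tcp eq 389
!
! 2. Attach the class to the existing global_policy and apply the
!    inspection engine. "inspect" only accepts protocols for which the
!    ASA has an engine (dns, ils, ...); there is no engine for TCP/3389
!    (RDP) or TCP/445 (SMB), so those ports cannot be inspected this way.
policy-map global_policy
 class ils-389
  inspect ils
!
! 3. global_policy must already be applied globally (true by default).
service-policy global_policy global
!
! Verify the policy is in the running config and being hit:
show running-config policy-map
show service-policy global
```

Check `show service-policy global` before and after a test connection: if the packet counters for the new class do not move, the traffic is not reaching the inspection at all, which points back at the access-list or crypto map rather than at inspection.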