ASA configuration - Blocked ports

bberry · ‎02-08-2017

I have an ASA that has been in production for quite a while and been working well with our users and vendors. I have a new PLC vendor that is saying they are having issues when using the VPN to connect to their equipment. They can physically connect to everything but apparently have an HMI devices that they are unable to access. This is how they are trying to describe the issue to me...

It is working now. I can connect to the PLC of all three cranes.

What’s still not working is the remote HMI.

This has never been working here in Austria. It used to work from the hotel, or the airport, or while I was still in the US

TCP Port 102, 8000-8030, 80, 441, 5355(multicast), 1900(multicast) ; FTP Port: 20,21 should not be blocked anywhere.

I am trying to see if there MAY be something blocked on the ASA on this end. I have never configured anything that I can remember by port unless it was left for the person before me. The access-list just list the IP addresses they have access to and nothing else.

Any ideas on what I can check on this end or have them check on their end? Are there any limitations in regards to maybe ports that can be placed onto the VPN tunnel? If it worked at the hotel or airport here in the states could this be something that needs to be tweaked on the firewall at thir home company?

mickyq · ‎02-09-2017

I dont think the geo location will have any affect on connection. Its probably more to to with how they connect. Are they using the same device to connect from Austria as the were from other locations or are they on a LAN behind a firewall.

try a packet capture on the ASA.

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer