How to open ports on Cisco ASA from off site through VPN connection

Posted on 2011-05-05
Last Modified: 2012-05-11
I have an ASA setup and when I am off-site and I connect to the ASA via Cisco VPN Client, I cannot connect to certain software packages that require connections using specific ports, plus if I run a tracert, I get no response at each hop, just the IP I am running the tracert on. Is there some setting I need to enter on the ASA to allow me to set up VPN so that anyone off-site can run all software packages like they were on-site and that I can get responses from all hops via a tracert command?
Question by:Greg27

    Accepted Solution

    Once the VPN connection is established, there are two possibilities: either all traffic is tunnelled through the VPN (including Internet traffic), or only specified traffic is tunnelled, if split-tunnel and split-dns are configured for the VPN tunnel (on the ASA site). In both cases the communication on all TCP and UDP ports to a tunnelled IP address goes through the VPN – that means there is no need to open an additional port on the firewall.

    If you are doing tracert to an internal IP address through the VPN, you will not see any internet hop, again, because the traffic is tunnelled.

    Maybe the only missing command on the ASA is: same-security-traffic permit intra-interface

    Assisted Solution

    Is the traffic routed on the main site? Then you will have problems if you have not created NAT rules for the traffic. Can you help us out with a description of the following:
    From IP (VPN assigned):?
    To IP (server):
    Running config from the ASA:
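
The settings the two answers above refer to (split tunnelling, NAT rules for the VPN traffic, and the intra-interface command), shown together as an added example configuration that is not from the original thread. It assumes ASA 8.3 or later NAT syntax; the object names, the group-policy name, the interface names and all addresses are constructed placeholders.

```cisco
! Constructed example; names and subnets are placeholders, not from the thread.
! Assumed: inside LAN 192.168.10.0/24, VPN client pool 192.168.50.0/24.

object network INSIDE-LAN
 subnet 192.168.10.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.50.0 255.255.255.0

! Split tunnel: only traffic to the listed network enters the tunnel.
! Without these lines the client tunnels everything, Internet traffic included.
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0
group-policy REMOTE-VPN-GP internal
group-policy REMOTE-VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! NAT exemption (identity NAT) so LAN <-> VPN pool traffic is not translated.
! A missing exemption is a common reason tunnelled sessions fail on every port.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL

! Default behaviour: decrypted VPN traffic bypasses interface ACLs, which is
! why no per-port "opening" is needed. If clients should reach only specific
! ports, restrict them with a vpn-filter ACL in the group policy.
sysopt connection permit-vpn

! Permit traffic that enters and leaves the same interface (hairpinning),
! needed for client-to-client traffic or Internet access in full-tunnel mode.
same-security-traffic permit intra-interface
```

On software older than 8.3 the NAT exemption is written with `nat (inside) 0 access-list` instead of the object-based statement shown here.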

    Author Closing Comment

    Thanks for the help guys. I no longer have access to the firewall, so I cannot go any further with this issue, but I wanted to reward you both for the help. I am just not adding it to the knowledge base.
