Solved

Cisco ASA IPSec VPN - Is port forwarding needed?

Posted on 2014-12-17
1
235 Views
Last Modified: 2014-12-19
I have a Cisco ASA 5525 which serves only to provide IPSec VPN services to an outside business client.  There is one tunnel and all traffic is allowed.  The external interface of the ASA has a private IP address on it.  We have a router connected to the ISP that NAT's it's public IP to the ASA's external interface.  So the firewall's external interface appears as this ISP public IP.

The client needs to access hardware devices on the ASA's internal interface (192.168.97.0/24).  These hardware devices listen on port 5015.  The client cannot connect to the devices using the 192.168.97.x addresses across the VPN tunnel.  Do I need to do some sort of port forwarding (NAT) from the external ISP address to the ASA's internal network?  Shouldn't the client be able to see the hardware devices on the ASA's internal interface and access them via their private IP addresses? (We can access their servers across the VPN going the other way even though they have 10.x.x.x addresses)

Hopefully I'm not making this sound more complicated than it is.  Please feel free to ask clarifying questions.

I really need to solve this problem ASAP so thanks in advance for your assistance!!
0
Comment
Question by:CipherUser
1 Comment
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40506679
NAT and routing are set up correctly, otherwise traffic would not flow at all. At least if the tunnel is up, no matter which partner starts communication.
It looks like one or both of the firewall/VPN devices blocks traffic initiated by your business client.
For Windows clients with active Windows Firewall,  you'll need to allow the remote network addresses too.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question