?
Solved

Cisco ASA IPSec VPN - Is port forwarding needed?

Posted on 2014-12-17
1
Medium Priority
?
249 Views
Last Modified: 2014-12-19
I have a Cisco ASA 5525 which serves only to provide IPSec VPN services to an outside business client.  There is one tunnel and all traffic is allowed.  The external interface of the ASA has a private IP address on it.  We have a router connected to the ISP that NAT's it's public IP to the ASA's external interface.  So the firewall's external interface appears as this ISP public IP.

The client needs to access hardware devices on the ASA's internal interface (192.168.97.0/24).  These hardware devices listen on port 5015.  The client cannot connect to the devices using the 192.168.97.x addresses across the VPN tunnel.  Do I need to do some sort of port forwarding (NAT) from the external ISP address to the ASA's internal network?  Shouldn't the client be able to see the hardware devices on the ASA's internal interface and access them via their private IP addresses? (We can access their servers across the VPN going the other way even though they have 10.x.x.x addresses)

Hopefully I'm not making this sound more complicated than it is.  Please feel free to ask clarifying questions.

I really need to solve this problem ASAP so thanks in advance for your assistance!!
0
Comment
Question by:CipherUser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 70

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 40506679
NAT and routing are set up correctly, otherwise traffic would not flow at all. At least if the tunnel is up, no matter which partner starts communication.
It looks like one or both of the firewall/VPN devices blocks traffic initiated by your business client.
For Windows clients with active Windows Firewall,  you'll need to allow the remote network addresses too.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses
Course of the Month10 days, 23 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question