I've got an ASA 5505 set up as an IPSec-VPN server. The VPN client is able to connect okay and can initiate TCP sessions with hosts on the corporate network. But those hosts cannot initiate TCP sessions with the client; the ASA rejects their packets instead of sending them through the encrypted tunnel.
This sounds like a firewall configuration problem. But the ASA is not set up to firewall VPN connections at all, as far as I can tell.
Can anyone explain what's wrong or where I should look?