Site to Site VPN: Need to open port for AVG virus software

Feb 20th, 2009

I replaced my NetGear FVS338 with an ASA 5505 on my web server network. So now I have an ASA 5505 on both of my networks.

Exchange server:

Web Server:

Site to Site VPN is working.

RDP (Remote desktop) is working.

AVG Virus software manager on can't update definition files on

AVG requires TCP 6150, TCP 135 and UDP 135 ports.

I never had to open any ports on the NetGear VPN tunnel.

But I assume since it's not working, I need to do this on the ASA 5505.

I've tried different NAT and Firewall port configurations and none have worked.

Any help would be greatly appreciated.

I mostly use ASDM, but I can use the command line if I have to.



Ivan Martinon (Cisco Employee) Fri, 02/20/2009 - 15:27

By default all ports should be opened on your ASA when you define a VPN site-to-site tunnel, unless of course the command "sysopt connection permit-vpn" is off. If you do not have that off, then try to gather some logs on both firewalls, making sure those are captured when the update is performed; we should see if the ASA is blocking anything.

daniel8751 Fri, 02/20/2009 - 15:40

Thanks for your response.

sysopt connection permit-vpn

How do I know if this is off?

I searched my running config and don't see anything about sysopt. Does that mean it's on?

Is there an example of what the line would look like in the running config or where I would go in ASDM to see if it's on or not?


Ivan Martinon (Cisco Employee) Fri, 02/20/2009 - 15:43

The fact that you don't see it means that it is on by default. Check "show run all sysopt"; you should see it now.
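
The check described in this reply, as an added example that is not part of the original thread: a Python sketch that reads saved ASA config text and reports whether "sysopt connection permit-vpn" is on, treating a missing line in plain "show run" output as the default-on case. The function names and the sample configs are constructed for illustration.

```python
import re

# "no " prefix = disabled. The bare line only appears in "show run all" output,
# because plain "show run" hides settings that are still at their default.
_PERMIT_VPN = re.compile(
    r"^[ \t]*(no[ \t]+)?sysopt[ \t]+connection[ \t]+permit-vpn[ \t\r]*$", re.M)

def permit_vpn_state(config_text):
    """Return (enabled, source); source is 'explicit' or 'default'."""
    matches = _PERMIT_VPN.findall(config_text)
    if not matches:
        return True, "default"          # line absent: default is on
    return matches[-1] == "", "explicit"  # last occurrence wins

def audit(configs):
    """configs maps a device label to its saved config text."""
    findings = []
    for name, text in sorted(configs.items()):
        enabled, source = permit_vpn_state(text)
        if enabled:
            note = "decrypted tunnel traffic bypasses interface ACLs"
        else:
            note = "interface ACLs must permit the tunnel traffic"
        state = "ON" if enabled else "OFF"
        findings.append(f"{name}: permit-vpn {state} ({source}); {note}")
    return findings

# Constructed sample inputs (not taken from the poster's devices).
SHOW_RUN = "hostname asa-example\ninterface Vlan1\n nameif inside\n"
SHOW_RUN_ALL_SYSOPT = (
    "no sysopt connection timewait\n"
    "sysopt connection tcpmss 1380\n"
    "sysopt connection permit-vpn\n")
DISABLED = "hostname asa-example\nno sysopt connection permit-vpn\n"

if __name__ == "__main__":
    for line in audit({"plain-show-run": SHOW_RUN,
                       "show-run-all": SHOW_RUN_ALL_SYSOPT,
                       "disabled": DISABLED}):
        print(line)
```
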

daniel8751 Fri, 02/20/2009 - 19:24

Thanks - I figured it out - was a rights issue on the Exchange Server - nothing to do with firewall.

Once I knew it wasn't the firewall, made it a lot easier to find.

