Vendor Internet access from separate DMZ

wilson_1234_2
Level 3

I have an asa5510 that we created a separate DMZ for vendors to have internet access when they are in the building.

We have http, https, dns and isakmp allowed outbound on this DMZ.

We have used it before with no problem, but one vendor came in and needed access to his VPN connection.

They asked for port 10000 allowed outbound.

This was allowed, the cisco client established a connection and requested his user name and password.

When this was entered, the padlock closed and looked like an established connection.

After about a minute, the client closes the connection saying the remote host is no longer responding.

If the tunnel is created via the client, do I need any additional lines allowed for specific networks he needs to get to, or should everything be allowed via the established VPN connection?

2 Replies

Jon Marshall
Hall of Fame

Richard

"if the tunnel is created via the client, do I need any additional lines allowed for specific networks he needs to get to, or should everything be allowed via the established VPN connection?"

So the client was establishing a VPN from his laptop through the firewall to his company's network?

If so, once the tunnel is created all traffic should be allowed via the tunnel, i.e. in effect you are punching a hole through your firewall. The firewall only sees IPSEC traffic; it does not know about the remote networks as they will be tunneled through the VPN.

Are you NATing source addresses as they go through the firewall?

Jon
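As an added example (not posted in this thread), this is what the outbound ACL on such a vendor DMZ looks like on an ASA when the DMZ sources are NATed, as the poster describes: only the IKE/NAT-T/ESP transport and the web/DNS ports need entries, and the vendor's remote networks never appear because they ride inside the tunnel. The interface name `vendor_dmz` and the ACL name `VENDOR_DMZ_OUT` are assumed placeholders.

```cisco
! Added example, not the poster's running config. Interface "vendor_dmz" and
! ACL "VENDOR_DMZ_OUT" are placeholder names.
object-group service VENDOR_WEB tcp
 port-object eq www
 port-object eq https
! The ports the thread already permits: http, https and dns.
access-list VENDOR_DMZ_OUT extended permit tcp any any object-group VENDOR_WEB
access-list VENDOR_DMZ_OUT extended permit udp any any eq domain
! IKE/ISAKMP control channel (UDP 500), also already permitted in the thread.
access-list VENDOR_DMZ_OUT extended permit udp any any eq isakmp
! NAT traversal: when the client detects NAT in the path it moves IKE and the
! encapsulated ESP to UDP 4500, because native ESP carries no ports and cannot
! be PATed. Needed for a NATed DMZ unless IPsec over TCP is used instead.
access-list VENDOR_DMZ_OUT extended permit udp any any eq 4500
! Cisco IPsec-over-TCP encapsulation: the "port 10000" the poster opened.
access-list VENDOR_DMZ_OUT extended permit tcp any any eq 10000
! Native ESP for the un-NATed case; harmless to keep alongside NAT-T.
access-list VENDOR_DMZ_OUT extended permit esp any any
! No entries for the vendor's remote networks: the ASA only ever sees the
! IKE, NAT-T and ESP packets above, never the flows carried inside them.
access-group VENDOR_DMZ_OUT in interface vendor_dmz
```

Checking the ACL hit counters with `show access-list VENDOR_DMZ_OUT` while the client connects shows which of the transport entries the tunnel is actually using.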

Thanks Jon,

Yes, it is being NATed.

It has worked for others, and I figured what you posted was correct, but just wanted to make sure I was not missing anything.

I suspect it is on their end.
