I'm having issues with traffic between two sites connected 5505 to 5505 (lan to lan) ipsec tunnel. 99% of the traffic over the tunnel seems good, with one exception. When a PC on Site A tries to access a web-based (Java embedded) management tool for an IP_PBX at site B, some of the traffic is not making it, resulting in a strange error. The client PC can ping and hit port 80 to bring up the web GUI, gets prompted for the Java download, and loads the web-embedded Java app. The Java app itself (a CLI terminal, as if you were just telneting in) gives an error like it can't connect properly to the IP_PBX. We have other sites where the ipsec tunnel is between two 2800's and there are NO issues. The IP_PBX provider is suggesting we open up port 2000. I'm personally not familiar enough with the ASA's to understand why it would be blocking only certain ports on an ipsec tunnel. I'm especially confused since there is no NAT'ing involved with the traffic crossing this 5505 to 5505 ipsec tunnel.
Any suggestions would be greatly appreciated,
I can post configs if needed, but thought someone might already be familiar with this issue.
What about testing with the ACL I mentioned:
access-list test2000 permit tcp any host x.x.x.x eq 2000
access-list test2000 permit udp any host x.x.x.x eq 2000
access-list test2000 permit ip any any
access-group test2000 out interface inside
The idea is to check if the ASA is forwarding the traffic to x.x.x.x on port 2000 outbound towards the inside network.
If you see hitcounts on the first statements, the ASA is indeed forwarding the packets and the problem might be with the server itself or with the return traffic.
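As an added example, not from this thread, here is a small Python helper that reads `show access-list test2000` output from the ASA and applies the hit-count check described above. The sample output, the host address and the hash values are constructed for illustration.

```python
import re

# Constructed sample of `show access-list test2000` output (addresses,
# hit counts and hashes are made up; the line layout follows the ASA format).
SAMPLE_SHOW_ACCESS_LIST = """\
access-list test2000; 3 elements; name hash: 0x1a2b3c4d
access-list test2000 line 1 extended permit tcp any host 192.0.2.10 eq 2000 (hitcnt=17) 0x0badf00d
access-list test2000 line 2 extended permit udp any host 192.0.2.10 eq 2000 (hitcnt=0) 0xdeadbeef
access-list test2000 line 3 extended permit ip any any (hitcnt=48213) 0xcafebabe
"""

# One access-control entry (ACE) per line; the summary line has no "line N".
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(output):
    """Return one dict per ACE: line number, protocol, match text and hit count."""
    aces = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append({
                "line": int(m.group("line")),
                "proto": m.group("proto"),
                "match": m.group("rest"),
                "hits": int(m.group("hits")),
            })
    return aces


def diagnose(aces, port):
    """Apply the reply's logic: hits on the port-specific entries mean the ASA
    is forwarding that traffic out the inside interface, so look at the server
    or the return path; zero hits mean the traffic never got this far."""
    specific = [a for a in aces if a["match"].endswith(f"eq {port}")]
    hit = [a for a in specific if a["hits"] > 0]
    if hit:
        protos = ", ".join(a["proto"] for a in hit)
        return ("forwarding", f"port {port} ({protos}) matched on the inside interface")
    return ("not forwarding", f"no hits on port {port}; traffic never reached the inside interface")
```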