Cisco Support Community

New Member

Vendor Internet access from separate DMZ

I have an ASA 5510 on which we created a separate DMZ for vendors to have internet access when they are in the building.

We have http, https, dns and isakmp allowed outbound on this DMZ.

We have used it before with no problem, but one vendor came in and needed access to his VPN connection.

They asked for port 10000 to be allowed outbound.

This was allowed, the Cisco client established a connection and requested his user name and password.

When this was entered, the padlock closed and looked like an established connection.

After about a minute, the client closes the connection saying the remote host is no longer responding.

If the tunnel is created via the client, do I need any additional lines allowed for specific networks he needs to get to, or should everything be allowed via the established VPN connection?

2 REPLIES
Hall of Fame Super Blue

Re: Vendor Internet access from separate DMZ

Richard

"if the tunnel is created via the client, do I need any additional lines allowed for specific networks he needs to get to, or should everything be allowed via the established VPN connection?"

So the client was establishing a VPN from his laptop through the firewall to his company's network?

If so, once the tunnel is created all traffic should be allowed via the tunnel, i.e. in effect you are punching a hole through your firewall. The firewall only sees IPSEC traffic; it does not know about the remote networks as they will be tunneled through the VPN.

Are you NATing source addresses as they go through the firewall?

Jon
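The outbound rule set the thread describes, written out as an added ASA configuration example (not from the thread or from Cisco documentation). Interface name, DMZ subnet and the vendor's VPN headend address are assumptions; it goes beyond the post by also permitting NAT-T (udp/4500) and ESP, which an IPsec client uses once the isakmp exchange completes, and by scoping the VPN rule to the one peer rather than "any".

```cisco
! Assumed names and addresses (not from the thread):
!   interface nameif "vendor-dmz", subnet 192.0.2.0/24
!   vendor's VPN headend 203.0.113.5 (use the real peer to keep the rule narrow)
!
! Services an IPsec remote-access client needs on the way out. The thread
! opened isakmp and 10000 (Cisco IPsec-over-TCP/UDP); NAT-T (udp/4500) and
! ESP are added because the data path moves to them after phase 1 completes.
object-group service VENDOR-VPN-OUT
 service-object udp destination eq isakmp
 service-object udp destination eq 4500
 service-object esp
 service-object tcp destination eq 10000
 service-object udp destination eq 10000

! Ordinary browsing and name resolution, as already allowed on the DMZ
object-group service VENDOR-WEB-OUT
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq domain
 service-object tcp destination eq domain

! Vendor DMZ -> outside only; the explicit logged deny keeps the DMZ
! off the inside networks and shows what the client tried and was refused
access-list VENDOR-DMZ-IN extended permit object-group VENDOR-VPN-OUT 192.0.2.0 255.255.255.0 host 203.0.113.5
access-list VENDOR-DMZ-IN extended permit object-group VENDOR-WEB-OUT 192.0.2.0 255.255.255.0 any
access-list VENDOR-DMZ-IN extended deny ip any any log
access-group VENDOR-DMZ-IN in interface vendor-dmz

! If the DMZ is PATed behind one public address, plain ESP has no port to
! translate on; let the ASA tie ESP flows to the client's ISAKMP session instead
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

! Checks: simulate each leg the client will use and confirm the result is ALLOW
packet-tracer input vendor-dmz udp 192.0.2.10 500 203.0.113.5 500
packet-tracer input vendor-dmz udp 192.0.2.10 4500 203.0.113.5 4500
packet-tracer input vendor-dmz rawip 192.0.2.10 50 203.0.113.5
! ...and watch the client's flows while the tunnel is up
show conn address 192.0.2.10
```

If the isakmp leg passes but the NAT-T or ESP leg is dropped in packet-tracer, the tunnel will authenticate and then go quiet, which is worth ruling out before assuming the fault is at the far end.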

New Member

Re: Vendor Internet access from separate DMZ

Thanks Jon,

Yes, it is being NATed.

It has worked for others, and I figured what you posted was correct, but I just wanted to make sure I was not missing anything.

I suspect it is on their end.
