We are in the process of installing Cisco ASA 5540s (that will replace some VPN 3030s) and I have a question regarding access-lists.
Our remote access users are connecting to the ASAs using Cisco VPN Clients (version 4.8.02.0010). We are running version 8.0(4) on the ASAs.
We have the following ACL applied to the group that prevents access to the local internal subnet, but allows traffic to everything else.
access-list Group-Filter remark [ Filter for VPN Clients accessing internal networks ]
access-list Group-Filter extended deny ip any 10.10.10.0 255.255.255.0
access-list Group-Filter extended permit ip any any
We have enabled the default "sysopt connection permit-vpn", so that the VPN client traffic should bypass the interface ACL.
My question is why dropped packets are still indicated in the inbound outside access list that looks as follows:
access-list outside_access_in remark [ External interface access to internal networks ]
access-list outside_access_in extended deny ip any any log
When I establish a new connection from the VPN client to an internal host the counter is increased. If I continue to access the same server no additional packets are dropped by the access list. If I then connect to a new server another packet is dropped, and so on.
Also, even if I enable debugging logging I am not able to see the dropped packets in the log. I only see the access list count increase.
I would very much appreciate if someone could explain this and if there is a fix so that no packets are dropped!
Thanks in advance for your help!