ASA 5520 8.0(4) port based vpn acl not working

Answered Question
Feb 2nd, 2009

Hi all,

I have a problem with an ASA (5520 8.0(4)) failing to work with a port-based ACL for remote clients. I have a simple one-line ACL for the split traffic; if I permit IP, the tunnel works fine, but if I lock it down to TCP 3389, then RDP will not work. I am seeing nothing in the logs and debug output. I have not had a problem with an identical setup (5510 8.0(4)) and am at a loss to explain it.

Has anybody seen this problem before? I have NAT exclusions etc. and, as I said, the tunnel only works when the ACL permits all IP traffic between client and server.

Thanks in advance

Correct Answer by Ivan Martinon about 7 years 10 months ago

The split-tunnel list can only be IP. If you want to restrict which ports are sent via the VPN tunnel for your VPN clients, you need to use VPN filters under the group policy:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

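As an added illustration of the answer above (this configuration is not from the thread or from Cisco's page; ACL, pool, group-policy and tunnel-group names and all addresses are hypothetical), here is how the two ACLs sit side by side on an ASA: the split-tunnel list only names the networks the client should route into the tunnel, while the vpn-filter under the group policy is what actually limits the traffic to TCP 3389. Both are needed; a port restriction written into the split-tunnel list is simply not honoured, which matches the symptom in the question.

```cisco
! Added example, not from the original thread. Names and addresses are hypothetical.

! 1. Split-tunnel list: decides WHICH destinations the client sends into the
!    tunnel. It describes networks only, not protocols or ports, so keep it IP-only.
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0

! 2. VPN filter: decides WHAT is allowed inside the tunnel. For remote-access
!    clients, write it with the client-assigned address (from the pool) as the
!    source and the inside host as the destination. Anything not permitted is
!    dropped (implicit deny); the explicit deny is there only to get a log line.
access-list VPN_FILTER_RDP extended permit tcp 192.168.50.0 255.255.255.0 host 10.10.10.5 eq 3389
access-list VPN_FILTER_RDP extended deny ip any any log

! Caveat: the filter is applied to both directions of the tunnel, with source
! and destination swapped for the return path. The permit above therefore also
! lets 10.10.10.5 open a connection FROM tcp/3389 to any port on a client.
! Do not read a vpn-filter ACE as a one-way stateful firewall rule.

ip local pool RA_POOL 192.168.50.1-192.168.50.100 mask 255.255.255.0

group-policy RA_GP internal
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_FILTER_RDP

tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP

! Checks once a client has connected and opened an RDP session:
!   show vpn-sessiondb detail remote   - confirms the session picked up RA_GP
!   show access-list VPN_FILTER_RDP    - hit count on the permit ACE should increase;
!                                        hits on the deny ACE show what else the
!                                        client tried to send through the tunnel
```

The deny ACE with `log` is the practical debugging aid here: the original poster saw nothing in the logs because the split-tunnel list silently ignores the port, whereas a vpn-filter drop is logged and shows up in `show access-list` counters.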
qubenetworks Tue, 02/03/2009 - 01:02

Many thanks, that has cleared it up for me. Interestingly, the port-based ACL does seem to work on the WebVPN.
