ASA5520 - VPN Client - Downloadable ACL - Not Two Way Traffic :(

Jul 30th, 2010

I have an ASA5520 [v8.0(4)] to which a remote client using the "Cisco VPN Client" software connects.

The user is authenticated to an ACS server [v4.0.1], which uses/assigns a Downloadable ACL. So far so good :-)

The Remote Client ( is able to access devices/networks on the "inside" of the ASA5520 through the ACL rules.


permit tcp host

permit tcp host

The problem I am having is with devices on the "internal" networks not being able to initiate a connection "outbound" to the remote client.

I have added the following rules to the DACL, but they are never matched, and the default "deny any" at the end of the DACL is matched instead, which generates an Authorization denied message.

permit tcp host

permit tcp host

Q: Are Downloadable ACLs one-way only?

Q: How do I enable "outbound" access to the VPN client from "internal" networks/devices?

ufuk guler Sat, 08/07/2010 - 02:18

Hello Michael,

We have working scenarios like yours. To access VPN clients I have done 2 steps. I have written sample rules below. I hope this works for you.

Reply 1: The DACL is valid for one-way traffic only, FROM VPN_CLIENTS TO INSIDE HOSTS.

Reply 2:

          1 - Added permit rules to the INSIDE ACL. By this we have access rights to the VPN CLIENTS.

          access-list inside extended permit ip

          access-list inside extended permit ip

          2 - Defined NAT exempt rules to pass traffic FROM INSIDE TO VPN CLIENTS without NAT translation.

          access-list VPN_NAT extended permit ip

          access-list VPN_NAT extended permit ip

          nat (inside) 0 access-list VPN_NAT

Ufuk Guler
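The two steps in the reply above, written out as one complete ASA 8.0(4) configuration fragment. This is an added example, not part of Ufuk Guler's reply or of any Cisco document, and every address in it is an assumption: the inside network is taken to be 10.1.1.0/24 and the VPN client address pool 192.168.100.0/24. The `ip local pool` and `access-group` lines are also assumptions about the surrounding configuration (the reply shows neither); if the `inside` ACL is already bound to the inside interface, the `access-group` line is not needed.

```cisco
! Added example in ASA 8.0(4) syntax. Addresses are assumptions, not from the thread.
!
! Assumed address pool handed out to Cisco VPN Client users
ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
! Step 1: permit inside hosts to initiate connections to the VPN clients.
! The DACL pushed by ACS is applied only to traffic arriving from the VPN
! client, so connections that start on the inside must be permitted by the
! ACL on the inside interface instead.
access-list inside extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-group inside in interface inside
!
! Step 2: NAT exemption so inside-to-client traffic keeps its real source
! address and is routed into the tunnel rather than translated.
access-list VPN_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list VPN_NAT
```

The `permit ip` entries mirror the reply; in production you would normally narrow the inside ACL entry to the specific protocol, hosts and ports that need to reach the VPN clients, since anything permitted here is reachable from the whole inside network regardless of what the per-user DACL says.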

