ASA5520 - VPN Client - Downloabale ACL - Not Two Way Traffic :(

accelyauk · ‎07-30-2010

I have a ASA5520 [v8.0(4)], to which a remote client using the "cisco VPN client" software connects to.

The user is authenticated to an ACS server [v4.0.1], which uses/assigns a Downloadable ACL. So far so good :-)

The Remote Client (10.11.12.5) is able to access devices/networks on the "inside" of the ASA5520 through the ACL rules.

e.g.

permit tcp host 10.11.12.5 10.11.10.0 255.255.255.0

permit tcp host 10.11.12.5 10.11.13.0 255.255.255.0

The problem I am having is with devices on the "internal" networks not being able to initiate a connection "outbound" to the remote client.

I have added the following rules to the DACL, but they are never matched, and the default "deny any" at the end of the DACL is matched which generates an Authorization denied message.

permit tcp 10.11.10.0 255.255.255.0 host 10.11.12.5

permit tcp 10.11.13.0 255.255.255.0 host 10.11.12.5

Q: Are Downloadable ACL's one-way only ?

Q: How do I enable "outbound" access to the VPN Client from "internal" networks/devices ?

ufuk guler · ‎08-07-2010

Hello Michael,

We have working senarios as yours. To access VPN clients i have done 2 steps. I have write sample rules below. I hope this works for you.

Reply 1 : DACL is valid for only one way traffic FROM VPN_CLIENTS TO INSIDE HOSTS.

Reply 2 :

1 - Added permit rules to INSIDE ACL. By this we can have access right to VPN CLIENTS.

access-list inside extended permit ip 10.11.10.0 255.255.255.0 10.11.12.0 255.255.255.0

access-list inside extended permit ip 10.11.13.0 255.255.255.0 10.11.12.0 255.255.255.0

2 - Defined nat exempt rules to pass traffic FROM INSIDE TO VPN CLIENTS without nat translation.

access-list VPN_NAT extended permit ip 10.11.10.0 255.255.255.0 10.11.12.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.11.13.0 255.255.255.0 10.11.12.0 255.255.255.0

nat (inside) 0 access-list VPN_NAT

Ufuk Guler