ASA 8.3 VPN ACL help...

Aug 20th, 2010

We have multiple VPN profiles configured for multiple remote VPN users; their job function determines which profile they get.


One in question is giving me fits.


Remote user connects to the co-lo and attempts to reach a host at the main office.  We have a site-to-site tunnel from the co-lo to the main office.  For regular employees this works fine, and I can't for the life of me figure out why the xuser group is any different. It seems as though traffic destined for the main office from the xuser group never gets pushed through the tunnel.


xuser: 10.10.22.0/24

ruser: 10.10.23.0/24

host: 10.1.1.52/32


If I do a packet trace from xuser > host it gets rejected:

......

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface inside
access-list Inside_access_in extended permit tcp object VPN_xuser object host eq www

......

Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:

......



If I do a packet tracer from ruser > host it gets past that and continues on:

....

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface inside <snipped>

........


Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: ALLOW
Config:
Additional Information:...and so on.


Can someone help me out?

dpatten78 Fri, 08/20/2010 - 09:54

xuser:

Additional Information:
Static translate 10.10.22.111/80 to 10.10.22.111/80


ruser:

Additional Information:
Static translate 10.10.23.108/80 to 10.10.23.108/80
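As an added example, not code from the thread or from Cisco: a small Python helper that parses packet-tracer output like the snippets above, reports the first phase that returns DROP, and compares two traces phase by phase to find where they diverge. The two traces embedded below are constructed from the abridged output quoted in the thread (not verbatim captures), and the subtype-to-config hints are my own mapping: the vpn-user subtype is the vpn-filter check applied through the group-policy or user attributes, which is a separate ACL from the interface ACL that already passed in Phase 3.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the abridged xuser > host trace quoted in the thread.
XUSER_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface inside
access-list Inside_access_in extended permit tcp object VPN_xuser object host eq www
Additional Information:

Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
"""

# Constructed from the abridged ruser > host trace quoted in the thread.
RUSER_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface inside
Additional Information:

Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: ALLOW
Config:
Additional Information:
"""

# Which part of the ASA configuration each ACCESS-LIST subtype evaluates
# (my own mapping, used only to point the reader at the right config section).
ACL_SUBTYPE_HINTS = {
    "log": "interface ACL bound with 'access-group ... in interface ...'",
    "vpn-user": "vpn-filter ACL applied via group-policy or per-user attributes",
}

FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")


def parse_phases(text: str) -> List[Dict[str, str]]:
    """Split packet-tracer output into one dict per 'Phase:' block."""
    phases: List[Dict[str, str]] = []
    # Everything before the first 'Phase:' header (if any) is ignored.
    for chunk in re.split(r"(?m)^Phase:\s*", text)[1:]:
        lines = chunk.splitlines()
        phase: Dict[str, str] = {"phase": lines[0].strip()}
        current: Optional[str] = None
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                current = m.group(1).lower().replace(" ", "_")
                phase[current] = m.group(2).strip()
            elif current in ("config", "additional_information") and line.strip():
                # Multi-line sections (e.g. several access-list lines) are joined.
                phase[current] = (phase[current] + "\n" + line.strip()).strip()
        phases.append(phase)
    return phases


def first_drop(text: str) -> Optional[Dict[str, str]]:
    """Return the first phase whose Result is DROP, or None if the packet passes."""
    for p in parse_phases(text):
        if p.get("result") == "DROP":
            return p
    return None


def explain_drop(text: str) -> str:
    """Human-readable pointer to the config section behind the first DROP."""
    p = first_drop(text)
    if p is None:
        return "no DROP phase: packet passes the traced phases"
    hint = ACL_SUBTYPE_HINTS.get(p.get("subtype", ""), "see the phase's Config section")
    return f"dropped at phase {p['phase']} ({p.get('type')}/{p.get('subtype')}): check {hint}"


def diverging_phase(trace_a: str, trace_b: str) -> Optional[Tuple[str, str, str]]:
    """First phase number where the two traces give different Results."""
    by_num = {p["phase"]: p for p in parse_phases(trace_b)}
    for p in parse_phases(trace_a):
        other = by_num.get(p["phase"])
        if other and p.get("result") != other.get("result"):
            return p["phase"], p.get("result", ""), other.get("result", "")
    return None


if __name__ == "__main__":
    print(explain_drop(XUSER_TRACE))
    print(explain_drop(RUSER_TRACE))
    print(diverging_phase(XUSER_TRACE, RUSER_TRACE))
```

Running it on the two constructed traces prints that xuser is dropped at phase 7 by the vpn-user check while ruser passes, and that phase 7 is the first point where the traces diverge; the interface ACL in phase 3 is the same for both and is not where to look.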
