11-10-2015 06:44 AM
I am using RDP as an example but it looks like all services are affected.
My AnyConnect clients can RDP to servers on my inside network, but when I try to RDP from inside servers to my AnyConnect clients, the firewall is blocking the traffic.
access-list inside_access_in denied tcp for user '<unknown>' inside/172.18.1.241(56547) -> outside/172.22.64.7(3389) hit-cnt 1 first hit [0xbe9efe96, 0x0]
All my rules are set up correctly, but I must be missing something.
11-10-2015 07:01 AM
Hi
It looks like access-list "inside_access_in" is denying the interesting traffic.
Can you please allow the internal users to communicate to Anyconnect clients in this access-list.
access-list inside_access_in extended permit ip 172.18.1.0 255.255.255.0 172.22.64.0 255.255.255.0
If there are any issues, please share the packet tracer (detailed) output.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
11-10-2015 07:28 AM
I do have that access-list defined
access-list inside_access_in extended permit ip object-group inside_networks object VPN_AllUsers
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static any any destination static inside_networks inside_networks
Additional Information:
NAT divert to egress interface outside
Untranslate 172.22.64.7/3389 to 172.22.64.7/3389
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group inside_networks object VPN_AllUsers
access-list inside_access_in remark Exchange access over the VPN
object-group network inside_networks
network-object object 172.18.0.0
network-object object 172.19.0.0
network-object object 172.31.254.0
network-object object 172.20.0.0
network-object object 172.21.0.0
group-object S2S_Offices
network-object object 192.168.51.0
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static any any destination static inside_networks inside_networks
Additional Information:
Static translate 172.18.1.241/1065 to 172.18.1.241/1065
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: WEBVPN-SVC
Subtype: out
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
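The packet-tracer output above shows the gotcha in this thread: the syslog deny message names the interface ACL inside_access_in, but the trace passes that ACL in Phase 2 and is only dropped in Phase 9, where Subtype: filter-aaa marks a per-user filter (the vpn-filter on the group-policy or AAA attributes). The following added example, written for this page and not code from the thread or from Cisco, parses a packet-tracer transcript into phases, reports the first phase with Result: DROP, and maps the filter-aaa subtype to that explanation. The embedded sample is abridged from the trace above; function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Dict, Optional, Tuple

# Sample packet-tracer output, abridged from the post above (phases 3-7 omitted).
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static any any destination static inside_networks inside_networks
Additional Information:
NAT divert to egress interface outside
Untranslate 172.22.64.7/3389 to 172.22.64.7/3389
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group inside_networks object VPN_AllUsers
Additional Information:
Phase: 8
Type: WEBVPN-SVC
Subtype: out
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"

def parse_trace(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Split packet-tracer output into numbered phases plus the trailing summary block."""
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    current: Optional[Phase] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1].strip()))
            phases.append(current)
            section = None
        elif line == "Result:":
            # A bare "Result:" opens the final summary (interfaces, Action, Drop-reason).
            current, section = None, "summary"
        elif current is not None:
            if line.startswith("Type:"):
                current.type = line.split(":", 1)[1].strip()
            elif line.startswith("Subtype:"):
                current.subtype = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                current.result = line.split(":", 1)[1].strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section == "config":
                current.config.append(line)
            elif section == "info":
                current.info.append(line)
        elif section == "summary" and ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return phases, summary

def find_drop(phases: List[Phase]) -> Optional[Phase]:
    """Return the first phase whose Result is DROP, or None if the flow was allowed."""
    return next((p for p in phases if p.result == "DROP"), None)

def explain_drop(phase: Phase) -> str:
    """Human-readable hint for the common ACCESS-LIST drop subtypes."""
    if phase.type == "ACCESS-LIST" and phase.subtype == "filter-aaa":
        return ("dropped by the per-user vpn-filter (group-policy or AAA attribute), "
                "not by an interface access-list")
    if phase.type == "ACCESS-LIST":
        acl = next((c for c in phase.config if c.startswith("access-group")), "unknown access-group")
        return f"dropped by interface ACL: {acl}"
    return f"dropped in phase {phase.number} ({phase.type}/{phase.subtype or '-'})"

if __name__ == "__main__":
    phases, summary = parse_trace(SAMPLE_TRACE)
    drop = find_drop(phases)
    if drop:
        print(f"Phase {drop.number}: {explain_drop(drop)}")
        print("Drop-reason:", summary.get("Drop-reason", "n/a"))
```

Paste a full `packet-tracer input inside tcp <src> <sport> <dst> <dport> detailed` transcript into `parse_trace` to get the same summary for your own flows; the interface-ACL hint pulls the access-group line straight from the phase's Config block.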
11-10-2015 07:36 AM
Check the group-policy associated to VPN users. The VPN filter is causing the drop.
You can remove the VPN filter from group-policy and give it a try and then tweak the filter accordingly.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
11-10-2015 10:30 AM
I removed the VPN filter (set it to none) and I am still getting blocked. I am going to call TAC.