Unable to access VPN users from Inside network

genexjeff
Level 1

I am using RDP as an example but it looks like all services are affected.

My AnyConnect clients can RDP to servers on my inside network, but when I try to RDP from inside servers to my Anyconnect clients, the firewall is blocking the traffic.

access-list inside_access_in denied tcp for user '<unknown>' inside/172.18.1.241(56547) -> outside/172.22.64.7(3389) hit-cnt 1 first hit [0xbe9efe96, 0x0]

All my rules are set up correctly, but I must be missing something.

4 Replies

Dinesh Moudgil
Cisco Employee

Hi

It looks like access-list "inside_access_in" is denying the interesting traffic.
Can you please allow the internal users to communicate to AnyConnect clients in this access-list.

access-list inside_access_in extended permit ip 172.18.1.0 255.255.255.0 172.22.64.0 255.255.255.0

If there are any issues, please share the packet tracer (detailed) output.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

I do have that access-list defined

access-list inside_access_in extended permit ip object-group inside_networks object VPN_AllUsers

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static any any destination static inside_networks inside_networks
Additional Information:
NAT divert to egress interface outside
Untranslate 172.22.64.7/3389 to 172.22.64.7/3389

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group inside_networks object VPN_AllUsers
access-list inside_access_in remark Exchange access over the VPN
object-group network inside_networks
 network-object object 172.18.0.0
 network-object object 172.19.0.0
 network-object object 172.31.254.0
 network-object object 172.20.0.0
 network-object object 172.21.0.0
 group-object S2S_Offices
 network-object object 192.168.51.0
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static any any destination static inside_networks inside_networks
Additional Information:
Static translate 172.18.1.241/1065 to 172.18.1.241/1065

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: WEBVPN-SVC
Subtype: out
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
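To make tracer output like the one above quicker to triage, here is an added Python helper (not from the thread and not a Cisco tool) that splits packet-tracer output into its phases and reports the first phase that returned DROP; it uses an abridged copy of the output posted above as its sample input.

```python
import re
# Abridged packet-tracer output from the thread above (phases 2 and 9 and the final result).
SAMPLE = """\
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list inside_access_in extended permit ip object-group inside_networks object VPN_AllUsers
Additional Information:

Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
FIELD = re.compile(r"^(Phase|Type|Subtype|Result):\s*(.*)$")

def parse_phases(text):
    """One dict per 'Phase: N' block: header fields plus the lines under 'Config:'."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Phase:"):
            continue  # the trailing 'Result:' summary is not a phase
        phase, section = {"Config": []}, None
        for line in lines:
            if line.startswith("Config:"):
                section = "Config"
            elif line.startswith("Additional Information:"):
                section = None  # free-text notes (NAT details etc.) are not config
            elif section:
                phase[section].append(line)
            elif m := FIELD.match(line):
                phase[m.group(1)] = m.group(2).strip()
        phases.append(phase)
    return phases

def first_drop(phases):
    """The first phase whose Result is DROP is the one that killed the flow."""
    return next((p for p in phases if p.get("Result") == "DROP"), None)

def drop_reason(text):
    """Drop-reason from the final Result block, or None if the flow was allowed."""
    m = re.search(r"^Drop-reason:\s*(.*)$", text, re.MULTILINE)
    return m.group(1) if m else None
```

On the output above it reports phase 9 (ACCESS-LIST / filter-aaa), which points at the group-policy VPN filter rather than the interface ACL that phase 2 already permitted.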

Check the group-policy associated to VPN users. The VPN filter is causing the drop.
You can remove the VPN filter from group-policy and give it a try and then tweak the filter accordingly.

Regards,
Dinesh Moudgil


I removed the VPN filter (set it to none) and am still getting blocked. I am going to call TAC.