Traffic initiated from ASA inside interface is blocked on return through VPN ACL
I am trying to control the access of 'Remote Access VPN' users to our internal network, by applying filters to the various Group Policies we have configured on our ASA. The idea being that User Group A can access one set of servers, and User Group B can access a different set of servers, allowing us to control where 3rd party users and suppliers can go within our network.
So far, this works for traffic that is initiated from the remote client, and is destined for the internal network. But it fails for traffic that is initiated within the internal network, and is destined to the remote vpn client. For example, if I try to initiate a Remote Desktop session (TCP/3389) from the internal network to the Remote VPN Client, the connection just times out, or if i try to browse the C$ of the remote system, the connection never establishes.
I have managed to get the traffic to return from the Remote VPN Client by adding an 'any any ip' rule to the ACL filter assigned to the Group Policy. Obvioulsy I don't want to use an 'any any ip' because it negates the use of filtering the traffic in the first place.
Does anyone have any ideas about what is preventing the traffic from getting back into the internal network?
I would have thought that traffic that was outbound from the inside interface, would be able to return by default, and wouldn't need any holes punching on the return ACL.
Re: Traffic initiated from ASA inside interface is blocked on return through VPN ACL
So, if I understand you right, what is happening here is that you have applied a VPN filter in the group policy: you want restricted access from remote clients to the internal network, but when traffic is initiated from internal to the remote clients you want it to go through.
This is not going to happen with the way VPN filters are currently designed; they will not look at any connection entries.
So what you can do is either say "permit ip any any" on the filter, or actually remove the filters and put an ACL on the internal interface in the outbound direction and restrict access from that. That way you achieve what you are trying to do about punching holes for return traffic depending on connection entries.
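Added example (not from the original thread): the two approaches the reply describes, side by side in ASA syntax. The address pool, server addresses, ACL names and group-policy name are assumptions chosen for illustration; the first approach also relies on the documented vpn-filter behaviour that the filter ACL is evaluated with the VPN client as the source address in both directions, which is why an inside-initiated session needs its own entry written from the client's side.

```cisco
! Constructed values (not from the thread):
!   VPN address pool for Group A : 192.168.100.0/24
!   Internal networks            : 10.1.0.0/16
!   Servers Group A may reach    : 10.1.1.10 (RDP), 10.1.1.20 (SMB)

! --- Approach 1: keep the vpn-filter, but write the return rule explicitly ---
! The vpn-filter ACL is applied per packet with the VPN client as "source"
! in both directions and is not matched against the connection table, so
! a session that an inside host opens to the client must be permitted by
! its own entry, with the client's service port as the SOURCE port.
access-list VPNFILTER_GROUP_A extended permit tcp any host 10.1.1.10 eq 3389
access-list VPNFILTER_GROUP_A extended permit tcp any host 10.1.1.20 eq 445
! inside host -> client on TCP/3389, seen from the client's side:
access-list VPNFILTER_GROUP_A extended permit tcp any eq 3389 10.1.0.0 255.255.0.0
! inside host -> client on TCP/445 (browsing the client's C$), same form:
access-list VPNFILTER_GROUP_A extended permit tcp any eq 445 10.1.0.0 255.255.0.0
access-list VPNFILTER_GROUP_A extended deny ip any any log

group-policy GP_GROUP_A attributes
 vpn-filter value VPNFILTER_GROUP_A

! --- Approach 2 (the reply's suggestion): no vpn-filter, outbound ACL on inside ---
! Interface ACLs are stateful: the SYN from an inside host to the client
! creates a connection entry and the client's replies are matched to it,
! so only the client-initiated traffic has to be enumerated here.
group-policy GP_GROUP_A attributes
 no vpn-filter

access-list INSIDE_OUT extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq 3389
access-list INSIDE_OUT extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.20 eq 445
access-list INSIDE_OUT extended deny ip 192.168.100.0 255.255.255.0 10.1.0.0 255.255.0.0 log
! everything else leaving towards the inside network is unaffected
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT out interface inside
```

Two checks before relying on approach 2: confirm with "show running-config all sysopt" whether "sysopt connection permit-vpn" is in effect, because that setting lets tunnel traffic bypass interface ACLs and you may find INSIDE_OUT is not consulted for the decrypted traffic at all (with "no sysopt connection permit-vpn" the interface ACLs apply, and the outside interface's inbound ACL must then also permit the decrypted client traffic); and verify the result with "show conn address 192.168.100.0 netmask 255.255.255.0" while an inside host has an RDP session open to a client, which should show the connection entry that the return packets are matched against.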