01-03-2012 07:30 PM - edited 03-11-2019 03:09 PM
So, I've set up Anyconnect client access to an ASA-5510.
I've got a handful of interfaces, which contain hosts that should be accessible to AnyConnect clients. I'm unable to reach addresses on a specific network, due to what packet-tracer claims is an implicit deny, though I'm unsure where to apply an access-list in this case.
fw1# show nameif
Interface Name Security
Ethernet0/0.205 SECURE 90
Ethernet0/3.666 INTERNET 0
fw1# show int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0.205 10.1.24.1 YES CONFIG up up
Ethernet0/3.666 x.x.x.x YES CONFIG up up
In all cases, my anyconnect session is via the named interface "INTERNET", security-level 0.
From my client, I cannot reach 10.1.24.10. Incidentally, the host filters out ICMP, and is only open on tcp/80.
Can anyone suggest where I should apply an access-list permitting this traffic? I've already applied an inbound access-list to the INTERNET interface permitting all traffic from the pool assigned to the anyconnect clients. (Phase 3)
Or perhaps I've misunderstood entirely!
Any suggestions are appreciated. packet-tracer output below...
Regards,
Phil
fw1# packet-tracer input INTERNET tcp 10.1.6.1 5000 10.1.24.10 80 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.24.0 255.255.252.0 SECURE
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INTERNET_access_in in interface INTERNET
access-list INTERNET_access_in extended permit ip object-group SITEVPNCLIENT any
object-group network SITEVPNCLIENT
network-object 10.1.6.0 255.255.255.128
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd56823f8, priority=12, domain=permit, deny=false
hits=384, user_data=0xd554ac08, cs_id=0x0, flags=0x0, protocol=0
src ip=10.1.6.0, mask=255.255.255.128, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd61a0308, priority=7, domain=conn-set, deny=false
hits=1359, user_data=0xd619d118, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd55fdfe0, priority=0, domain=permit-ip-option, deny=true
hits=203456, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd616b8c0, priority=79, domain=punt, deny=true
hits=21, user_data=0xd4e82e08, cs_id=0x0, flags=0x0, protocol=0
src ip=10.1.6.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd51eac48, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=83, user_data=0x5000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.6.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: INTERNET
input-status: up
input-line-status: up
output-interface: SECURE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
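The following is an added example and not part of the original post: a small Python parser for ASA packet-tracer output that walks the phases, finds the first one whose Result is DROP, pulls the `id=/priority=/domain=/deny=` fields from that phase's rule line and pairs them with the trailing Action / Drop-reason block, so a long trace can be reduced to "which phase killed the flow and under which rule domain". The embedded SAMPLE is a trimmed copy of phase 3, phase 7 and the Result block from the trace above, constructed here as test input; the function names are this example's own. Reading the output this way also makes the caveat visible: the packet was injected in cleartext on INTERNET and was dropped in the WEBVPN-SVC phase (domain svc-ib-tunnel-flow), before any interface ACL on the way out to SECURE was consulted, so the phase 3 permit on INTERNET_access_in tells you nothing about where the real tunnel traffic is being stopped.

```python
"""Parse Cisco ASA packet-tracer output and report where a flow is dropped."""
import re
from dataclasses import dataclass, field

# Constructed sample: phases 3 and 7 plus the final Result block of the trace
# in the post above (the other phases are omitted to keep the input short).
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INTERNET_access_in in interface INTERNET
access-list INTERNET_access_in extended permit ip object-group SITEVPNCLIENT any
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd56823f8, priority=12, domain=permit, deny=false
        hits=384, user_data=0xd554ac08, cs_id=0x0, flags=0x0, protocol=0

Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd51eac48, priority=70, domain=svc-ib-tunnel-flow, deny=false
        hits=83, user_data=0x5000, cs_id=0x0, reverse, flags=0x0, protocol=0

Result:
input-interface: INTERNET
output-interface: SECURE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, final): the Phase objects in order and the trailing Result block as a dict."""
    phases, final = [], {}
    current, section, in_final = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:                                   # a new phase header
            current = Phase(int(m.group(1)))
            phases.append(current)
            section, in_final = None, False
            continue
        if line == "Result:":                   # bare "Result:" opens the final summary block
            in_final, current = True, None
            continue
        if in_final:
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
            continue
        if current is None:
            continue
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, final


def first_drop(phases):
    """The first phase whose Result is DROP, or None if every phase allowed the packet."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def parse_rule(phase):
    """Split the 'in  id=..., priority=..., domain=..., deny=...' line of a phase into a dict."""
    for line in phase.info:
        m = re.match(r"in\s+(id=.*)", line)
        if m:
            return {k.strip(): v.strip() for k, _, v in
                    (tok.partition("=") for tok in m.group(1).split(",")) if v}
    return {}


def summarize(text):
    """Reduce a trace to the dropping phase, its rule fields and the final drop reason code."""
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    reason = final.get("Drop-reason", "")
    code = re.match(r"\((.*?)\)", reason)
    return {
        "action": final.get("Action"),
        "drop_reason": reason or None,
        "drop_code": code.group(1) if code else None,
        "drop_phase": drop.number if drop else None,
        "drop_type": drop.type if drop else None,
        "rule": parse_rule(drop) if drop else {},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it against a saved `packet-tracer ... detailed` transcript instead of SAMPLE to get the dropping phase and rule domain at a glance; the domain name (here svc-ib-tunnel-flow rather than an interface ACL's permit/deny domain) is usually the quickest hint about which subsystem, not just which phase, refused the flow.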