Cisco Support Community
Community Member

ASA 8.3 VPN ACL help...

We have multiple VPN profiles configured for multiple remote VPN users; which profile they get depends on their job function.

One in question is giving me fits.

Remote user connects to the co-lo and attempts to reach a host at the main office. We have a site-to-site tunnel from the co-lo to the main office. For regular employees this works fine, and I can't for the life of me figure out why the xuser group is any different. It seems as though traffic destined for the main office from the xuser group never gets pushed through the tunnel.

xuser: 10.10.22.0/24

ruser: 10.10.23.0/24

host: 10.1.1.52/32

If I do a packet trace from xuser > host it gets rejected:

......

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface inside
access-list Inside_access_in extended permit tcp object VPN_xuser object host eq www

......

Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:

......

If I do a packet tracer from ruser > host it gets past that and continues on:

....

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface inside <snipped>

........

Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: ALLOW
Config:
Additional Information:...and so on.

Can someone help me out?
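As an added example (not code from this thread), a small Python parser for the packet-tracer phase output quoted above: it reports the first phase whose Result is DROP and lists any identity static translations (A to A) of the kind shown in the reply, so two profiles' traces can be compared mechanically. The traces are constructed from the post's output; the Phase 5 NAT block and its phase number are assumptions.

```python
import re
# Constructed sample: the phases quoted in the post above plus an assumed NAT phase like the reply's.
XUSER_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface inside

Phase: 5
Type: NAT
Result: ALLOW
Additional Information:
Static translate 10.10.22.111/80 to 10.10.22.111/80

Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
"""
# The ruser trace (constructed) differs only in the pool address and the Phase 7 verdict.
RUSER_TRACE = XUSER_TRACE.replace("10.10.22.111", "10.10.23.108").replace("Result: DROP", "Result: ALLOW")

def parse_packet_tracer(text):
    """One dict per phase: 'Key: value' header lines, plus every other non-empty line under 'detail'."""
    phases = []
    for block in re.split(r"\n(?=Phase: )", text.strip()):
        fields = {"detail": []}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key in ("Phase", "Type", "Subtype", "Result"):
                fields[key.lower()] = value.strip()
            elif line.strip() and line.strip() not in ("Config:", "Additional Information:"):
                fields["detail"].append(line.strip())
        fields["phase"] = int(fields["phase"])
        phases.append(fields)
    return phases

def first_drop(phases):
    """The first phase whose Result is DROP (where the ASA discarded the packet), or None."""
    return next((p for p in phases if p.get("result") == "DROP"), None)

def identity_translations(phases):
    """(phase, address) for each 'Static translate A to B' line with A == B: an identity NAT hit."""
    hits = []
    for p in phases:
        for line in p["detail"]:
            m = re.match(r"Static translate (\S+) to (\S+)$", line)
            if m and m.group(1) == m.group(2):
                hits.append((p["phase"], m.group(1)))
    return hits
```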

2 REPLIES
Cisco Employee

Re: ASA 8.3 VPN ACL help...

Please check if you have identity NAT for this specific traffic.

Community Member

Re: ASA 8.3 VPN ACL help...

xuser:

Additional Information:
Static translate 10.10.22.111/80 to 10.10.22.111/80

ruser:

Additional Information:
Static translate 10.10.23.108/80 to 10.10.23.108/80
