Cisco Support Community
New Member

ASA5520 - VPN Client - Downloadable ACL - Not Two Way Traffic :(

I have an ASA5520 [v8.0(4)], to which a remote client using the "cisco VPN client" software connects.

The user is authenticated to an ACS server [v4.0.1], which uses/assigns a Downloadable ACL. So far so good :-)

The Remote Client (10.11.12.5) is able to access devices/networks on the "inside" of the ASA5520 through the ACL rules.

e.g.

permit tcp host 10.11.12.5 10.11.10.0 255.255.255.0

permit tcp host 10.11.12.5 10.11.13.0 255.255.255.0

The problem I am having is with devices on the "internal" networks not being able to initiate a connection "outbound" to the remote client.

I have added the following rules to the DACL, but they are never matched, and the default "deny any" at the end of the DACL is matched, which generates an Authorization denied message.

permit tcp 10.11.10.0 255.255.255.0 host 10.11.12.5

permit tcp 10.11.13.0 255.255.255.0 host 10.11.12.5

Q: Are Downloadable ACLs one-way only?

Q: How do I enable "outbound" access to the VPN Client from "internal" networks/devices ?

1 REPLY
New Member

Re: ASA5520 - VPN Client - Downloadable ACL - Not Two Way Traffic

Hello Michael,

We have working scenarios like yours. To access VPN clients I have done 2 steps. I have written sample rules below. I hope this works for you.

Reply  1 : DACL is valid for only one way traffic FROM VPN_CLIENTS TO INSIDE HOSTS.

Reply  2 :

          1 - Added permit rules to INSIDE ACL. By this we can have access right to VPN CLIENTS.

          access-list inside extended permit ip 10.11.10.0 255.255.255.0 10.11.12.0 255.255.255.0

          access-list inside extended permit ip 10.11.13.0 255.255.255.0 10.11.12.0 255.255.255.0

          2 - Defined nat exempt rules to pass traffic FROM INSIDE TO VPN CLIENTS without nat translation.

          access-list VPN_NAT extended permit ip 10.11.10.0 255.255.255.0 10.11.12.0 255.255.255.0

          access-list VPN_NAT extended permit ip 10.11.13.0 255.255.255.0 10.11.12.0 255.255.255.0

          nat (inside) 0 access-list VPN_NAT

Ufuk Guler
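An added example, not taken from the thread, that puts the two steps of the reply above together with the interface binding and NAT ordering they depend on. The interface names, the pre-existing dynamic PAT rule, and the "inside" ACL being the one bound to the inside interface are assumptions.

```cisco
! Assumed existing setup (not from the thread): inside hosts are PATed
! to the outside interface address when they go out to the Internet.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Step 1: let inside hosts reach the VPN client pool 10.11.12.0/24.
! Only needed when an ACL is already bound to the inside interface;
! with no ACL bound, higher- to lower-security traffic is allowed by default.
access-list inside extended permit ip 10.11.10.0 255.255.255.0 10.11.12.0 255.255.255.0
access-list inside extended permit ip 10.11.13.0 255.255.255.0 10.11.12.0 255.255.255.0
access-group inside in interface inside
!
! Step 2: NAT exemption so inside-to-client packets keep their real
! source address instead of being rewritten by dynamic NAT id 1.
! nat 0 with an access-list is evaluated before the dynamic NAT rules.
access-list VPN_NAT extended permit ip 10.11.10.0 255.255.255.0 10.11.12.0 255.255.255.0
access-list VPN_NAT extended permit ip 10.11.13.0 255.255.255.0 10.11.12.0 255.255.255.0
nat (inside) 0 access-list VPN_NAT
!
! The DACL on ACS keeps only the client-to-inside entries; per the reply,
! it is evaluated on traffic arriving from the VPN client, so the reverse
! entries from the question never get a hit.
!
! Check after an inside host opens a connection to the client:
!   show access-list inside      (hitcnt on the two new lines should increase)
!   show xlate | include 10.11.12   (no translation should appear for this traffic)
```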
