vpn-filter permit any any blocks all AnyConnect traffic
I am using AnyConnect with RADIUS on an ASA5510. RADIUS defines which group-policy should apply to each AnyConnect client.
I'd like to use a different vpn-filter for each group-policy group. With no vpn-filter defined, AnyConnect clients can communicate with inside networks and outside (via nat). However, defining any vpn-filter asa group-policy attribute seems to drop all connectivity for AnyConnect client tunnels in that group. Even something as simple as:
access-list FILTER1 extended permit ip any any
group-policy GROUP1 attributes
vpn-filter value FILTER1
...seems to drop all traffic. Deleting the single vpn-filter line restores connectivity.
I'm unsure how to packet-trace traffic entering via AnyConnect to see where the problem lies.