Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
958
Views
0
Helpful
3
Replies

Traffic initiated from ASA inside interface is blocked on return through VPN ACL

paulstone80
Level 3
Level 3

‎10-14-2010 08:13 AM - edited ‎03-11-2019 11:54 AM

Hi,

I am trying to control the access of 'Remote Access VPN' users to our internal network, by applying filters to the various Group Policies we have configured on our ASA. The idea being that User Group A can access one set of servers, and User Group B can access a different set of servers, allowing us to control where 3rd party users and suppliers can go within our network.

So far, this works for traffic that is initiated from the remote client, and is destined for the internal network. But it fails for traffic that is initiated within the internal network, and is destined to the remote vpn client. For example, if I try to initiate a Remote Desktop session (TCP/3389) from the internal network to the Remote VPN Client, the connection just times out, or if i try to browse the C$ of the remote system, the connection never establishes.

I have managed to get the traffic to return from the Remote VPN Client by adding an 'any any ip' rule to the ACL filter assigned to the Group Policy. Obvioulsy I don't want to use an 'any any ip' because it negates the use of filtering the traffic in the first place.

Does anyone have any ideas about what is preventing the traffic from getting back into the internal network?

I would have thought that traffic that was outbound from the inside  interface, would be able to return by default, and wouldn't need any holes  punching on the return ACL.

Thanks,


Paul

HTH Paul ****Please rate useful posts****
Labels:
0 Helpful
3 Replies 3

Jitendriya Athavale
Cisco Employee
Cisco Employee

‎10-14-2010 09:38 AM

so what is happening here if i undersatnd you right is you have applied vpn filter in the group policy, you want restricted access f

rom remote clients to internal network, but from internal to remote clients when initiate from inter

nal you want it to go through

this aint gonna happen currently with the way vpn filters are designed, they will not look at any connection entries

so what you can do is probabaly say permit ip any any on filter or actually remove them and put an acl on the internal interface in outbound direction restrict access from that, that way you achieve what you are trying to do about punching holes for return traffic depening on connection entries

hope it helps

0 Helpful

paulstone80
Level 3
Level 3
In response to Jitendriya Athavale

‎10-16-2010 04:52 AM

Hi Jathaval,

Thanks for your response.

If the reason this doesn't work is by design, then I will try a different approach, probably restricting access from the internal to the remote vpn network as suggested.

Thanks,

Paul

HTH Paul ****Please rate useful posts****
0 Helpful

Jitendriya Athavale
Cisco Employee
Cisco Employee
In response to paulstone80

‎10-16-2010 08:53 PM

hi Paul,

i am glad i could be of help...please let us know if this has helped you by rating the answer or marking this question as resolved/answered

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card