02-17-2020 08:16 AM
So I have an ASA with a site-to-site VPN set up to, say, remote network 10.10.10.0/24. My inside network is PATed to the local VPN network of 55.55.55.55/32. I can create ACLs on the inside interface that affect traffic across the VPN tunnel just fine.
My question is for RA VPN AnyConnect users. I need to create an (outside,outside) PAT rule and add the remote VPN network to their split tunnel. But for ACLs, no rules I create on the inside or outside interface seem to affect RA VPN user traffic across the VPN tunnel. How might I make that work?
Thanks.
02-17-2020 08:24 AM
02-17-2020 08:43 AM
02-17-2020 09:26 AM
02-17-2020 11:27 AM
I tried just putting an ICMP4 block from the AnyConnect subnet to the remote VPN network range:
access-list inside_access_in_2 line 1 extended deny icmp any object DELTA-BI360_VPN_DST object-group ICMP4
access-list outside_access_in_2 line 1 extended deny icmp object Obj-10.10.22.0 object DELTA-BI360_VPN_DST object-group ICMP4
Keep in mind that even though the packet-tracer output below shows DROP, the ping still works from an AnyConnect client:
pack input outside icmp 10.10.22.23 8 0 10.162.0.7

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source dynamic Obj-10.10.22.0 EXT-72.1.110.145 destination static DELTA-BI360_VPN_DST DELTA-BI360_VPN_DST
Additional Information:
NAT divert to egress interface outside
Untranslate 10.162.0.7/0 to 10.162.0.7/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in_2 in interface outside
access-list outside_access_in_2 extended deny icmp object Obj-10.10.22.0 object DELTA-BI360_VPN_DST object-group ICMP4
object-group icmp-type ICMP4
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
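The following ASA configuration is an added example from the editor; it is not part of the original post or of any reply in the thread. It shows why the interface ACL above does not catch the AnyConnect ping and the two ways the ASA offers to filter that traffic. The object names Obj-10.10.22.0, DELTA-BI360_VPN_DST and ICMP4 and the ACL name outside_access_in_2 are taken from the post; the ACL name RA-VPN-FILTER and the group-policy name GP-ANYCONNECT are assumptions.

```cisco
! --- Why the interface ACL in the post had no effect on the ping ---
! With the default
!   sysopt connection permit-vpn
! traffic that the ASA decrypts from an IPsec or AnyConnect tunnel is passed
! without being checked against the interface access-group. The inside ACL
! never sees RA-VPN traffic at all (it arrives, decrypted, on outside), and
! the outside ACL is skipped for it. A plain packet-tracer on outside models
! a clear-text packet, not a decrypted one, which is why it reports DROP
! while the real ping from the AnyConnect client succeeds.

! --- Option A: per-tunnel filter, scoped to the AnyConnect users ---
! A vpn-filter ACL is written from the VPN peer's point of view: the source
! is the AnyConnect-assigned address, the destination is what the client is
! trying to reach. The ASA evaluates it for both directions of the tunnel
! and it ends in an implicit deny, so a permit for everything else is needed.
! GP-ANYCONNECT is an assumed group-policy name; use the one your
! AnyConnect tunnel-group actually applies.
access-list RA-VPN-FILTER extended deny icmp object Obj-10.10.22.0 object DELTA-BI360_VPN_DST object-group ICMP4
access-list RA-VPN-FILTER extended permit ip object Obj-10.10.22.0 any
!
group-policy GP-ANYCONNECT attributes
 vpn-filter value RA-VPN-FILTER
!
! --- Option B: make interface ACLs apply to decrypted VPN traffic (global) ---
! This turns the bypass off for EVERY tunnel terminating on the ASA,
! including the existing site-to-site one, so outside_access_in_2 must then
! also permit whatever the L2L peer is allowed to send. Only do this if you
! want all VPN traffic policed by the outside interface ACL.
! no sysopt connection permit-vpn
!
! --- Verify ---
! Hit counts on the interface ACL:   show access-list outside_access_in_2
! Hit counts on the filter:          show access-list RA-VPN-FILTER
! Filter attached to a live session: show vpn-sessiondb detail anyconnect filter name <username>
```

With Option A the deny in RA-VPN-FILTER is what drops the echo request, and the interface ACLs can stay as they are. Option B is the one that would have made the posted outside_access_in_2 deny take effect, at the cost of having to write explicit permits for the site-to-site tunnel's traffic as well. On ASA releases whose packet-tracer accepts a trailing `decrypted` keyword, adding it to the command in the post makes the simulation follow the decrypted-VPN path instead of the clear-text one, so the result then matches what the AnyConnect client actually experiences.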