1590 Views, 0 Helpful, 4 Replies

ASA VPN, NAT, and ACL

Mr.Christian
Level 1

So I have an ASA with a site-to-site VPN setup to say, remote network 10.10.10.0/24.  My inside network is PAT to the local VPN network of 55.55.55.55/32.  I can create ACL on the inside interface that affect traffic across the VPN tunnel just fine.

 

My question is for RA VPN AnyConnect users. I need to create an (outside,outside) PAT rule and add the remote VPN network to their split tunnel. But for ACLs, no rules I create on the inside or outside interface seem to affect RA VPN user traffic across the VPN tunnel. How might I make that work?

 

Thanks.

4 Replies

Hi,
You'll need "same-security-traffic permit intra-interface" to permit traffic to hairpin (enter and exit the same interface).

HTH

Correct, we already have a lot of traffic hairpinned on this ASA. That's all working fine.

My question was on how to ACL traffic coming in from Anyconnect RA VPN users.

What ACL have you defined and in which direction? Please run packet-tracer from the CLI and provide the output for review.

I tried just putting an ICMP4 block from the AnyConnect subnet to the remote VPN network range:

 

access-list inside_access_in_2 line 1 extended deny icmp any object DELTA-BI360_VPN_DST object-group ICMP4

access-list outside_access_in_2 line 1 extended deny icmp object Obj-10.10.22.0 object DELTA-BI360_VPN_DST object-group ICMP4

 

Keep in mind that even though the below packet-tracer is showing DROP, the ping still works from an Anyconnect client:

 

pack input outside icmp 10.10.22.23 8 0 10.162.0.7

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source dynamic Obj-10.10.22.0 EXT-72.1.110.145 destination static DELTA-BI360_VPN_DST DELTA-BI360_VPN_DST
Additional Information:
NAT divert to egress interface outside
Untranslate 10.162.0.7/0 to 10.162.0.7/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in_2 in interface outside
access-list outside_access_in_2 extended deny icmp object Obj-10.10.22.0 object DELTA-BI360_VPN_DST object-group ICMP4
object-group icmp-type ICMP4
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
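What the thread does not spell out is why the packet-tracer drop and the working ping disagree. By default the ASA carries "sysopt connection permit-vpn", which lets traffic that arrives decrypted from a VPN tunnel (site-to-site or AnyConnect) bypass the interface access-groups entirely; the packet-tracer above was run as plain cleartext on outside, so it was checked against outside_access_in_2, while real AnyConnect traffic is decrypted first and skips that ACL. The two standard ways to filter AnyConnect users are a vpn-filter on their group-policy or disabling the bypass. The configuration below is an added example, not config from the original poster; it reuses the object names visible in the thread (Obj-10.10.22.0, DELTA-BI360_VPN_DST, ICMP4) and assumes a group-policy name RA_VPN_GP, which is hypothetical.

```cisco
! --- Option A (preferred): per-tunnel-group filtering with vpn-filter ---
! vpn-filter ACLs are written from the remote peer's perspective: the source
! is the AnyConnect-assigned client address, the destination is the local or
! tunnelled resource. The ACL is applied in both directions automatically.
! Object names below are the ones shown in the thread; RA_VPN_GP is assumed.
access-list RA_VPN_FILTER extended deny icmp object Obj-10.10.22.0 object DELTA-BI360_VPN_DST object-group ICMP4
access-list RA_VPN_FILTER extended permit ip object Obj-10.10.22.0 any
! A vpn-filter ends in an implicit deny, so the permit line above matters.

group-policy RA_VPN_GP attributes
 vpn-filter value RA_VPN_FILTER

! --- Option B (global): make VPN traffic subject to interface ACLs ---
! This affects EVERY tunnel on the box, including the existing site-to-site
! VPN, so the inside/outside access-groups must already permit that traffic.
no sysopt connection permit-vpn
! With the bypass off, the existing outside_access_in_2 deny from the thread
! is evaluated against decrypted AnyConnect packets hairpinning on outside.
```

After either change, verify from a connected AnyConnect client rather than with cleartext packet-tracer, and check the hit counters with "show access-list RA_VPN_FILTER" (Option A) or "show access-list outside_access_in_2" (Option B); a rising hitcnt on the deny line confirms the traffic is now reaching the ACL.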