10-02-2018 01:52 AM - edited 03-12-2019 07:00 AM
Hi,
I have a working AnyConnect 4.6 remote access VPN solution in place on a Cisco FTD 2110 and FMC on software code 6.2.3.5. All user traffic comes via the VPN, no split-tunneling.
Now I want to apply a VPN Filter ACL to the group policy to restrict access to the network. It doesn't work.
When this extended ACL is defined, there is no ping/http/https to the LAN Servers based on DNS name or IP address. DNS resolution is working though.
Source: <remote-vpn-ip-pool> Destination: <local-lan-server-ip> Ports: Any Allow
When the ACL is set to basically permit any, ping/http/https to servers (and everything else for that matter) works.
Source: <remote-vpn-ip-pool> Destination: Any Ports: Any Allow
When there is no ACL defined under the group policy, basically empty field for the VPN Filter List attribute under group policy, it works as well.
Seems the contents of the filter ACL are creating this issue.
Any ideas?
Regards,
10-02-2018 02:38 AM
Discard that please. The server names configured via network objects and referenced in the ACL were incorrect. They pointed to the actual server IP rather than the virtual IPs on them. Updating the ACL to reference the actual VIP made it work without issues. Sorry for the inconvenience.
Regards,
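The failure mode in this thread (DNS resolves to a VIP, but the network objects behind the VPN filter ACEs hold the servers' real interface addresses, so every flow hits the implicit deny) is easy to reproduce off-box. The following is an added example, not code from the thread or from Cisco; the addresses, server names and the simplified `permit ip <src> <dst>` ACE syntax are constructed for illustration. It models first-match ACL evaluation with the implicit deny and checks, for each server, whether a VPN-pool client is permitted to reach the VIP it actually talks to.

```python
import ipaddress

# Constructed sample addressing (not from the thread).
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")      # AnyConnect address pool
VPN_CLIENT = "10.200.0.25"                             # one connected client

# Each server has a real interface address and a virtual IP (VIP) that
# DNS hands out and that clients actually connect to.
SERVERS = {
    "web": {"real_ip": "192.168.10.11", "vip": "192.168.10.50"},
    "app": {"real_ip": "192.168.10.12", "vip": "192.168.10.51"},
}


def parse_acl(lines):
    """Parse simplified ACEs: '<permit|deny> ip <src> <dst>' where <src>/<dst>
    is a CIDR prefix, 'any', or 'host <ip>' (the ASA/FTD CLI keywords).
    Returns a list of (action, src_network, dst_network) tuples."""
    acl = []
    for line in lines:
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        nets = []
        while rest:
            if rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                rest = rest[1:]
            elif rest[0] == "host":
                nets.append(ipaddress.ip_network(rest[1] + "/32"))
                rest = rest[2:]
            else:
                nets.append(ipaddress.ip_network(rest[0], strict=False))
                rest = rest[1:]
        if len(nets) != 2:
            raise ValueError(f"expected source and destination in {line!r}")
        acl.append((action, nets[0], nets[1]))
    return acl


def evaluate(acl, src, dst):
    """First-match evaluation; an ACL with no matching entry denies (implicit deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def vip_reachability(acl, servers, client):
    """For each server: can the client reach the VIP, the address DNS actually returns?"""
    return {name: evaluate(acl, client, s["vip"]) == "permit"
            for name, s in servers.items()}


def build_filter(servers, key):
    """Build one per-server ACE from the network objects, keyed on either
    'real_ip' (the mistake described in the thread) or 'vip' (the fix)."""
    return [f"permit ip {VPN_POOL} host {s[key]}" for s in servers.values()]


# The three filter variants discussed in the thread.
BROKEN_ACL = parse_acl(build_filter(SERVERS, "real_ip"))   # objects hold real IPs
FIXED_ACL = parse_acl(build_filter(SERVERS, "vip"))        # objects hold the VIPs
PERMIT_ANY_ACL = parse_acl([f"permit ip {VPN_POOL} any"])  # pool -> any

if __name__ == "__main__":
    for label, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL),
                       ("permit-any", PERMIT_ANY_ACL)):
        print(f"{label:10s} {vip_reachability(acl, SERVERS, VPN_CLIENT)}")
```

Running it shows the symptom from the original post: with the objects pointing at the real addresses every VIP flow is denied even though the ACE "looks" right, while the VIP-based filter and the permit-any filter both pass. The same check is useful before deploying any filter change: evaluate the exact client-to-VIP flows users will generate against the ACL rather than trusting the object names.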