Firepower Remote Access VPN Filter List

Hi,

I have a working AnyConnect 4.6 remote access VPN solution in place on a Cisco FTD 2110 and FMC on software code 6.2.3.5. All user traffic comes via the VPN, no split-tunneling.

Now I want to apply a VPN Filter ACL to the group policy to restrict access to the network. It doesn't work.

When this extended ACL is defined, there is no ping/http/https to the LAN Servers based on DNS name or IP address. DNS resolution is working though.

Source: <remote-vpn-ip-pool>     Destination: <local-lan-server-ip>     Ports: Any        Allow

When the ACL is set to basically permit any, ping/http/https to servers (and everything else for that matter) works.

Source: <remote-vpn-ip-pool>     Destination: Any     Ports: Any        Allow

When there is no ACL defined under the group policy, basically empty field for the VPN Filter List attribute under group policy, it works as well.

It seems the contents of the Filter ACL are creating this issue.

Any ideas?

Regards,

Accepted Solution

Discard that please. The server names configured via network objects and referenced in the ACL were incorrect. They pointed to the actual server IP rather than the virtual IPs on them. Updating the ACL to reference the actual VIP made it work without issues. Sorry for the inconvenience.

Regards,
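The root cause above is worth turning into a repeatable check: a VPN filter permit entry whose destination is an address that clients never actually connect to (the server's real IP instead of the VIP its DNS name resolves to) can never match, so client traffic falls through to the ACL's implicit deny while DNS itself keeps working. The script below is an added example written for this page, not configuration or code from the original thread or from Cisco. It models the first-match, implicit-deny semantics of an ASA/FTD ACL in a simplified text grammar (`permit <src-cidr> <dst-cidr>`, not FTD syntax), and all hostnames, pool and server addresses are constructed: the DNS table stands in for what a connected client would resolve, so it runs offline. Feed it your own object definitions and the addresses clients resolve, and `dead_destinations` lists the permit entries that cannot match real traffic.

```python
"""Simulate an ASA/FTD-style VPN filter ACL against DNS-resolved destinations.

Added example for this thread. The ACL grammar is a simplified stand-in for an
FTD extended ACL, and every address, pool and hostname below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access control entry: action, source network, destination network."""
    action: str  # "permit" or "deny"
    src: Net
    dst: Net


def to_net(token: str) -> Net:
    """'any' becomes 0.0.0.0/0; anything else is parsed as CIDR (host if no prefix)."""
    if token == "any":
        return Net("0.0.0.0/0")
    return Net(token, strict=False)


def parse_acl(lines: Iterable[str]) -> List[Ace]:
    """Parse lines of the form 'permit <src-cidr> <dst-cidr>'; '#' starts a comment."""
    acl = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACE: {line!r}")
        acl.append(Ace(action, to_net(src), to_net(dst)))
    return acl


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching ACE wins; with no match the flow hits the implicit deny,
    which is how an ASA/FTD ACL (and therefore a vpn-filter) behaves."""
    s, d = IPv4(src), IPv4(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def check_filter(acl: List[Ace], client_ip: str, dns: Dict[str, str]) -> Dict[str, str]:
    """Evaluate the filter for each hostname using the address the client resolves."""
    return {name: evaluate(acl, client_ip, addr) for name, addr in dns.items()}


def dead_destinations(acl: List[Ace], dns: Dict[str, str]) -> Set[Net]:
    """Permit entries whose destination contains none of the resolved addresses.
    These can never match real client traffic: the symptom from the thread."""
    resolved = [IPv4(a) for a in dns.values()]
    return {ace.dst for ace in acl
            if ace.action == "permit" and not any(r in ace.dst for r in resolved)}


# Constructed data: a client from the VPN pool 10.10.10.0/24, two LAN services
# whose DNS names resolve to VIPs (192.0.2.20/.21) that front the real servers
# (192.0.2.10/.11).
CLIENT_IP = "10.10.10.5"
DNS = {"web.example.internal": "192.0.2.20", "api.example.internal": "192.0.2.21"}

# Broken filter: network objects point at the real server IPs, not the VIPs.
BROKEN_ACL = parse_acl([
    "permit 10.10.10.0/24 192.0.2.10/32",
    "permit 10.10.10.0/24 192.0.2.11/32",
])
# Fixed filter: destinations are the VIPs the clients actually reach.
FIXED_ACL = parse_acl([
    "permit 10.10.10.0/24 192.0.2.20/32",
    "permit 10.10.10.0/24 192.0.2.21/32",
])

if __name__ == "__main__":
    for label, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(label, check_filter(acl, CLIENT_IP, DNS))
        print(label, "permit entries no client will ever match:",
              sorted(str(n) for n in dead_destinations(acl, DNS)))
```

With the broken filter every resolved destination evaluates to `deny` and both permit entries are reported as dead; with the fixed filter every name is permitted and the dead list is empty, which mirrors the "permit any works, specific hosts do not" behaviour in the question.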
