03-27-2020 11:49 AM
Hello All,
We have enabled sysopt permit vpn to bypass the external ACL for Cisco AnyConnect VPN, but a weird thing happened: packet-tracer was always checking the external ACL and never the vpn-filter in the group policy.
Why I think this is weird: I can see in the "sh conn" logs VPN users having successfully connected to the internal resources.
03-28-2020 02:33 PM
What I am saying is that you cannot use packet-tracer to test VPN connections on the outside interface (or whatever the ingress interface is called). The only time packet-tracer will work for VPN is if the source is the inside interface and IP, with a destination of an IP at the remote end of the VPN tunnel.
And, yes, packet-tracer will always evaluate the interface ACL as it is part of the order of operations for when a packet enters and leaves an interface.
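When you do run the test the way the accepted answer describes (source on the inside interface, destination at the remote end of the tunnel), the useful part of the packet-tracer output is which phase allowed or dropped the packet, and whether an ACCESS-LIST phase (the interface ACL) and a VPN phase both appear. The following Python parser is an added example, not code from the thread or from Cisco; the two trace texts are constructed samples modelled on the ASA packet-tracer output format, and the interface names, ACL names and addresses in them are made up.

```python
import re

# Constructed sample: a from-inside trace that is allowed and reaches a VPN phase.
SAMPLE_ALLOW = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit ip any any
Additional Information:

Phase: 3
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed sample: the same flow denied by the interface ACL.
SAMPLE_DROP = """Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_in in interface inside
access-list inside_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)


def parse_packet_tracer(text):
    """Turn packet-tracer output into {'phases': [...], 'action': str, 'drop_reason': str|None}."""
    # The trailing summary starts with a bare 'Result:' line; phase results read 'Result: ALLOW'.
    head, sep, tail = text.rpartition("\nResult:\n")
    if not sep:
        raise ValueError("no final Result: section found")
    phases = []
    chunks = PHASE_RE.split(head)  # [prefix, num, body, num, body, ...]
    for i in range(1, len(chunks), 2):
        phase = {"phase": int(chunks[i]), "type": "", "subtype": "",
                 "result": "", "config": []}
        section = None
        for line in chunks[i + 1].splitlines():
            line = line.rstrip()
            if not line:
                continue
            key, _, value = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                phase[key.lower()] = value.strip()
            elif key == "Config":
                section = "config"
            elif key == "Additional Information":
                section = "info"
            elif section == "config":
                phase["config"].append(line)  # e.g. the access-group/access-list lines
        phases.append(phase)
    action = drop_reason = None
    for line in tail.splitlines():
        key, _, value = line.partition(":")
        if key == "Action":
            action = value.strip()
        elif key == "Drop-reason":
            drop_reason = value.strip()
    return {"phases": phases, "action": action, "drop_reason": drop_reason}


def acl_phases(report):
    """access-group lines of every ACCESS-LIST phase: which interface ACLs were evaluated."""
    return [line for p in report["phases"] if p["type"] == "ACCESS-LIST"
            for line in p["config"] if line.startswith("access-group")]


def vpn_phases(report):
    """Subtypes of every VPN phase; empty means the trace never reached VPN processing."""
    return [p["subtype"] for p in report["phases"] if p["type"] == "VPN"]


def verdict(report):
    """'allow', or 'drop at <phase type>: <reason>' for the first dropping phase."""
    if report["action"] == "allow":
        return "allow"
    denied = [p for p in report["phases"] if p["result"].upper() == "DROP"]
    where = denied[0]["type"] if denied else "unknown"
    return f"drop at {where}: {report['drop_reason'] or 'no reason given'}"


if __name__ == "__main__":
    for sample in (SAMPLE_ALLOW, SAMPLE_DROP):
        r = parse_packet_tracer(sample)
        print(verdict(r), "| ACLs:", acl_phases(r), "| VPN:", vpn_phases(r))
```

Paste real packet-tracer output into `parse_packet_tracer` in place of the samples; an ACCESS-LIST phase will be present in every trace, as the answer says, so the question to check is whether the trace reaches a VPN phase and where the first DROP occurs.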
03-28-2020 06:57 AM
Packet-tracer is used to test through the box traffic so the outside ACL will always be checked when using packet-tracer. VPN is to the box and packet tracer cannot be used to test a VPN connection on the ingress interface, in this case the outside interface.