

Traffic initiated from ASA inside interface is blocked on return through VPN ACL


I am trying to control the access of 'Remote Access VPN' users to our internal network, by applying filters to the various Group Policies we have configured on our ASA. The idea being that User Group A can access one set of servers, and User Group B can access a different set of servers, allowing us to control where 3rd party users and suppliers can go within our network.

So far, this works for traffic that is initiated from the remote client and is destined for the internal network. But it fails for traffic that is initiated within the internal network and is destined to the remote VPN client. For example, if I try to initiate a Remote Desktop session (TCP/3389) from the internal network to the Remote VPN Client, the connection just times out, or if I try to browse the C$ of the remote system, the connection never establishes.

I have managed to get the traffic to return from the Remote VPN Client by adding an 'any any ip' rule to the ACL filter assigned to the Group Policy. Obviously I don't want to use an 'any any ip' because it negates the use of filtering the traffic in the first place.

Does anyone have any ideas about what is preventing the traffic from getting back into the internal network?

I would have thought that traffic that was outbound from the inside interface would be able to return by default, and wouldn't need any holes punching on the return ACL.



HTH Paul ****Please rate useful posts****
Jitendriya Athavale
Cisco Employee

so what is happening here if I understand you right is you have applied vpn filter in the group policy, you want restricted access from remote clients to internal network, but from internal to remote clients when initiated from internal you want it to go through

this ain't gonna happen currently with the way vpn filters are designed, they will not look at any connection entries

so what you can do is probably say permit ip any any on filter or actually remove them and put an acl on the internal interface in outbound direction restrict access from that, that way you achieve what you are trying to do about punching holes for return traffic depending on connection entries

hope it helps
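An added configuration example (editor's illustration, not from either poster) showing the two placements discussed in the answer above. Group policy names, VPN pools and server addresses are invented for the example. The point it demonstrates: the vpn-filter ACL is evaluated without reference to the connection table, in both directions, with the VPN client as the source, so an inside-initiated RDP session dies when the client's reply packets hit the filter; an ACL applied outbound on the inside interface is consulted only for the first packet of a flow, so replies to a session started from inside match the existing connection entry and pass. The per-group restriction is kept by giving each group policy its own address pool so the interface ACL can tell the groups apart.

```cisco
! Added example, not from the thread. Assumed names/addresses:
!   GP-SUPPLIER-A  pool 10.200.1.0/24  allowed: RDP to 192.168.10.25
!   GP-SUPPLIER-B  pool 10.200.2.0/24  allowed: HTTPS to 192.168.20.40
!
! --- 1. What the question describes: vpn-filter on the group policy ---
! This ACE permits client-initiated RDP, but the filter is stateless, so the
! client's SYN/ACK for an RDP session started from 192.168.10.25 is dropped.
access-list VPNFILTER-A extended permit tcp 10.200.1.0 255.255.255.0 host 192.168.10.25 eq 3389
! Stateless workaround per Cisco's documented vpn-filter semantics (not suggested
! in the thread): match the client's reply packets by their source port. Note it
! also lets a client *initiate* to the server from source port 3389, because
! the filter cannot tell a reply from a new connection.
access-list VPNFILTER-A extended permit tcp 10.200.1.0 255.255.255.0 eq 3389 host 192.168.10.25
group-policy GP-SUPPLIER-A attributes
 vpn-filter value VPNFILTER-A

! --- 2. What the answer recommends: drop the vpn-filter, filter on the inside interface ---
! Separate pools per group policy so the interface ACL can distinguish the groups.
ip local pool POOL-A 10.200.1.1-10.200.1.254 mask 255.255.255.0
ip local pool POOL-B 10.200.2.1-10.200.2.254 mask 255.255.255.0
group-policy GP-SUPPLIER-A attributes
 vpn-filter none
 address-pools value POOL-A
group-policy GP-SUPPLIER-B attributes
 vpn-filter none
 address-pools value POOL-B

! "out" on inside = packets leaving the ASA toward internal hosts (client -> server).
! New flows from inside toward the pools enter via the inside interface instead,
! create a connection entry, and their return packets bypass this ACL.
access-list INSIDE-OUT remark Group A: RDP to one server only
access-list INSIDE-OUT extended permit tcp 10.200.1.0 255.255.255.0 host 192.168.10.25 eq 3389
access-list INSIDE-OUT remark Group B: HTTPS to one server only
access-list INSIDE-OUT extended permit tcp 10.200.2.0 255.255.255.0 host 192.168.20.40 eq 443
access-list INSIDE-OUT remark Everything else sourced from any VPN pool is dropped
access-list INSIDE-OUT extended deny ip 10.200.0.0 255.255.0.0 any
access-list INSIDE-OUT remark Non-VPN traffic leaving toward inside is left as before
access-list INSIDE-OUT extended permit ip any any
access-group INSIDE-OUT out interface inside
```

To confirm the behaviour after the change, start the RDP session from the internal host and check `show conn` for the 192.168.10.25 to 10.200.1.x flow, then `show access-list INSIDE-OUT` to see the hit counts: only client-initiated connections should increment the permit and deny lines, while the inside-initiated session appears in the connection table without touching the ACL.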

Hi Jathaval,

Thanks for your response.

If the reason this doesn't work is by design, then I will try a different approach, probably restricting access from the internal to the remote vpn network as suggested.



HTH Paul ****Please rate useful posts****

hi Paul,

i am glad i could be of help...please let us know if this has helped you by rating the answer or marking this question as resolved/answered
