Traffic initiated from ASA inside interface is blocked on return through VPN ACL
I am trying to control the access of 'Remote Access VPN' users to our internal network, by applying filters to the various Group Policies we have configured on our ASA. The idea being that User Group A can access one set of servers, and User Group B can access a different set of servers, allowing us to control where 3rd party users and suppliers can go within our network.
So far, this works for traffic that is initiated from the remote client, and is destined for the internal network. But it fails for traffic that is initiated within the internal network, and is destined to the remote VPN client. For example, if I try to initiate a Remote Desktop session (TCP/3389) from the internal network to the Remote VPN Client, the connection just times out, or if I try to browse the C$ of the remote system, the connection never establishes.
I have managed to get the traffic to return from the Remote VPN Client by adding an 'any any ip' rule to the ACL filter assigned to the Group Policy. Obviously I don't want to use an 'any any ip' because it negates the use of filtering the traffic in the first place.
Does anyone have any ideas about what is preventing the traffic from getting back into the internal network?
I would have thought that traffic that was outbound from the inside interface, would be able to return by default, and wouldn't need any holes punching on the return ACL.
So what is happening here, if I understand you right, is you have applied a VPN filter in the group policy; you want restricted access from remote clients to the internal network, but from internal to remote clients, when initiated from internal, you want it to go through.
This ain't gonna happen currently with the way VPN filters are designed; they will not look at any connection entries.
So what you can do is probably say permit ip any any on the filter, or actually remove them and put an ACL on the internal interface in the outbound direction and restrict access from that; that way you achieve what you are trying to do about punching holes for return traffic depending on connection entries.
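The two approaches discussed in this thread, side by side, as an added configuration example that is not from the original poster or the reply. The pools, server addresses, ACL and group-policy names are made up for illustration; the point is the difference in how the two ACLs are evaluated. A vpn-filter ACL is matched per packet in both directions with the VPN client as the source (the ASA swaps source and destination for traffic heading toward the client) and never consults the connection table, so a session opened from the inside needs its own line with the port on the client side. An interface ACL applied out on inside is evaluated against the connection table, so return traffic for an inside-initiated session is allowed without a hole in the ACL.

```cisco
! ----- Option A: what the original poster has, a vpn-filter per group policy -----
! Per-packet, stateless, client-is-source semantics. Client -> server RDP:
access-list GROUP-A-FILTER extended permit tcp 10.200.1.0 255.255.255.0 host 10.10.10.20 eq 3389
! Inside-initiated RDP to a Group A client: the client side is still written as the source,
! and it is the client that holds port 3389, so the port goes on the source side.
! Without this line the return packets of an inside-initiated session are dropped.
access-list GROUP-A-FILTER extended permit tcp 10.200.1.0 255.255.255.0 eq 3389 host 10.10.10.20
ip local pool POOL-A 10.200.1.1-10.200.1.254 mask 255.255.255.0
group-policy GROUP-A internal
group-policy GROUP-A attributes
 address-pools value POOL-A
 vpn-filter value GROUP-A-FILTER

! ----- Option B: what the reply recommends, drop the vpn-filter, filter on inside out -----
! Each group policy gets its own pool so the pool address identifies the group in the ACL.
ip local pool POOL-B 10.200.2.1-10.200.2.254 mask 255.255.255.0
group-policy GROUP-B internal
group-policy GROUP-B attributes
 address-pools value POOL-B
group-policy GROUP-A attributes
 no vpn-filter
! Outbound on inside = traffic leaving the ASA toward the internal network, i.e. client -> server.
! Connections opened from inside create connection entries; their return traffic is
! permitted by stateful inspection and is never matched against this ACL.
access-list INSIDE-OUT extended permit ip 10.200.1.0 255.255.255.0 host 10.10.10.20
access-list INSIDE-OUT extended permit ip 10.200.2.0 255.255.255.0 host 10.10.10.30
access-list INSIDE-OUT extended deny ip 10.200.0.0 255.255.0.0 any
! Keep whatever non-VPN outbound traffic the inside interface already carries.
access-list INSIDE-OUT extended permit ip any any
access-group INSIDE-OUT out interface inside
```

Two checks before relying on Option B: confirm that each group policy really has a distinct address pool (otherwise the inside ACL cannot tell Group A from Group B), and confirm on your own ASA version that the egress ACL on inside is applied to decrypted VPN traffic; sysopt connection permit-vpn (enabled by default) is documented as exempting VPN traffic only from the inbound ACL on the interface where the tunnel terminates, but that is worth verifying with packet-tracer rather than assuming.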