cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Who Me Too'd this topic

Beginner

Anyconnect client can't reach inside network; webvpn-svc implicit deny...

So, I've set up Anyconnect client access to an ASA-5510.

I've got a handful of interfaces, which contain hosts that should be accesible to anyconnect clients.  I'm unable to reach addresses on a specific network, due to what packet-tracer claims is an implicit deny, though I'm unsure where to apply an access-list in this case.

fw1# show nameif

Interface                Name                     Security

Ethernet0/0.205          SECURE                  90

Ethernet0/3.666          INTERNET                    0

fw1# show int ip br

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0/0.205            10.1.24.1       YES CONFIG up                    up 

Ethernet0/3.666            x.x.x.x YES CONFIG up                    up 

In all cases, my anyconnect session is via the named interface "INTERNET", security-level 0.

From my client, I cannot reach 10.1.24.10.  Incidentially, the host filters out ICMP, and is only open on tcp/80.

Can anyone suggest where I should apply an access-list permitting this traffic?  I've already applied an inbound access-list to the INTERNET interface permitting all traffic from the pool assigned to the anyconnect clients. (Phase 3)

Or perhaps I've misunderstood entirely!

Any suggestions are appreciated.  packet-tracer output below...

Regards,

  Phil

fw1# packet-tracer input INTERNET tcp 10.1.6.1 5000 10.1.24.10 80 detailed

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.1.24.0       255.255.252.0   SECURE

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INTERNET_access_in in interface INTERNET

access-list INTERNET_access_in extended permit ip object-group SITEVPNCLIENT any

object-group network SITEVPNCLIENT

network-object 10.1.6.0 255.255.255.128

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd56823f8, priority=12, domain=permit, deny=false

hits=384, user_data=0xd554ac08, cs_id=0x0, flags=0x0, protocol=0

src ip=10.1.6.0, mask=255.255.255.128, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

  set connection decrement-ttl

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd61a0308, priority=7, domain=conn-set, deny=false

hits=1359, user_data=0xd619d118, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd55fdfe0, priority=0, domain=permit-ip-option, deny=true

hits=203456, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6

Type: CP-PUNT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd616b8c0, priority=79, domain=punt, deny=true

hits=21, user_data=0xd4e82e08, cs_id=0x0, flags=0x0, protocol=0

src ip=10.1.6.1, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7

Type: WEBVPN-SVC

Subtype: in

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd51eac48, priority=70, domain=svc-ib-tunnel-flow, deny=false

hits=83, user_data=0x5000, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.1.6.1, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:

input-interface: INTERNET

input-status: up

input-line-status: up

output-interface: SECURE

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Who Me Too'd this topic