AnyConnect may be using 443 to establish the VPN. Try adding:

```
deny tcp any 172.26.20.0 0.0.0.255 eq 443
deny tcp any 172.26.21.0 0.0.0.255 eq 443
deny tcp 172.26.20.0 0.0.0.255 any eq 443
deny tcp 172.26.21.0 0.0.0.255 any eq 443
```
| Cisco AnyConnect Client | Port |
|---|---|
| TLS (SSL) | TCP 443 |
| SSL Redirection | TCP 80 (optional) |
| DTLS | UDP 443 (optional, but highly recommended) |
| IPsec/IKEv2 | UDP 500, UDP 4500 |
Obviously, the ACL entries are just examples. You'll need to take into account where the VPN traffic is terminating and specify that host. For example:

```
deny tcp host <VPN host IP> 172.26.20.0 0.0.0.255 eq 443
deny tcp host <VPN host IP> 172.26.21.0 0.0.0.255 eq 443
deny tcp 172.26.20.0 0.0.0.255 host <VPN host IP> eq 443
deny tcp 172.26.21.0 0.0.0.255 host <VPN host IP> eq 443
```

If you don't, you'll block normal SSL traffic.
HTH,
John
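A small ACL evaluator, added here as an illustration and not part of John's post, that walks both variants of the entries over constructed flows to show why the host-scoped version matters. It assumes a placeholder VPN terminator address (203.0.113.10, from TEST-NET-3) in place of the post's `<VPN host IP>` and an explicit trailing `permit ip any any` so that fall-through traffic shows up as permitted rather than hitting the implicit deny.

```python
import ipaddress

# Constructed placeholder for the post's "<VPN host IP>" (TEST-NET-3, not a real host).
VPN_HOST = "203.0.113.10"

# The post's first set of entries: they match ANY peer on tcp/443.
GENERIC_ACL = [
    "deny tcp any 172.26.20.0 0.0.0.255 eq 443",
    "deny tcp any 172.26.21.0 0.0.0.255 eq 443",
    "deny tcp 172.26.20.0 0.0.0.255 any eq 443",
    "deny tcp 172.26.21.0 0.0.0.255 any eq 443",
    "permit ip any any",  # assumed: makes fall-through visible as 'permit'
]

# The post's host-scoped entries: only tcp/443 to or from the VPN terminator.
SCOPED_ACL = [
    f"deny tcp host {VPN_HOST} 172.26.20.0 0.0.0.255 eq 443",
    f"deny tcp host {VPN_HOST} 172.26.21.0 0.0.0.255 eq 443",
    f"deny tcp 172.26.20.0 0.0.0.255 host {VPN_HOST} eq 443",
    f"deny tcp 172.26.21.0 0.0.0.255 host {VPN_HOST} eq 443",
    "permit ip any any",
]

def _endpoint(tokens):
    """Consume one Cisco address spec: 'any', 'host A.B.C.D', or 'network wildcard'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0))
    # ipaddress accepts an (address, hostmask) tuple; a Cisco wildcard is a hostmask.
    return ipaddress.ip_network((t, tokens.pop(0)), strict=False)

def parse_ace(line):
    """Parse 'action proto src dst [eq port]' (destination port only, as in the post)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _endpoint(rest), _endpoint(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, aproto, snet, dnet, aport in map(parse_ace, acl_lines):
        if aproto not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    # Constructed flows: a client to the VPN terminator, and the same client to an ordinary HTTPS site.
    for name, acl in (("generic", GENERIC_ACL), ("host-scoped", SCOPED_ACL)):
        print(name, "vpn:", evaluate(acl, "tcp", "172.26.20.15", VPN_HOST, 443),
              "web:", evaluate(acl, "tcp", "172.26.20.15", "198.51.100.7", 443))
```

Note that neither variant touches UDP 443 (DTLS) from the table above; the evaluator returns `permit` for that flow, so a UDP entry would be needed if the intent is to block the DTLS tunnel as well.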