Dynamic Access Policies - Network ACL problem - Access denied to internal network

Lucio87
Level 1

Hi all,

Cisco ASA 5516 running 9.4(4)17.

I was asked to configure the VPN connection so that, based on the security group assigned to an AD user, the user is allowed to reach certain servers on certain ports. I tried to implement this request using DAP, and the steps I followed are these:

 - I have configured AAA LDAP against Windows 2012 R2 Active Directory (and this is working fine).
 - I have configured a new pool of IP addresses.
 - I have configured a new connection profile.
 - I have configured a new AnyConnect connection profile (on another address, in order not to cause disruption).
 - I have created a new test user (TestDAP1) on the DC.
 - I have assigned the security group "DAP_IP_ANY_SG" to the user TestDAP1.
 - I have created this ACL: "access-list DAP_IP_ANY_ACL extended permit ip any any"
 - I have configured a test DAP (the dap.xml file is attached):

dynamic-access-policy-record DAP_TEST_ANY
network-acl DAP_IP_ANY_ACL
exit

The user TestDAP1 logs in to the VPN successfully and the output of the "debug DAP trace" command shows no errors, but I can't reach any IP of the internal network.

If I check the ACLs assigned to the VPN user TestDAP1 I see that they are correct, but the strange thing is that the hit counts increase when someone from the internal network tries to reach the VPN client, while they do not increase if the VPN client tries to reach an IP of the internal network.

image.png

If I look at the logs I see these messages:

image.png

I think the problem may be caused by the "no sysopt connection permit-vpn" command, but I can't find a way to fix it. Can you help me?

Thanks so much,
Luciano

Accepted Solution

Hi Muhammad,

Thanks for the reply!

NAT and split tunneling are correct.

I found the solution: because of the command "no sysopt connection permit-vpn", I had to add a permit entry for the new VPN pool to the outside ACL.

Access requests now pass first through the outside ACL and are then handled by the ACL associated with the DAP.

Kind regards,
Luciano

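As an added example (not configuration from the original thread), a constructed ASA snippet that puts together the pieces this thread touches: the outside-interface ACL entry that becomes necessary once "sysopt connection permit-vpn" is disabled, the identity NAT asked about in the reply, and a DAP network ACL narrowed to one server and port instead of "permit ip any any". All addresses, the pool, the object names, OUTSIDE_IN and LDAP_AD are assumptions; only DAP_IP_ANY_ACL and DAP_TEST_ANY come from the post.

```cisco
! Constructed example, not the poster's configuration.
! Assumed: VPN pool 10.10.50.0/24, internal LAN 192.168.10.0/24, target server 192.168.10.20.
ip local pool DAP_POOL 10.10.50.10-10.10.50.250 mask 255.255.255.0

! With sysopt connection permit-vpn disabled, decrypted VPN traffic is evaluated
! by the outside interface ACL first. Without this entry it is dropped here,
! no matter what the DAP network ACL allows (this is the failure in the thread).
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip 10.10.50.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group OUTSIDE_IN in interface outside

! Identity NAT so pool-to-LAN traffic is not translated (the check in the first reply).
object network VPN_POOL
 subnet 10.10.50.0 255.255.255.0
object network INTERNAL_LAN
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static INTERNAL_LAN INTERNAL_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! DAP network ACL, evaluated after the interface ACL. Limit it to the servers and
! ports the security group actually needs rather than "permit ip any any".
access-list DAP_IP_ANY_ACL extended permit tcp any host 192.168.10.20 eq 443
access-list DAP_IP_ANY_ACL extended deny ip any any

! The DAP record. Its selection criterion (LDAP memberOf = DAP_IP_ANY_SG) lives in
! dap.xml, set through ASDM as in the post, and is not shown here.
dynamic-access-policy-record DAP_TEST_ANY
 network-acl DAP_IP_ANY_ACL

! Connection profile tying the pool and the LDAP server group together (names assumed).
tunnel-group DAP_TG type remote-access
tunnel-group DAP_TG general-attributes
 address-pool DAP_POOL
 authentication-server-group LDAP_AD
```

After a test login, "show vpn-sessiondb detail anyconnect" lists the DAP-applied ACL for the session, and hit counts on both OUTSIDE_IN and DAP_IP_ANY_ACL should now increase for client-initiated traffic.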

2 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

Did you add identity NAT for the traffic defined as interesting traffic in the split tunnel?

If not, then you need to add that to make your LAN access work.
