02-08-2018 10:00 AM
Hi! I am quite lost when it comes to how traffic coming from, and going to, an AnyConnect client is filtered. How and where do I create rules that allow our helpdesk to connect with, for example, RDP, DameWare or some other remote desktop software TO a client that is connected with AnyConnect? Googling only turns up articles about configuring AnyConnect for access to the LAN, not from LAN to client.
Basically I am trying to be able to use a TFTP server on a VPN-connected client (my PC) to upgrade the ASA, since the network does not have any clients that I can install a TFTP server on, the ASDM is not working, nor can I get SCP working to it for some reason. It is #2 in a failover pair. The above was just an example to illustrate the direction of traffic I am asking about.
We use ASA 9.2*something and ASDM 7.9.1, SSL-VPN, split-tunnel.
02-09-2018 06:52 AM
Bengt
Remote upgrades are never a great idea, but there are a lot of variables in your question:
you will actually be attempting to connect to the ASA inside interface via management protocols
there may be ssh connection permit and deny statements that need editing to allow SCP
Do you have "route-lookup" at the end of your VPN nat statement?
the only way to know what is limiting you would be to run packet-tracer on the ASA
packet-tracer input "inside interface" tcp "your VPN client IP" 20001 "server ip" 3389 detailed
this will show you if there is an ACL that is restricting your access
you could also try to add a nat statement for the firewall inside interface
nat (outside, any) source static your_vpn_pool your_vpn_pool destination static inside inside (interface names) no-proxy-arp
HTH-
Vince
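A helper for reading the packet-tracer output Vince suggests, added here as an example and not part of the thread: it splits the trace into phases and reports the first phase that drops the packet (its type, the config lines the ASA attributes the decision to) together with the Drop-reason. The sample trace is constructed; only its layout follows the ASA's phase/Result/Drop-reason format.

```python
import re

# Constructed sample of ASA packet-tracer output (not from the thread): a
# VPN-pool client reaching an inside RDP host, denied by the inside ACL.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(trace):
    """Split packet-tracer output into one dict per 'Phase:' block."""
    phases = []
    for block in re.split(r"\n(?=Phase: )", trace):
        if not block.startswith("Phase: "):
            continue
        body = block.split("\n\n", 1)[0]  # drop the trailing summary section
        phase, section = {"config": []}, None
        for line in body.splitlines():
            if line in ("Config:", "Additional Information:"):
                section = line  # following lines belong to this section
            elif section == "Config:":
                phase["config"].append(line)
            elif section is None:  # header lines such as 'Type: ACCESS-LIST'
                key, _, value = line.partition(": ")
                phase[key.lower()] = value.strip()
        phases.append(phase)
    return phases


def find_drop(trace):
    """Return the first dropping phase and the Drop-reason, or None if allowed."""
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    for p in parse_phases(trace):
        if p.get("result") == "DROP":
            return {"phase": int(p["phase"]), "type": p["type"],
                    "config": p["config"], "reason": reason.group(1) if reason else ""}
    return None
```

Paste the real `packet-tracer ... detailed` output into `SAMPLE_TRACE` (or read it from a file) and `find_drop` points at the ACL or NAT phase to fix instead of scrolling through every phase by hand.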