cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
627
Views
0
Helpful
1
Replies

How to configure for access to a AnyConnected client

Ratatosk
Level 1
Level 1

Hi! I am quite lost when it comes to how traffic coming from, and going to, an AnyConnected client is filtered. How and where do I create  rules that allows our helpdesk to connect with for example RDP, DameWare or some other remote desktop software TO a client that is connected with AnyConnect? Googling only turns up articles about configuring AnyConnect for access to the LAN, not from LAN to client.

Basically I am trying to be able to use a TFTP-server on a VPN connected client (my PC)  to upgrade the ASA since the network does not have any clients that I can install a tftp server on and the ASDM is not working, nor can I get SCP working to it for some reason. #2 in a failover pair. The above was just an example to illustrate the direction of traffic I am asking about.

We use ASA 9.2*something and ASDM 7.9.1, SSL-VPN, split-tunnel.

1 Accepted Solution

Accepted Solutions

vrostowsky
Level 5
Level 5

Bengt

Remote upgrades are never a great idea, but there are alot of variables in your question:

you will actuall be attempting to connect to the ASA inside interface via management protocols

there may be ssh connection permit and deny statement that need editing to allow SCP

Do you have "route-lookup" at the end of your VPN nat statement?

the only way to know what is limiting you would be to run packet-tracer on the ASA

packet-tracer input "inside interface" tcp "your VPN client IP" 20001 " "server ip" 3389 detailed

this will show you is there is an ACL that is restricting your access

you could also try to add a nat statement for the firewall inside interface

nat (outside, any) source static your_vpn_pool  your_vpn_pool destination static inside  inside (interface names) no-proxy-arp

HTH-


Vince

View solution in original post

1 Reply 1

vrostowsky
Level 5
Level 5

Bengt

Remote upgrades are never a great idea, but there are alot of variables in your question:

you will actuall be attempting to connect to the ASA inside interface via management protocols

there may be ssh connection permit and deny statement that need editing to allow SCP

Do you have "route-lookup" at the end of your VPN nat statement?

the only way to know what is limiting you would be to run packet-tracer on the ASA

packet-tracer input "inside interface" tcp "your VPN client IP" 20001 " "server ip" 3389 detailed

this will show you is there is an ACL that is restricting your access

you could also try to add a nat statement for the firewall inside interface

nat (outside, any) source static your_vpn_pool  your_vpn_pool destination static inside  inside (interface names) no-proxy-arp

HTH-


Vince

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: