
Anyconnect to Anyconnect Communication

garybrophy
Level 1

Hi All, 

Looking for suggestions. I am trying to get AnyConnect-to-AnyConnect communication working so that IT can use VNC, as everyone is working from home. AnyConnect is working fine for getting to the LAN, browsing the Internet, etc.; the only issue is AnyConnect-to-AnyConnect communication. However, they can ping each other fine.

 

Have the NAT in place

1 (OUTSIDE) to (OUTSIDE) source static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL destination static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL no-proxy-arp route-lookup translate_hits = 50, untranslate_hits = 50

Access list for testing allowing 1 machine out to anywhere

access-list SSL-STAFF_ACCESS line 1 extended permit ip host 10.68.150.80 any (hitcnt=152) 0x550caee4

 

Routes for the anyconnect clients point to outside when connected.

But when I test it out it doesn't work, and ASDM tells me the traffic is being denied even though it's allowed.

 

4 Mar 27 2020 09:10:19 106103 access-list SSL-STAFF_ACCESS denied tcp for user '****' OUTSIDE/10.68.150.80(62448) -> OUTSIDE/10.68.150.141(5900) hit-cnt 1 first hit [0x7d4dcd45, 0x0]
4 Mar 27 2020 09:10:11 106103 access-list SSL-STAFF_ACCESS denied tcp for user '****' OUTSIDE/10.68.150.80(62448) -> OUTSIDE/10.68.150.141(5900) hit-cnt 1 first hit [0x7d4dcd45, 0x0]

 

any suggestion?

thanks

Gary

 

 

14 Replies

balaji.bandi
Hall of Fame

Do you have the config "same-security-traffic permit intra-interface"?

BB


Hi BB,

Thanks for the suggestion, but I already have that in place.

 

AZaburdyayev
Level 1

You should check:

1. That the local rules (on the PCs) allow the connection.

2. That all VPN networks are in the split ACL (if you have split tunnelling).

3. That no DAP policy prevents this traffic.

4. That same-interface traffic is permitted (same-security-traffic permit intra-interface).

Hope this helps

Thanks AZ,

1) I have installed Wireshark on the PC and the traffic isn't even making it there, so the firewall must be dropping it.

2) No split tunneling in this situation - everything is being tunneled

3) No DAP policy present

4) Already in place

Thanks for the suggestions

I feel that the problem is in NAT, but I am not able to understand where it is.

Are you able to provide the full config?

 

Hi AZ,

I can't post the whole config unfortunately.

The NAT around the anyconnect is as follows

global PAT

object network ANYCONNECT-STAFF-POOL
nat (OUTSIDE,OUTSIDE) dynamic interface

NONAT

nat (OUTSIDE,OUTSIDE) source static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL destination static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL no-proxy-arp route-lookup

 

The thing that is really throwing me off is the AnyConnect access list: even though I have allowed the traffic, ASDM tells me the same access list is dropping it.

access-list SSL-STAFF_ACCESS extended permit ip host 10.68.150.75 any

4 Mar 30 2020 09:23:05 106103 access-list SSL-STAFF_ACCESS denied tcp for user '****' OUTSIDE/10.68.150.75(50296) -> OUTSIDE/10.68.150.56(5900) hit-cnt 1 first hit [0x7d4dcd45, 0x0]

 

I do have a case with TAC at the moment, but they are pretty stumped also and, in light of what's happening in the world, pretty slow to respond (understandable though).

I'll update the post once I get an answer

Cheers

 

Hi,

 

   Where and how is that ACL enforced? 

 

Regards,

Cristian Matei.

Hi,

 

    Can you post the output of the following: "show run all same", "show run all sysopt", "show run access-group", "show access-list xyz", "show run group-policy xyz", "show run nat", "show run ip local pool".

 

Regards,

Cristian Matei.

Thanks Cristian,

I would rather not post all of "show run nat"; if there is something specific you are looking for, let me know. From the NAT side, this is line 1 of the NONAT, so it will be hit first:

nat (OUTSIDE,OUTSIDE) source static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL destination static ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL no-proxy-arp route-lookup

and this is the PAT for the group

object network ANYCONNECT-STAFF-POOL
nat (OUTSIDE,OUTSIDE) dynamic interface

 

here are the rest of the commands

 

show run all same
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

show run all sysopt
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp SERVICES
no sysopt noproxyarp OUTSIDE
no sysopt noproxyarp MANAGED
no sysopt noproxyarp MULTIMEDIA
no sysopt noproxyarp inside
no sysopt noproxyarp HOSTING
no sysopt noproxyarp GUEST-WIFI
no sysopt noproxyarp WLL
no sysopt noproxyarp DMZ
no sysopt noproxyarp MERAKI-DMZ

access-group OUTSIDE_IN in interface OUTSIDE
access-group MANAGED-ACCESS_IN in interface MANAGED
access-group INSIDE_OUT in interface inside
access-group HOSTING in interface HOSTING
access-group WLL_OUT in interface WLL
access-group DMZ in interface DMZ
access-group MERAKI-DMZ-IN in interface MERAKI-DMZ

show run access-list
access-list SSL-STAFF_ACCESS extended permit ip host 10.68.150.75 any
access-list SSL-STAFF_ACCESS extended permit ip ANYCONNECT-STAFF-POOL host 172.30.80.81
access-list SSL-STAFF_ACCESS extended permit ip ANYCONNECT-STAFF-POOL 172.20.0.0 255.255.0.0
access-list SSL-STAFF_ACCESS extended permit tcp ANYCONNECT-STAFF-POOL host 10.68.0.2 eq 3389
access-list SSL-STAFF_ACCESS extended permit tcp ANYCONNECT-STAFF-POOL host 10.68.0.1 eq 3389
access-list SSL-STAFF_ACCESS extended permit ip ANYCONNECT-STAFF-POOL host 172.30.80.37
access-list SSL-STAFF_ACCESS extended permit ip object ANYCONNECT-STAFF-POOL object LAN-IPs
access-list SSL-STAFF_ACCESS extended permit tcp object-group ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL object-group VNC_PORTS
access-list SSL-STAFF_ACCESS extended permit ip ANYCONNECT-STAFF-POOL host 172.30.80.80
access-list SSL-STAFF_ACCESS remark *** Allow Teamviwer ***
access-list SSL-STAFF_ACCESS extended permit tcp ANYCONNECT-STAFF-POOL any eq 5938
access-list SSL-STAFF_ACCESS extended permit udp ANYCONNECT-STAFF-POOL any eq 5938
access-list SSL-STAFF_ACCESS extended permit icmp object-group ANYCONNECT-STAFF-POOL ANYCONNECT-STAFF-POOL
access-list SSL-STAFF_ACCESS extended deny ip any any


show run group-policy GP-AC-STAFF
group-policy GP-AC-STAFF internal
group-policy GP-AC-STAFF attributes
banner value Warning:
banner value This system is restricted to authorized users for business purposes only and is subject to the Security Policy.
banner value Unauthorized access or use is a violation of company policy and the law.
banner value
banner value This system may be monitored for administrative and security reasons.
banner value By proceeding, you acknowledge that you have read and understand this notice and you consent to the system monitoring.
wins-server none
dns-server value 10.68.0.111 10.68.0.112
vpn-simultaneous-logins 3
vpn-idle-timeout 20
vpn-filter value SSL-STAFF_ACCESS
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value *******
split-dns value *****
msie-proxy server value 10.68.0.241:8080
msie-proxy method use-server
msie-proxy except-list value *************
msie-proxy local-bypass enable
msie-proxy lockdown disable
webvpn
anyconnect ssl dtls none
anyconnect dtls compression none
anyconnect ssl df-bit-ignore enable


ip local pool STAFF-SSL 10.68.150.25-10.68.150.200 mask 255.255.255.0

 

 

 

 

Hi,

 

   I just want to make sure that I understood correctly. Everything works fine except for AnyConnect-to-AnyConnect traffic, correct? Can you try the following:

         1. Remove the VPN filter; this should impose no restrictions, and AC to AC should work, just to confirm.

         2. Reapply the filter as follows (I created another object, as I was not sure whether the one you're using has the correct mask/range specified); for the new filter to be correctly applied in the ASP path, you would need to reconnect the AC sessions:

 

no access-list SSL-STAFF_ACCESS extended permit ip host 10.68.150.75 any

!

object network VPN_POOL

 subnet 10.68.150.0 255.255.255.0

!

access-list SSL-STAFF_ACCESS line 1 extended permit ip object VPN_POOL object VPN_POOL

 

   Does it work? If not, can you disconnect the users, enable the following debug "debug acl filter", reconnect the users and post the debug output and the output of the following: "show asp table filter hits", "show asp table filter access-list SSL-STAFF_ACCESS", "show vpn-sessiondb detail anyconnect".

 

Regards,

Cristian Matei.

Hi Cristian,

That is correct: AnyConnect to LAN and LAN to AnyConnect are all fine; just AnyConnect to AnyConnect is the issue.

 

I have a lot of users on AnyConnect at the moment, so I am reluctant to remove filters and kick people out. I will attempt your suggestions this evening, outside of working hours, and post back with the results.

 

thanks for the suggestions

Gary

Hi Cristian,

I didn't get sign-off from the business to test last night, so I couldn't carry out the testing.

 

I got a remote session with Cisco this morning on the issue. It turns out the access list is ignoring TCP allows. This does not work, but sticking in an IP rule does. The engineer was an AnyConnect VPN engineer and was not sure why, so the case has been escalated to the firewall team for further investigation.

 

TCP rule

access-list SSL-STAFF_ACCESS extended permit tcp object-group ANYCONNECT-STAFF-POOL object-group ANYCONNECT-STAFF-POOL object-group VNC_PORTS

 

IP rule

access-list SSL-STAFF_ACCESS extended permit ip object-group ANYCONNECT-STAFF-POOL object-group ANYCONNECT-STAFF-POOL

 

regards

Hi,

    

    Are you saying that the VPN filter ACL has to contain IP-only statements? I consider this to be a false statement, as the VPN filter functionality was pretty much designed to restrict VPN traffic at layer 4, since you can only push network routes to the remote VPN client; you can't install TCP or UDP routes in the routing table. What I'm trying to say is that regardless of whether you use split tunnelling or full tunnelling, you push some network routes over to the remote AnyConnect client, and the only way to filter the IP traffic within the tunnel is via the VPN filter, where you are allowed to use TCP/UDP statements.

  In your case, since you want to allow all IP traffic, it makes sense to use IP statements, but not because TCP/UDP statements in the VPN filter are ignored. That is not true, and this looks like a bug.

 

Regards,

Cristian Matei.
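An added example (mine, not code from this thread or from Cisco) that models how the vpn-filter ACL is applied to AnyConnect-to-AnyConnect traffic and runs the thread's own ACL lines and the 106103 deny log from Gary's earlier post through that model. The model rests on the documented ASA vpn-filter convention: the ACL is written with the VPN client as the source, and for traffic about to enter a client's tunnel the ASA evaluates it with source and destination swapped. For client-to-client traffic the same packet is therefore checked twice, once forward on the sender's session and once swapped on the receiver's session. Under that model `permit tcp POOL POOL object-group VNC_PORTS` passes the forward check but fails the swapped one (on the swapped pass the destination port is the sender's ephemeral port, not 5900), `permit ip POOL POOL` passes both, and Gary's `permit ip host 10.68.150.75 any` test rule also fails the swapped pass, which is consistent with what he reported. That this is what happened on Gary's firewall is an assumption; TAC gave no root cause in this thread. The object contents (a /24 pool, VNC_PORTS = 5900) and the source-port rule offered as a narrower fix are assumptions too, and the parser handles only the `extended` ACE forms that appear in the thread.

```python
"""Model of how an ASA vpn-filter ACL is applied to AnyConnect-to-AnyConnect
traffic.  Assumption (not confirmed by TAC in this thread): the filter is written
with the VPN client as source and is evaluated with source/destination swapped
for traffic entering a client's tunnel, so client-to-client traffic is checked
twice: forward on the sender's session, swapped on the receiver's session."""
import ipaddress
import re
from collections import namedtuple

# Constructed stand-ins for the thread's objects (their real contents are assumed).
NET_OBJECTS = {"ANYCONNECT-STAFF-POOL": ipaddress.ip_network("10.68.150.0/24")}
PORT_GROUPS = {"VNC_PORTS": {5900}}
# Copy of a %ASA-4-106103 line from the thread (user name masked in the original).
DENIED_LOG = ("4 Mar 30 2020 09:23:05 106103 access-list SSL-STAFF_ACCESS denied tcp "
              "for user '****' OUTSIDE/10.68.150.75(50296) -> OUTSIDE/10.68.150.56(5900) "
              "hit-cnt 1 first hit [0x7d4dcd45, 0x0]")
LOG_RE = re.compile(r"106103 access-list \S+ denied (?P<proto>\w+) for user '[^']*' "
                    r"\S+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
                    r"\S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")
# sport/dport are sets of allowed ports, or None for "any port".
Rule = namedtuple("Rule", "action proto src sport dst dport")

def _take_addr(tok):
    """Consume one address spec: any | host A | object[-group] NAME | A MASK."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    if t in ("object", "object-group"):
        return NET_OBJECTS[tok.pop(0)]
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False)

def _take_port(tok):
    """Consume an optional port spec: eq N | object-group SERVICE-GROUP."""
    if len(tok) >= 2 and tok[0] == "eq":
        del tok[0]
        return {int(tok.pop(0))}
    if len(tok) >= 2 and tok[0] == "object-group" and tok[1] in PORT_GROUPS:
        del tok[0]
        return set(PORT_GROUPS[tok.pop(0)])
    return None

def parse_rule(line):
    """Parse one 'access-list NAME extended ...' ACE (remark lines are not handled)."""
    tok = line.split()
    tok = tok[tok.index("extended") + 1:]
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = _take_addr(tok), _take_port(tok)
    dst, dport = _take_addr(tok), _take_port(tok)
    return Rule(action, proto, src, sport, dst, dport)

def parse_log(line):
    """Return (proto, src, sport, dst, dport) from a 106103 deny message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 106103 access-list deny message")
    return (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def evaluate(rules, proto, src, sport, dst, dport):
    """First match wins; every ASA ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in ("ip", proto) and s in r.src and d in r.dst
                and (r.sport is None or sport in r.sport)
                and (r.dport is None or dport in r.dport)):
            return r.action
    return "deny"

def vpn_filter(rules, proto, src, sport, dst, dport):
    """Client-to-client verdict: forward pass, then the swapped pass."""
    if evaluate(rules, proto, src, sport, dst, dport) != "permit":
        return ("deny", "from-sender")
    if evaluate(rules, proto, dst, dport, src, sport) != "permit":
        return ("deny", "toward-receiver")
    return ("permit", None)

POOL = "object-group ANYCONNECT-STAFF-POOL"
TCP_RULE = f"access-list SSL-STAFF_ACCESS extended permit tcp {POOL} {POOL} object-group VNC_PORTS"
IP_RULE = f"access-list SSL-STAFF_ACCESS extended permit ip {POOL} {POOL}"
HOST_RULE = "access-list SSL-STAFF_ACCESS extended permit ip host 10.68.150.75 any"
# Assumed narrow fix: the VNC port as *source* port, which is what the swapped pass sees.
REVERSE_RULE = f"access-list SSL-STAFF_ACCESS extended permit tcp {POOL} object-group VNC_PORTS {POOL}"
DENY_ALL = "access-list SSL-STAFF_ACCESS extended deny ip any any"
VARIANTS = {
    "tcp eq 5900 only": [TCP_RULE, DENY_ALL],
    "host .75 any test rule": [HOST_RULE, TCP_RULE, DENY_ALL],
    "permit ip": [IP_RULE, DENY_ALL],
    "tcp + source-port rule": [TCP_RULE, REVERSE_RULE, DENY_ALL],
}

def verdicts_for_thread():
    """Evaluate the flow from the thread's deny log against each ACL variant."""
    flow = parse_log(DENIED_LOG)
    return {name: vpn_filter([parse_rule(ace) for ace in acl], *flow) for name, acl in VARIANTS.items()}

if __name__ == "__main__":
    for name, verdict in verdicts_for_thread().items():
        print(f"{name:24s} -> {verdict}")
```

Run it to print one verdict per ACL variant. The security point is the trade-off between the two fixes: `permit ip POOL POOL` makes VNC work but also opens every port between every pair of VPN clients, whereas a second TCP rule with the VNC port as the source port keeps the filter at layer 4. Whether the ASA really installs the filter that way is what the `show asp table filter access-list SSL-STAFF_ACCESS` output Cristian asked for would confirm.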

Hi Cristian,

 

I think you misunderstood me. I didn't say you cannot use them, but that they are not working for me.

I also think this is a bug on my firewall.

 

It's with the Cisco firewall team now anyway, and they will inform me of what they find.

 

Thanks for the suggestions all the same

regards