ASA5510 - Accessing Anyconnect via other local Interface

sjcalba
Level 1

Hello - I hope someone can help.

I have a scenario where there is an ASA5510 configured as follows:

Interface0 = Outside

Interface1 = LAN

Interface2 = DMZ

Interface3 = unused

Running ASA version 8.2[1]

All network operations are fine, as are the IPSEC tunnels to other branch offices, and the incoming SSL VPN accessed via the IP address assigned to the external adapter.

My problem is that I have a device on the DMZ that needs to access the AnyConnect service hosted on the external adapter so that it can access LAN resources.  When I try to access it, I see the following error appearing in the debug log:

Dec 03 2012 12:10:50, severity 3, syslog ID 710003, [DMZ client address]/51031 -> [AnyConnect ExternalAddress]/443, TCP:
TCP access denied by ACL from [DMZ client address]/51031 to DMZ:[AnyConnect ExternalAddress]/443

If you look closely, it suggests an ACL issue from the DMZ client to the external AnyConnect IP address, BUT it suggests the AnyConnect IP address is on the DMZ interface.

Has anyone seen this before? 

Thanks in advance for any help.

1 Reply

anujsharma85
Level 1

In this scenario, you will have to enable AnyConnect on the DMZ interface to let DMZ users establish an AnyConnect tunnel and access LAN resources, since from the DMZ or any other LAN interface you cannot directly VPN to the external interface.

For reference, check https://supportforums.cisco.com/message/3801168#3801168 as similar discussion has happened in it as well.

Regards,

Anuj
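The change the reply describes, written out as an added example that is not from the original thread or from Cisco: an ASA 8.2-style configuration that keeps the existing outside listener and additionally enables the WebVPN/AnyConnect listener on the DMZ interface, so the DMZ host connects to the DMZ interface's own address rather than to the outside address. The interface names (outside, DMZ, LAN), the AnyConnect image filename, the group-policy and tunnel-group names, and all addresses and pools are assumptions for illustration; substitute your own.

```text
! --- Added example, assumed names and addresses; not the poster's configuration ---
! Enable the SSL VPN listener on the DMZ interface in addition to outside.
! Clients on the DMZ then connect to https://<DMZ interface IP>/ (not the outside IP).
webvpn
 enable outside
 enable DMZ
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
!
! Group policy: allow the AnyConnect (svc) protocol and tunnel only the LAN subnet.
access-list SPLIT-LAN standard permit 10.1.1.0 255.255.255.0
group-policy DMZ-LAN-ACCESS internal
group-policy DMZ-LAN-ACCESS attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-LAN
!
! Address pool handed to AnyConnect clients arriving on the DMZ interface.
ip local pool DMZ-ANYCONNECT-POOL 10.1.99.1-10.1.99.50 mask 255.255.255.0
!
tunnel-group DMZ-ANYCONNECT type remote-access
tunnel-group DMZ-ANYCONNECT general-attributes
 address-pool DMZ-ANYCONNECT-POOL
 default-group-policy DMZ-LAN-ACCESS
tunnel-group DMZ-ANYCONNECT webvpn-attributes
 group-alias DMZ-ANYCONNECT enable
!
! 8.2 NAT exemption so LAN <-> VPN pool traffic is not translated on the LAN interface.
access-list LAN-NONAT extended permit ip 10.1.1.0 255.255.255.0 10.1.99.0 255.255.255.0
nat (LAN) 0 access-list LAN-NONAT
```

After applying, `show run webvpn` should list `enable DMZ`, and a browser on the DMZ host pointed at the DMZ interface address over TCP/443 should reach the AnyConnect portal instead of producing the 710003 "access denied by ACL" message. Keep the tunnelled scope to the LAN subnet via the split-tunnel list so the DMZ host does not gain a route to more than the resources it needs.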
