Bypass int acl for inbound VPN not working

rajmohan30
Level 1

Hi,

Though bypass the interface ACL for inbound VPN is enabled, the AnyConnect users are unable to reach the LAN segment behind the core. But from the ASA itself it is reachable.

When I checked the packet-tracer, it shows that it failed at ACL. Does it mean that it is still looking at the outside interface ACL?

ASA1# packet-tracer input OUTSIDE tcp x.x.x.x 5000 y.y.y.y 445

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <> using egress ifc INSIDE

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INTERNAL-IP-ALL INTERNAL-IP-ALL destination static NETWORK_OBJ_10.X.X.X_25 NETWORK_OBJ_10.X.X.X_25 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface INSIDE
Untranslate y.y.y.y/445 to y.y.y.y/445

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INTERNAL-IP-ALL INTERNAL-IP-ALL destination static NETWORK_OBJ_10.X.X.X_25 NETWORK_OBJ_10.X.X.X_25 no-proxy-arp route-lookup
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

2 Replies

Sumaiyah
Level 1

I have added the VPN-Filter to the group policy and applied that to the connection profiles for the site-to-site VPN. VPN traffic still does not follow through the outside interface unless I allow IPSec to bypass ACL.

vsurresh
Level 1
You will need to add the "decrypted" keyword at the end of the packet-tracer command to check VPN traffic. (I think you need 9.9 code to run this option.)
What happens when you add an ACL to allow the traffic from outside?
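The trace in the question and the "decrypted" keyword suggested in the last reply can be tied together with a small parser: it reads a packet-tracer transcript, finds the phase that dropped the packet, and flags the case where the drop is the interface ACL on the VPN-terminating interface but the trace was run without "decrypted" (in which case the ASA simulated a clear-text packet, and "sysopt connection permit-vpn" only bypasses the interface ACL for decrypted VPN traffic). This is an added example, not code from the original thread or from Cisco; the sample trace is constructed with placeholder addresses and object names, and the function names and the "inconclusive" heuristic are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the same shape as the trace in the question
# (placeholder addresses and object names, not real output from the poster's ASA).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.1 using egress ifc INSIDE

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INTERNAL-IP-ALL INTERNAL-IP-ALL destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface INSIDE

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str
    config: List[str] = field(default_factory=list)


@dataclass
class Trace:
    phases: List[Phase]
    input_interface: Optional[str]
    output_interface: Optional[str]
    action: Optional[str]
    drop_reason: Optional[str]

    def drop_phase(self) -> Optional[Phase]:
        """First phase whose Result is DROP, or None if the packet was allowed."""
        return next((p for p in self.phases if p.result == "DROP"), None)


def parse_packet_tracer(text: str) -> Trace:
    """Split the transcript into blank-line separated blocks: one per Phase plus the Result summary."""
    phases: List[Phase] = []
    summary = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            fields, config, section = {}, [], None
            for line in lines:
                if line.startswith("Config:"):
                    section = "config"
                    continue
                if line.startswith("Additional Information:"):
                    section = "info"  # free text; not needed for the verdict
                    continue
                if section == "config":
                    config.append(line.strip())
                elif section is None:  # Phase/Type/Subtype/Result header lines
                    key, _, value = line.partition(":")
                    fields[key.strip().lower()] = value.strip()
            phases.append(Phase(int(fields["phase"]), fields.get("type", ""),
                                fields.get("subtype", ""), fields.get("result", ""), config))
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, value = line.partition(":")
                summary[key.strip().lower()] = value.strip()
    return Trace(phases, summary.get("input-interface"), summary.get("output-interface"),
                 summary.get("action"), summary.get("drop-reason"))


def build_packet_tracer_cmd(ifc, proto, src, sport, dst, dport, decrypted=False) -> str:
    """Compose the ASA command; 'decrypted' makes the ASA treat the packet as post-decryption VPN traffic."""
    cmd = f"packet-tracer input {ifc} {proto} {src} {sport} {dst} {dport}"
    return cmd + " decrypted" if decrypted else cmd


def diagnose(trace: Trace, vpn_interface: str, decrypted_flag_used: bool) -> str:
    """Heuristic verdict (example's own): an interface-ACL drop on the VPN interface without
    'decrypted' does not prove the VPN bypass is broken, because the trace tested a clear-text packet."""
    p = trace.drop_phase()
    if p is None:
        return "allowed: no phase dropped the packet"
    if p.type == "ACCESS-LIST" and trace.input_interface == vpn_interface and not decrypted_flag_used:
        return (f"inconclusive: interface ACL on {vpn_interface} dropped the packet in phase {p.number}, "
                f"but the trace simulated clear-text traffic; rerun with the 'decrypted' keyword")
    return f"dropped in phase {p.number} ({p.type}): {trace.drop_reason}"


if __name__ == "__main__":
    t = parse_packet_tracer(SAMPLE_TRACE)
    print(diagnose(t, "OUTSIDE", decrypted_flag_used=False))
    print(build_packet_tracer_cmd("OUTSIDE", "tcp", "x.x.x.x", 5000, "y.y.y.y", 445, decrypted=True))
```

If the rerun with "decrypted" still drops in an ACCESS-LIST phase, the Config lines of that phase tell you which rule did it, which is where a group-policy vpn-filter would show up rather than the interface ACL.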