05-13-2020 08:04 AM
Hi,
Though "bypass interface ACL for inbound VPN" is enabled, the AnyConnect users are unable to reach the LAN segment behind the core, but from the ASA itself it is reachable.
When I checked the packet-tracer, it shows that it failed at the ACL. Does it mean that it is still looking at the outside interface ACL?
ASA1# packet-tracer input OUTSIDE tcp x.x.x.x 5000 y.y.y.y 445

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <> using egress ifc INSIDE

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INTERNAL-IP-ALL INTERNAL-IP-ALL destination static NETWORK_OBJ_10.X.X.X_25 NETWORK_OBJ_10.X.X.X_25 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface INSIDE
Untranslate y.y.y.y/445 to y.y.y.y/445

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INTERNAL-IP-ALL INTERNAL-IP-ALL destination static NETWORK_OBJ_10.X.X.X_25 NETWORK_OBJ_10.X.X.X_25 no-proxy-arp route-lookup
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
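When many flows have to be checked, it helps to pull the dropping phase, the rule it matched and the drop reason out of packet-tracer output automatically rather than reading each trace by eye. The following Python is an added example, not code from the post or from Cisco; it runs over a constructed sample modelled on the trace above (phases 2-4 omitted, addresses anonymised as in the original).

```python
# Constructed sample modelled on the packet-tracer output in the post (phases 2-4 omitted).
SAMPLE = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <> using egress ifc INSIDE
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
output-interface: INSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split raw packet-tracer output into per-phase dicts plus the trailing summary."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Phase:"):            # "Phase: N" opens a new block
            cur = {"number": int(line.split(":")[1]), "Config": [], "Additional Information": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                  # bare "Result:" opens the trailing summary
            cur, section = None, "summary"
        elif not line or (cur is None and section != "summary"):
            continue                             # blank lines and banner text before phase 1
        elif section == "summary":
            key, _, value = line.partition(":")  # input-interface, Action, Drop-reason, ...
            summary[key] = value.strip()
        elif line in ("Config:", "Additional Information:"):
            section = line[:-1]                  # free-form lines follow until the next keyword
        elif section:
            cur[section].append(line)
        else:
            key, _, value = line.partition(":")  # Type / Subtype / Result
            cur[key] = value.strip()
    return phases, summary

def first_drop(text):
    """Return (phase, type, matched config, drop reason) for the first DROP phase, else None."""
    phases, summary = parse_packet_tracer(text)
    hit = next((p for p in phases if p.get("Result") == "DROP"), None)
    return hit and (hit["number"], hit["Type"], " | ".join(hit["Config"]) or "<none>",
                    summary.get("Drop-reason", "<none>"))
```

For the sample above, first_drop reports phase 5, ACCESS-LIST, matched config "Implicit Rule", which is exactly the question in the post: the simulated flow is being evaluated against the interface access list rather than treated as VPN traffic.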
05-13-2020 09:28 AM - edited 05-14-2020 10:07 AM
I have added the VPN-Filter to the group policy and applied that to the connection profiles for the site-to-site VPN. VPN traffic still does not flow through the outside interface unless I allow IPsec to bypass the ACL.
05-14-2020 05:50 AM