01-22-2020 08:52 AM
Hi all,
Cisco ASA 5516 running 9.4(4)17.
I was asked to configure the VPN connection so that, based on the security group assigned to an AD user, the user is allowed to reach certain servers on certain ports. I tried to implement this request using DAP, and the steps I followed are these:
- I have configured AAA LDAP against a Windows 2012 R2 Active Directory (and this is working fine).
- I have configured a new pool of IP addresses
- I have configured a new connection profile
- I have configured a new AnyConnect connection profile (on another address so as not to cause disruption)
- I have created a new test user (TestDAP1) on the DC
- I have assigned the security group "DAP_IP_ANY_SG" to the user TestDAP1
- I have created this ACL: "access-list DAP_IP_ANY_ACL extended permit ip any any"
- I have configured a test DAP (the dap.xml file is attached)
dynamic-access-policy-record DAP_TEST_ANY
network-acl DAP_IP_ANY_ACL
exit
The VPN login for user TestDAP1 is successful and the output of the "debug dap trace" command shows no errors, but I can't reach any IP of the internal network.
If I check the ACLs assigned to the VPN user TestDAP1 I see that they are correct, but the strange thing is that the hit counts increase when someone from the internal network tries to reach the VPN client, while they do not increase if the VPN client tries to reach an IP of the internal network.
If I look at the logs I see these messages:
I think the problem may be caused by the "no sysopt connection permit-vpn" command, but I can't find a way to fix it. Can you help me?
Thanks so much,
Luciano
Labels: AnyConnect, VPN
Accepted Solutions
01-23-2020 01:49 AM
Hi Muhamad,
Thanks for the reply!
NAT and split tunneling are correct.
I found the solution: because of the command "no sysopt connection permit-vpn", I had to add a permit entry in the outside ACL for the new VPN pool.
Access requests now pass first through the outside ACL and are then handled by the ACL associated with the DAP.
Kind regards,
Luciano
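The following is an added configuration example, not the original poster's configuration or attached dap.xml. It pulls together the setup described in the question (pool, connection profile, DAP record with a network ACL) and the fix from the accepted answer (an outside-interface ACL entry for the VPN pool because "sysopt connection permit-vpn" is disabled), plus the identity NAT raised in the reply. All names and addresses (DAP_POOL, VPN_POOL, INSIDE_NET, OUTSIDE_IN, LDAP_AD, GP_DAP_TEST, TG_DAP_TEST, the 10.99.0.0/24 and 192.168.10.0/24 subnets, the 192.168.10.20 file server) are assumptions chosen for illustration. The DAP selection criterion that matches the AD group (LDAP attribute memberOf = DAP_IP_ANY_SG) is still set in ASDM and stored in dap.xml; it has no CLI equivalent and is not shown here.

```cisco
! Assumed objects (illustration only, not from the original post):
!   VPN client pool  10.99.0.0/24       -> object VPN_POOL
!   internal subnet  192.168.10.0/24    -> object INSIDE_NET
!   existing AAA LDAP server group      -> LDAP_AD
!
! 1. Address pool for the test connection profile
ip local pool DAP_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
!
! 2. Identity NAT so inside<->VPN traffic is not translated (the point
!    raised in the reply); without it LAN access fails regardless of ACLs.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! 3. Split tunnel: only the internal subnet is sent through the tunnel
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
group-policy GP_DAP_TEST internal
group-policy GP_DAP_TEST attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 4. Connection profile authenticating against the existing LDAP group
tunnel-group TG_DAP_TEST type remote-access
tunnel-group TG_DAP_TEST general-attributes
 address-pool DAP_POOL
 authentication-server-group LDAP_AD
 default-group-policy GP_DAP_TEST
!
! 5. The fix from the accepted answer. With "no sysopt connection permit-vpn",
!    decrypted VPN traffic is evaluated against the outside interface ACL
!    BEFORE the per-user (DAP / vpn-filter) ACL. Without an entry here the
!    session comes up and "debug dap trace" is clean, but every packet from
!    the client toward the LAN is dropped and the DAP ACL never gets a hit.
!    Keep this entry scoped to pool -> internal subnet, not "permit ip any any":
!    this ACE is the first gate for every VPN user, the DAP ACL is the second.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip object VPN_POOL object INSIDE_NET
access-group OUTSIDE_IN in interface outside
!
! 6. Per-group restriction lives in the DAP network ACL. The "permit ip any any"
!    ACL from the question is fine for a test record; a production record for
!    an AD group should list only the servers and ports that group needs,
!    e.g. a file server over SMB only (assumed host 192.168.10.20).
access-list DAP_FILESRV_ACL extended permit tcp any host 192.168.10.20 eq 445
access-list DAP_FILESRV_ACL extended deny ip any any
dynamic-access-policy-record DAP_FILESRV
 network-acl DAP_FILESRV_ACL
 exit
!
! 7. Checks after a test login (read-only, run from enable mode):
!    show access-list OUTSIDE_IN                  -> hitcnt on the VPN_POOL ACE rises
!    show vpn-sessiondb detail anyconnect filter name TestDAP1
!                                                 -> shows the DAP record and ACL applied
```

Design note: the alternative is to leave "sysopt connection permit-vpn" at its default, which bypasses the interface ACL for decrypted VPN traffic and makes the DAP network ACL the only filter. Keeping "no sysopt connection permit-vpn", as the poster did, is the stricter choice: the outside ACL then acts as a coarse, centrally reviewed guard for the whole pool, and the DAP ACL carries the per-AD-group detail. Whichever is chosen, the hit counters in "show access-list" are the quickest way to see which of the two ACLs is dropping the traffic.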
01-22-2020 10:02 AM
Hi,
Did you add identity NAT for the traffic defined as interesting traffic in the split tunnel?
If not, then you need to add that to make your LAN access work.
