I believe that if we enable the sysopt for IPsec traffic on the FW, then it won't look at the interface ACL, and the ACL will instead be applied through the vpn-filter on the group-policy profile.
My problem is this: the user is connected on VPN from outside and is trying to download a file from an inside host over the SCP port.
I checked the syslog server and found a few abnormal deny statements, denied by the inside_inbound ACL. After that I checked with the user, who stated the same: while doing SCP from the VPN IP 10.0.0.38 to the destination IP 10.0.1.157, the connection freezes and the customer needs to reconnect to re-establish the session. While investigating the configuration, the adm profile uses the admin-access ACL, which permits traffic between these two hosts, i.e. 10.0.1.157 and 10.0.0.38, so I am wondering why this flow got denied by the inside_inbound ACL.
group-policy adm-group-policy internal
group-policy adm-group-policy attributes
vpn-filter value adm-access
access-list adm-access remark Allowed Access
access-list adm-access extended permit ip 10.0.0.0 255.255.255.192 10.0.0.0 255.255.252.0
access-list adm-access extended deny ip any any log
ip local pool vpnpool 10.0.0.6-10.0.0.63 mask 255.255.252.0
ip address 220.127.116.11 255.255.255.0
ip address 10.0.0.1 255.255.252.0
access-list outside_inbound extended deny ip any any log
access-list inside_inbound extended deny ip any any log
access-group outside_inbound in interface outside
access-group inside_inbound in interface inside
Can anyone provide a resolution for this issue? It would be appreciated.
Please find the sysopt output below:
cisco# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt noproxyarp yellow
no sysopt noproxyarp devyellow
no sysopt noproxyarp management
I see that you configured some ACLs for the VPN users and you also have sysopt permit-vpn, which is inconsistent, because if you enable sysopt permit-vpn it permits any packets that come from an IPsec tunnel without checking any interface access lists.
Normally, if you have the sysopt lines below configured, that would be sufficient:
sysopt connection tcpmss 1280
sysopt noproxyarp outside
sysopt noproxyarp inside
Can you give more information about your problem so that I can help further?
You are right: when the customer is connected on VPN and then tries to download some file using SCP, sometimes the interface ACL (the inside_inbound ACL) denies the packet, which is not supposed to happen, since the packet is coming from the IPsec tunnel and the interface ACL should not be consulted.
After that the user's session freezes and he needs to reconnect the VPN for it to work.
Can you please clarify for me how inbound and outbound traffic is handled by the vpn-filter attribute on the group-policy profile? Is it bidirectional or unidirectional? And can you find where this is causing the problem?
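To answer the bidirectional question above with something you can run, here is an added example (not from the thread or from Cisco) that parses the adm-access ACL exactly as posted and evaluates it the way an ASA applies a vpn-filter: the ACE is always matched with the VPN client as source and the inside host as destination, for traffic in both directions, with an implicit deny at the end. The flow addresses are the ones from the thread; the helper names are my own.

```python
import ipaddress

# The vpn-filter ACL copied from the thread's posted configuration.
ADM_ACCESS = """
access-list adm-access remark Allowed Access
access-list adm-access extended permit ip 10.0.0.0 255.255.255.192 10.0.0.0 255.255.252.0
access-list adm-access extended deny ip any any log
"""


def _network(tok):
    """Consume one ASA address operand: 'any', 'host A.B.C.D' or 'net mask'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # ASA uses a subnet mask (not a wildcard) after the network address.
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_acl(text):
    """Return [(action, src_net, dst_net)] for 'extended <action> ip' ACEs; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        action, proto = tok[3], tok[4]
        src, rest = _network(tok[5:])
        dst, _ = _network(rest)
        if proto == "ip":
            aces.append((action, src, dst))
    return aces


def vpn_filter_decision(acl_text, client_ip, inside_ip, direction="client_to_inside"):
    """Evaluate a vpn-filter for one flow.

    ASA writes and matches the vpn-filter from the remote (VPN client) perspective:
    whether the packet is leaving the tunnel (client_to_inside) or about to enter it
    (inside_to_client), the ACE is compared with src=client and dst=inside host.
    No match means the implicit deny applies.
    """
    assert direction in ("client_to_inside", "inside_to_client")
    client, inside = ipaddress.ip_address(client_ip), ipaddress.ip_address(inside_ip)
    for action, src, dst in parse_acl(acl_text):
        if client in src and inside in dst:
            return action
    return "deny"
```

Running it for 10.0.0.38 and 10.0.1.157 returns `permit` in both directions, so the adm-access vpn-filter itself is not what dropped the SCP flow.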