cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4304
Views
13
Helpful
7
Replies

How to allow access into VPN Filter

Mohamed Hamid
Level 1
Level 1

Hi Guys

I have a quick question.

I have a VPN filter applied to my VPN group policy on network 192.16.1.0/24

I would like a management server sitting on 10.0.0.0/23 network to VNC and have specified access to users who are VPNed.

In the VPN ACL I allowed the server which is 10.0.0.11 access to 192.16.1.0/24 on port tcp/5900 but I in the logs I see that it is denied with

access-list vpnACL denied tcp for user <'unknown'> serverNetwork/10.0.0.11(57582) -> dmzinterface/192.16.1.88(5900) hit-cnt 1

What is the solution to this problem?

Your help is much appreciated

Kind Regards

7 Replies 7

Good day Mohamed,

Are you defining the VPN filter under the group-policy settings of the specific connectio profile?

The crypto ACL should not include any ports, only IP (recommended).

Please check this out:


PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access

Let me know if you have any questions.

Portu.

Please rate any post you find useful.

Hi Javier

Yes I am defining the VPN filter in group policy on a connection profile

In that ACL I have specified the access requirements for VPN users i.e file access and printer access to print servers.

What I would like i to allow access into the vpn tunnel as I have a management server that needs tcp/5900 and tcp/3283

Ok, so we need to make sure we have a good understanding of how the VPN filter works:

1- VPN filters check inbound connections.

So:

Local network: 192.168.1.0/24

Remote network: 192.168.2.0/24

To allow RDP on the VPN filter:

In case the remote site is initiating the TCP connection to your servers on port 3389.

access-list VPN_FILTER permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389

In case the local site is initiating the TCP connection to the remote servers on port 3389.

access-list VPN_FILTER permit tcp 192.168.2.0 255.255.255.0 eq 3389 192.168.1.0 255.255.255.0

Let me know.

Thanks.

Please rate any post you find useful.

Hi Javier

Sorry did not quite understand the above.

I am mainly using the ASDM, in the group policy I have applied the IPv4 filter using an ACL that i created to specifiy required access for outbound vpn connections.

The problem is defining inbound connections to the VPN range...

In the vpn filter I have specified to allow access from management server into vpn network.. but in the logs I see that it is denied getting denied by the vpn filter each time it tries to initiate a remote session into a user who is vpned

At this point I would need to check out your settings.

Could you please include the following?

1- group-policy, "show run group-policy xxxx"

2- The ACL used as a filter: "show access-list xxxx"

3- Local network.

4- Remote network.

5- Specific port and protocol.

6- Who initiates the connection? Local or Remote?

Thanks.

Hi Javier

1)

asa-L# show run group-policy VPN-1_1

group-policy VPN-1_1 internal

group-policy VPN-1_1 attributes

wins-server none

dns-server value 10.0.0.24 10.0.0.25

vpn-filter value vpnACL

vpn-tunnel-protocol IPSec svc webvpn

default-domain value xxx

msie-proxy server value 162.16.9.15:8080

msie-proxy method use-server

msie-proxy local-bypass enable

webvpn

  svc ask none default svc

asa-L#

2)

asa-L# show access-list vpnACL

access-list vpnACL; 33 elements; name hash: 0x5c97374a

access-list vpnACL line 1 extended permit ip host MDM02 vpnNET 255.255.255.0 (hitcnt=0) 0x4524d9e0

access-list vpnACL line 2 extended permit tcp vpnNET 255.255.255.0 host 162.16.9.15 object-group proxy 0x21fb8071

  access-list vpnACL line 2 extended permit tcp vpnNET 255.255.255.0 host 162.16.9.15 eq 1080 (hitcnt=824) 0x9720c243

  access-list vpnACL line 2 extended permit tcp vpnNET 255.255.255.0 host 162.16.9.15 eq 8080 (hitcnt=70062) 0x67f7ae94

access-list vpnACL line 3 remark Users Printer Access to CUPS

access-list vpnACL line 4 extended permit object-group DM_INLINE_SERVICE_28 vpnNET 255.255.255.0 host il2Puppet 0x810f7ce9

  access-list vpnACL line 4 extended permit tcp vpnNET 255.255.255.0 host il2Puppet eq 631 (hitcnt=0) 0x2f725813

  access-list vpnACL line 4 extended permit udp vpnNET 255.255.255.0 host il2Puppet eq snmp (hitcnt=1) 0xf9668cab

access-list vpnACL line 5 extended permit object-group DM_INLINE_SERVICE_29 vpnNET 255.255.255.0 host MDM02 0x2276e069

  access-list vpnACL line 5 extended permit tcp vpnNET 255.255.255.0 host MDM02 eq 3283 (hitcnt=0) 0x98e6ccc6

  access-list vpnACL line 5 extended permit tcp vpnNET 255.255.255.0 host MDM02 eq 5900 (hitcnt=0) 0x53ef8d06

  access-list vpnACL line 5 extended permit udp vpnNET 255.255.255.0 host MDM02 eq 3283 (hitcnt=20) 0x9da32c32

  access-list vpnACL line 5 extended permit icmp vpnNET 255.255.255.0 host MDM02 (hitcnt=99) 0x3cbe73ab

  access-list vpnACL line 5 extended permit udp vpnNET 255.255.255.0 host MDM02 eq 5900 (hitcnt=0) 0xb8ad1340

access-list vpnACL line 6 extended permit object-group DM_INLINE_SERVICE_26 vpnNET 255.255.255.0 host AH1-SVR-CAN1 0x41cc1556

  access-list vpnACL line 6 extended permit tcp vpnNET 255.255.255.0 host AH1-SVR-CAN1 eq lpd (hitcnt=7) 0x98b74e1d

  access-list vpnACL line 6 extended permit udp vpnNET 255.255.255.0 host AH1-SVR-CAN1 eq snmp (hitcnt=14) 0x2f517698

access-list vpnACL line 7 extended permit object-group DM_INLINE_SERVICE_27 vpnNET 255.255.255.0 object-group il2AHdirsvr 0x619f3308

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq kerberos (hitcnt=0) 0x27c35d0f

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq kerberos (hitcnt=0) 0x5a508170

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap2 eq kerberos (hitcnt=0) 0x45de38af

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap1 eq kerberos (hitcnt=0) 0xb658a5b4

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap2 eq domain (hitcnt=8091) 0xf1ccef4f

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap1 eq domain (hitcnt=42074) 0xc3128476

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq ldap (hitcnt=605) 0xf5819171

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq ldap (hitcnt=936) 0x84cddf3c

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq 88 (hitcnt=14) 0x61e385a6

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq 88 (hitcnt=20) 0x3f738f97

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap2 eq 88 (hitcnt=111) 0x5d3bdaa2

  access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap1 eq 88 (hitcnt=461) 0xe1412727

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq 549 (hitcnt=30) 0x36cecf23

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq 549 (hitcnt=2) 0x993d09ef

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq 548 (hitcnt=0) 0xe6575e39

  access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq 548 (hitcnt=15) 0xbe5ac037

  access-list vpnACL line 7 extended permit icmp vpnNET 255.255.255.0 host ldap2 (hitcnt=12) 0x07e39153

  access-list vpnACL line 7 extended permit icmp vpnNET 255.255.255.0 host ldap1 (hitcnt=3441) 0x5e0594ae

access-list vpnACL line 8 extended permit tcp vpnNET 255.255.255.0 object-group DM_INLINE_NETWORK_9 eq 8014 0xc797e1c2

  access-list vpnACL line 8 extended permit tcp vpnNET 255.255.255.0 host Syman1 eq 8014 (hitcnt=8924) 0xb1ec699c

  access-list vpnACL line 8 extended permit tcp vpnNET 255.255.255.0 host Syman2 eq 8014 (hitcnt=2163) 0x8250bef2

access-list vpnACL line 9 extended deny ip any any (hitcnt=30022) 0xe47d62bc

asa-L#

3) Local Network is  officeNetwork which is an interface on the ASA.. MDM02 sits in this network

4) Remote network is vpnNET

5) The connection is initiated by MDM02 into vpnNET

Im think your confusion is because a VPN-Filter uses a different logic then a "normal" ACL.

In an ACL you specify:

ACTION PROT  SOURCE-L3 SOURCE-L4 DEST-L3 DEST-L4

i.e.

permit tcp   host 1.1.1.1 gt 1023   host 2.2.2.2 eq 80

But the Logic of the VPN-Filter is:

ACTION PROT  REMOTE-L3 REMOTE-L4 LOCAL-L3 LOCAL-L4

So there is no source or destination. Every access (inbound or outbound) has to use this logic of remote and local instead of source and destination.

In ASDM that is quite complicated as the ASDM is not aware of this. For outbound connections you have to specify the real destination port (which is remote) as a source-port in ASDM, because that is what will be the remote-port.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni