09-10-2012 05:58 AM
Hi Guys
I have a quick question.
I have a VPN filter applied to my VPN group policy on network 192.16.1.0/24
I would like a management server sitting on the 10.0.0.0/23 network to be able to VNC to users who are VPNed, and I have specified that access.
In the VPN ACL I allowed the server, which is 10.0.0.11, access to 192.16.1.0/24 on port tcp/5900, but in the logs I see that it is denied with:
access-list vpnACL denied tcp for user <'unknown'> serverNetwork/10.0.0.11(57582) -> dmzinterface/192.16.1.88(5900) hit-cnt 1
What is the solution to this problem?
Your help is much appreciated
Kind Regards
09-10-2012 06:12 AM
Good day Mohamed,
Are you defining the VPN filter under the group-policy settings of the specific connection profile?
The crypto ACL should not include any ports, only IP (recommended).
Please check this out:
Let me know if you have any questions.
Portu.
Please rate any post you find useful.
09-10-2012 06:15 AM
Hi Javier
Yes I am defining the VPN filter in group policy on a connection profile
In that ACL I have specified the access requirements for VPN users i.e file access and printer access to print servers.
What I would like is to allow access into the VPN tunnel, as I have a management server that needs tcp/5900 and tcp/3283.
09-10-2012 06:34 AM
Ok, so we need to make sure we have a good understanding of how the VPN filter works:
1- VPN filters check inbound connections.
So:
Local network: 192.168.1.0/24
Remote network: 192.168.2.0/24
To allow RDP on the VPN filter:
In case the remote site is initiating the TCP connection to your servers on port 3389.
access-list VPN_FILTER permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389
In case the local site is initiating the TCP connection to the remote servers on port 3389.
access-list VPN_FILTER permit tcp 192.168.2.0 255.255.255.0 eq 3389 192.168.1.0 255.255.255.0
Let me know.
Thanks.
Please rate any post you find useful.
09-10-2012 06:55 AM
Hi Javier
Sorry, I did not quite understand the above.
I am mainly using the ASDM; in the group policy I have applied the IPv4 filter using an ACL that I created to specify the required access for outbound VPN connections.
The problem is defining inbound connections to the VPN range...
In the VPN filter I have specified to allow access from the management server into the VPN network, but in the logs I see that it is getting denied by the VPN filter each time it tries to initiate a remote session to a user who is VPNed.
09-10-2012 07:27 AM
At this point I would need to check out your settings.
Could you please include the following?
1- group-policy, "show run group-policy xxxx"
2- The ACL used as a filter: "show access-list xxxx"
3- Local network.
4- Remote network.
5- Specific port and protocol.
6- Who initiates the connection? Local or Remote?
Thanks.
09-10-2012 07:41 AM
Hi Javier
1)
asa-L# show run group-policy VPN-1_1
group-policy VPN-1_1 internal
group-policy VPN-1_1 attributes
wins-server none
dns-server value 10.0.0.24 10.0.0.25
vpn-filter value vpnACL
vpn-tunnel-protocol IPSec svc webvpn
default-domain value xxx
msie-proxy server value 162.16.9.15:8080
msie-proxy method use-server
msie-proxy local-bypass enable
webvpn
svc ask none default svc
asa-L#
2)
asa-L# show access-list vpnACL
access-list vpnACL; 33 elements; name hash: 0x5c97374a
access-list vpnACL line 1 extended permit ip host MDM02 vpnNET 255.255.255.0 (hitcnt=0) 0x4524d9e0
access-list vpnACL line 2 extended permit tcp vpnNET 255.255.255.0 host 162.16.9.15 object-group proxy 0x21fb8071
access-list vpnACL line 2 extended permit tcp vpnNET 255.255.255.0 host 162.16.9.15 eq 1080 (hitcnt=824) 0x9720c243
access-list vpnACL line 2 extended permit tcp vpnNET 255.255.255.0 host 162.16.9.15 eq 8080 (hitcnt=70062) 0x67f7ae94
access-list vpnACL line 3 remark Users Printer Access to CUPS
access-list vpnACL line 4 extended permit object-group DM_INLINE_SERVICE_28 vpnNET 255.255.255.0 host il2Puppet 0x810f7ce9
access-list vpnACL line 4 extended permit tcp vpnNET 255.255.255.0 host il2Puppet eq 631 (hitcnt=0) 0x2f725813
access-list vpnACL line 4 extended permit udp vpnNET 255.255.255.0 host il2Puppet eq snmp (hitcnt=1) 0xf9668cab
access-list vpnACL line 5 extended permit object-group DM_INLINE_SERVICE_29 vpnNET 255.255.255.0 host MDM02 0x2276e069
access-list vpnACL line 5 extended permit tcp vpnNET 255.255.255.0 host MDM02 eq 3283 (hitcnt=0) 0x98e6ccc6
access-list vpnACL line 5 extended permit tcp vpnNET 255.255.255.0 host MDM02 eq 5900 (hitcnt=0) 0x53ef8d06
access-list vpnACL line 5 extended permit udp vpnNET 255.255.255.0 host MDM02 eq 3283 (hitcnt=20) 0x9da32c32
access-list vpnACL line 5 extended permit icmp vpnNET 255.255.255.0 host MDM02 (hitcnt=99) 0x3cbe73ab
access-list vpnACL line 5 extended permit udp vpnNET 255.255.255.0 host MDM02 eq 5900 (hitcnt=0) 0xb8ad1340
access-list vpnACL line 6 extended permit object-group DM_INLINE_SERVICE_26 vpnNET 255.255.255.0 host AH1-SVR-CAN1 0x41cc1556
access-list vpnACL line 6 extended permit tcp vpnNET 255.255.255.0 host AH1-SVR-CAN1 eq lpd (hitcnt=7) 0x98b74e1d
access-list vpnACL line 6 extended permit udp vpnNET 255.255.255.0 host AH1-SVR-CAN1 eq snmp (hitcnt=14) 0x2f517698
access-list vpnACL line 7 extended permit object-group DM_INLINE_SERVICE_27 vpnNET 255.255.255.0 object-group il2AHdirsvr 0x619f3308
access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq kerberos (hitcnt=0) 0x27c35d0f
access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq kerberos (hitcnt=0) 0x5a508170
access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap2 eq kerberos (hitcnt=0) 0x45de38af
access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap1 eq kerberos (hitcnt=0) 0xb658a5b4
access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap2 eq domain (hitcnt=8091) 0xf1ccef4f
access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap1 eq domain (hitcnt=42074) 0xc3128476
access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq ldap (hitcnt=605) 0xf5819171
access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq ldap (hitcnt=936) 0x84cddf3c
access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq 88 (hitcnt=14) 0x61e385a6
access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq 88 (hitcnt=20) 0x3f738f97
access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap2 eq 88 (hitcnt=111) 0x5d3bdaa2
access-list vpnACL line 7 extended permit udp vpnNET 255.255.255.0 host ldap1 eq 88 (hitcnt=461) 0xe1412727
access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq 549 (hitcnt=30) 0x36cecf23
access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq 549 (hitcnt=2) 0x993d09ef
access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap2 eq 548 (hitcnt=0) 0xe6575e39
access-list vpnACL line 7 extended permit tcp vpnNET 255.255.255.0 host ldap1 eq 548 (hitcnt=15) 0xbe5ac037
access-list vpnACL line 7 extended permit icmp vpnNET 255.255.255.0 host ldap2 (hitcnt=12) 0x07e39153
access-list vpnACL line 7 extended permit icmp vpnNET 255.255.255.0 host ldap1 (hitcnt=3441) 0x5e0594ae
access-list vpnACL line 8 extended permit tcp vpnNET 255.255.255.0 object-group DM_INLINE_NETWORK_9 eq 8014 0xc797e1c2
access-list vpnACL line 8 extended permit tcp vpnNET 255.255.255.0 host Syman1 eq 8014 (hitcnt=8924) 0xb1ec699c
access-list vpnACL line 8 extended permit tcp vpnNET 255.255.255.0 host Syman2 eq 8014 (hitcnt=2163) 0x8250bef2
access-list vpnACL line 9 extended deny ip any any (hitcnt=30022) 0xe47d62bc
asa-L#
3) Local network is officeNetwork, which is an interface on the ASA. MDM02 sits in this network.
4) Remote network is vpnNET
5) The connection is initiated by MDM02 into vpnNET
09-10-2012 07:37 AM
I think your confusion is because a VPN-Filter uses a different logic than a "normal" ACL.
In an ACL you specify:
ACTION PROT SOURCE-L3 SOURCE-L4 DEST-L3 DEST-L4
i.e.
permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 80
But the Logic of the VPN-Filter is:
ACTION PROT REMOTE-L3 REMOTE-L4 LOCAL-L3 LOCAL-L4
So there is no source or destination. Every access (inbound or outbound) has to use this logic of remote and local instead of source and destination.
In ASDM that is quite complicated as the ASDM is not aware of this. For outbound connections you have to specify the real destination port (which is remote) as a source-port in ASDM, because that is what will be the remote-port.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
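The remote/local rule Karsten describes above, and the two RDP lines Javier posted earlier, are easy to get wrong when you read an ACE as source/destination. The following Python model is an added example, not code from this thread or from Cisco: it parses ACEs in the vpn-filter order (REMOTE-L3 REMOTE-L4 LOCAL-L3 LOCAL-L4), maps a connection onto that remote/local view regardless of who initiated it, and evaluates first-match with the ASA's implicit deny. The object values vpnNET = 192.16.1.0/24 and MDM02 = 10.0.0.11, and the client address 192.16.1.88, are taken from Mohamed's question and syslog line; the VPN user's source port 40000 is constructed. The added line `permit tcp vpnNET 255.255.255.0 eq 5900 host MDM02` is what you get by applying Karsten's rule to "MDM02 connects to a VPN user on 5900" (remote port 5900, any local port); it is my derivation, not a line from the thread.

```python
"""Toy model of ASA vpn-filter evaluation (added example, not from the thread)."""
import ipaddress

# Assumed object values, taken from the question and its syslog line.
OBJECTS = {"vpnNET": "192.16.1.0", "MDM02": "10.0.0.11"}


def _resolve(name):
    return OBJECTS.get(name, name)


def _parse_addr(tokens, i):
    """Consume 'any', 'host X' or 'NET MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(_resolve(tokens[i + 1])), i + 2
    net = ipaddress.ip_network(f"{_resolve(tokens[i])}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one ACE in vpn-filter order: remote address/port first, then local."""
    t = line.split()
    action, proto = t[0], t[1]
    remote, i = _parse_addr(t, 2)
    remote_port, i = _parse_port(t, i)
    local, i = _parse_addr(t, i)
    local_port, i = _parse_port(t, i)
    if i != len(t):
        raise ValueError(f"unparsed tokens in ACE: {line!r}")
    return {"action": action, "proto": proto, "remote": remote,
            "remote_port": remote_port, "local": local, "local_port": local_port}


def _normalize(flow):
    """Map a connection (src -> dst, as syslog shows it) onto the filter's view.
    The filter does not care who sent the packet, only which end is the VPN
    client ('remote') and which is the inside network ('local')."""
    if flow["initiator"] == "remote":
        return flow["proto"], flow["src"], flow["sport"], flow["dst"], flow["dport"]
    return flow["proto"], flow["dst"], flow["dport"], flow["src"], flow["sport"]


def _matches(ace, proto, rip, rport, lip, lport):
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ipaddress.ip_address(rip) not in ace["remote"]:
        return False
    if ace["remote_port"] is not None and ace["remote_port"] != rport:
        return False
    if ipaddress.ip_address(lip) not in ace["local"]:
        return False
    if ace["local_port"] is not None and ace["local_port"] != lport:
        return False
    return True


def evaluate(acl, flow):
    """First-match evaluation with the implicit deny; returns (action, matching ACE)."""
    normalized = _normalize(flow)
    for line in acl:
        if _matches(parse_ace(line), *normalized):
            return parse_ace(line)["action"], line
    return "deny", "implicit deny"


# The denied connection from the syslog line in the question (constructed from it):
# serverNetwork/10.0.0.11(57582) -> dmzinterface/192.16.1.88(5900)
MGMT_TO_VPN_USER = {"proto": "tcp", "initiator": "local",
                    "src": "10.0.0.11", "sport": 57582,
                    "dst": "192.16.1.88", "dport": 5900}
# The opposite direction: a VPN user opening VNC to MDM02 (source port constructed).
VPN_USER_TO_MGMT = {"proto": "tcp", "initiator": "remote",
                    "src": "192.16.1.88", "sport": 40000,
                    "dst": "10.0.0.11", "dport": 5900}

# The relevant lines of vpnACL as posted, with the implicit deny spelled out.
ORIGINAL_ACL = [
    "permit ip host MDM02 vpnNET 255.255.255.0",           # line 1: remote=MDM02, never true
    "permit tcp vpnNET 255.255.255.0 host MDM02 eq 5900",  # line 5: VPN user -> MDM02:5900
    "deny ip any any",
]
# Same ACL plus one line in remote/local order: remote port 5900, any local port.
CORRECTED_ACL = ORIGINAL_ACL[:2] + [
    "permit tcp vpnNET 255.255.255.0 eq 5900 host MDM02",  # MDM02 -> VPN user:5900
] + ORIGINAL_ACL[2:]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, "MDM02 -> VPN user:", evaluate(acl, MGMT_TO_VPN_USER))
        print(name, "VPN user -> MDM02:", evaluate(acl, VPN_USER_TO_MGMT))
```

Running it reproduces the symptom: with the posted ACL the management server's connection falls through to `deny ip any any` (line 1 can never match because MDM02 is never the remote end, and line 5 only matches when the VPN user is the one connecting to 5900), while the added line permits it. In ASDM terms this is exactly Karsten's point: the 5900 ends up in the "source port" column because that column is the remote port.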